System Forensics

All your artifacts are belong to us.

Do not fumble the lateral movement

I posted a blog post about Windows Processes and how knowing what’s “normal” can be used to spot malicious processes. You can find the post here:

http://sysforensics.org/2014/01/know-your-windows-processes.html

I got quite a bit of positive feedback on that post so I figured I would write a similar one for spotting lateral movement on systems. There are other ways to achieve the below, but these are the most common indicators I see humans and malware make when conducting lateral movements.

[Update: Adding CAPS]
Also, before I get any more emails on this…. NOT ALL of these WILL be created. It will vary CASE-BY-CASE. And just because you see some of these DOES NOT mean you have been attacked or that you have lateral movements within your company.

Prefetch Files Created:

- AT.EXE (scheduled jobs/tasks)
- SCHTASKS.EXE (scheduled jobs/tasks)
- CMD.EXE (Obviously common, but I included it anyway.)
- NET.EXE (net view, etc.)
- NET1.EXE (net use)
- NETSTAT.EXE (netstat -ano)
- REG.EXE (reg query and reg add)
- SC.EXE (interact with services)
- SYSTEMINFO.EXE (system profiling)
- TASKKILL.EXE (kill running processes – taskkill /f /im <process_name> or by PID.)
- TASKLIST.EXE (tasklist /v)
- POWERSHELL.EXE (interact with powershell)
- NBTSTAT.EXE (profile)
- XCOPY.EXE (copy files around)
- NSLOOKUP.EXE (profile)
- QUSER.EXE (profile)
- PING.EXE (check connectivity)
- FTP.EXE (download/upload)
- BITSADMIN.EXE (download/upload)
- ROUTE.EXE (adding persistent routes)
- REGSVR32.EXE (services)
- MAKECAB.EXE (compression before exfil)

You will also see System Internals (ex. PsExec), various archiving tools (ex. winrar), etc. used as well but they often times rename them. Look at prefetch files for odd names, usually 3 characters or less. They like to use short file names. On the flip side, look for the real winrar, psexec, etc. names within prefetch files as well. Also keep an eye out for the prefetch hash value after the name as this can indicate a file was executed, but from a different location. For example, if cmd.exe was run from system32 and from %temp%.

I will also quickly add that with the new(er) version of PsExec you can rename the PsExec service name (via -r) that’s created on the remote host. This is something to keep in mind.

Event Logs:

- 528 Type 10 -> Successful Logon via RDP/Terminal Services
- 529 -> Failed Logon
- 538 -> Successful logoff
- 540 Type 3 -> Network Logon
- 682 -> RDP Session connected and reconnected
- 683 -> RDP Session disconnected
- 7035 -> Service was successfully sent a start/stop control (Look for PsExec here)
- 7036 -> The service entered the running/stopping state
- 7045 -> A service was installed in the system (Look for PsExec service installs)
- 1116 -> Microsoft Malware Protection
- <Any other AV products>

Hint: Add 4096 to Win XP EventIDs to get the Windows 7 id number. It doesn’t work for all, but most of the common ones.

RDP Artifacts:

- Default.rdp created (Hidden file in My Documents)
- %appdata%\Microsoft\Terminal Server Client\Cache\bcache22.bmc

Networking:

- tcp/445 between two user workstations (filesharing)
- tcp/3389 between two user workstations or non-terminal server systems (RDP)

This is where knowing what your systems do/are is important. RDP to a terminal server might be, ok but RDP between someone in Accounting and HR isn’t a good thing (normally).

Registry:

- NTUSER and Software Run Keys (don’t forget about Wow6432Node keys)
- Services
- MountPoints2 (##Server_Name#Share_Name)
- Mount Network Drive MRU (WinXP)
- SysInternals Key (populated when EULA accepted)
- Archive Locations (WinZip, WinRar, 7-zip, etc.)
- ShellBags

There are MANY other places to hide (BHOs, Winlogon, App_Init, Shell, Active Setup, etc.) and tons of other artifacts created within the registry when malware/people run malware/perform lateral movements, but i’m only listing the more commonly used ones related to lateral movements (not persistence). The registry alone is 20+ blog posts so i’m trying to stay focused on just a few common areas (at least from what I personally see). I added a good persistence reference link in the references section.

I have some plugins already written that will check commonly used malware locations inside the registry. You can find me code here: https://github.com/sysforensics/autoreg-parse (written in Python).

Thanks to @williballenthin for writing python-registry. I’m still writing more plugins so if you want to help, feel free. If not, let me know which plugins you need/want.

As an alternative to auroreg-parse you could always use RegRipper (written by Harlan Carvey in Perl) here: https://code.google.com/p/regripper. He has been known to write RR plugins the same day he gets a request and also takes suggestions on which plugins to write.

Jobs/Tasks:

- Scheduled Tasks/AT Jobs

Services:

- Specifically Start Type 2 (auto-start) with Type 10
- Also look for ones that have ErrorControl set to 0×0.
- They will sometimes have weird names but sometimes they will have very convincing names
- Look for anything not running within System32 (autoreg-parse will do this for you)
- If it’s in System32 they more than likely time stomped it so you won’t see it without comparing $SI and $FN times. It’s possible they only stomped the modification time to fool you when viewing it inside Windows Explorer. Add the “created” column in Windows Explorer before moving on to the the master file table (MFT).
- More than likely it’s not signed

File Names:

- Not fool proof, but they like to use 1 – 3 character file names. This includes renamed tools, key logging logs, archived exfil data (ex. 4.rar), etc. Watch out for these. It doesn’t mean they are malicious, but just something to make note of.

Malware often Hides/Executes from:

- %temp%
- %appdata%
- %localappdata% (Win7)
- %systemroot%\System32
- %systemdrive%
- %programdata%
- %allusersprofile%
- %commonprogramfiles%
- $Recycle.Bin
- Startup Folder (As .vbs or .lnk)

Often times malware will hide in the root of these locations. I’ve seen them moving more and more towards one or two directories deep, which defeats simple endpoint protection rules that were quite effective in the past. I would say, %temp% and %appdata% are most common from what I see. With either Startup and/or System32 a close third. If services are involved it’s typically running out of System32.

Example:

So here is an example of how this all might play out.

- Machine gets owned
- systeminfo (or some other system profiling command(s))
- tasklist /v
- net view, netstat, etc.
- cd c:\
- dir
- reg query \CurrentVersion\Run
- Downloads some malware/tool kit
- reg add \CurrentVersion\Run /v malware.exe (sets persistence)
- archives some stuff up and exfiltrates it
- escalates privs if not done already
- moves around your network (net use, psexec, etc.)
- steals more stuff
- repeats this for a year until you detect it or someone calls you. Then you take months to fix it (if ever).

I find that run keys, AT jobs and services are most commonly used with these kind of cases.

Summary:

By now you might be thinking, “That’s all great, but that stuff happens all the time within my environment. Our System Administrators and Help Desk do that kind of stuff all the time.” You’re right… That is why they (read: attackers) do it.

No one said it was going to be easy. If you want easy, find a red light district.

References:

@TekDefense (Ian)- tekdefense.com
@hiddenillusion (Glenn) – hiddenillusion.blogspot.com
@keydet89 (Harlan) pointed me here too: http://windowsir.blogspot.sg/2013/07/howto-track-lateral-movement.html
@4n6k – http://www.4n6k.com/2013/12/shellbags-forensics-addressing.html

Registry References:

http://www.cylance.com/techblog/Windows-Registry-Persistence-Part2.shtml

, , , ,

Comments are currently closed.