I posted a blog post about Windows Processes and how knowing what's "normal" can be used to spot malicious activity. You can find it here Know your Windows Processes or Die Trying
I got quite a bit of positive feedback on that post so I figured I would write a similar one for spotting lateral movement on systems.
Let me make a quick comment before you keep reading.... NOT ALL of these artifacts WILL be created and even if they are, it's possible they aren't related. It will vary case-by-case. That's what makes this so much fun. Again... just because you see some of these DOES NOT mean you have been attacked or that you have lateral movement going on within your company/organization.
Prefetch Files Created
- AT.EXE (scheduled jobs/tasks)
- SCHTASKS.EXE (scheduled jobs/tasks)
- CMD.EXE (Obviously common, but I included it anyway. Especially if the prefetch hash doesn't match the legitimate ones. )
- NET.EXE (net view, etc.)
- NET1.EXE (net use)
- NETSTAT.EXE (netstat -ano)
- REG.EXE (reg query and reg add)
- SC.EXE (interact with services)
- SYSTEMINFO.EXE (system profiling)
- TASKKILL.EXE (kill running processes)
- TASKLIST.EXE (tasklist /v)
- POWERSHELL.EXE (interact with powershell)
- NBTSTAT.EXE (profile)
- XCOPY.EXE (copy files around)
- NSLOOKUP.EXE (profile)
- QUSER.EXE (profile)
- RAR.EXE (Exfil or Tool dropping) * And other archive utilities (Ex. 7zip)
- PING.EXE (check connectivity)
- FTP.EXE (download/upload)
- Various Sysinternal tools (Psexec, sdelete, etc.)
- BITSADMIN.EXE (download/upload)
- ROUTE.EXE (adding persistent routes)
- REGSVR32.EXE (services)
- MAKECAB.EXE (compression before exfil)
- Then obviously the name of any malware they use:
You will also see System Internals (ex. PsExec), various archiving tools (ex. winrar), etc. used as well but they often times rename them. Look at prefetch files for odd/suspicious names. Also keep an eye out for the prefetch hash value after the name as this can indicate a file was executed, but from a different location. For example, if cmd.exe was run from system32 and from %temp%, or even SysWOW.
I will also quickly add that with the new(er) version of PsExec you can rename the PsExec service name (via -r) that's created on the remote host. This is something to keep in mind.
- 4624 Type 10 Successful Logon via RDP/Terminal Services
- 4624 Type 3 Network Logon
- 4648 Explicit Credentials
- 4778 RDP Session connected and reconnected
- 4779 RDP Session disconnected
- 106 Registered a task (has user name) at.exe
- 140 Updated a task (has user name) * schtasks.exe
- 129 Launch action
- 201 Successfully completed a task
- 7035 Service was successfully sent a start/stop control (Look for PsExec here)
- 7036 The service entered the running/stopping state
- 7045 A service was installed in the system (Look for PsExec service installs)
- 24/25 Remote Desktop Services: Session has been disconnected / Session reconnection succeeded
- Default.rdp created (Hidden file in My Documents)
- %appdata%\Microsoft\Terminal Server Client\Cache\bcache22.bmc
- Event log entries (see above)
If you allow host-to-host communication, most likely they are simply moving around via SMB shares, pass-the-hash (mimikatz, Windows Credential Editor (wce), etc.)
- tcp/3389 (RDP)
This is where knowing what your systems do/are is important. RDP to a terminal server might be, ok but RDP between someone in Accounting and HR isn't a good thing (normally).
- NTUSER and Software Run Keys (don't forget about Wow6432Node keys)
- MountPoints2 (##ServerName#ShareName)
- Mount Network Drive MRU (WinXP)
- SysInternals Key (populated when EULA accepted)
- Archive Locations (WinZip, WinRar, 7-zip, etc.)
There are MANY other places to hide (BHOs, Winlogon, App_Init, Shell, Active Setup, etc.) and tons of other artifacts created within the registry when malware/people run malware/perform lateral movements, but i'm only listing the more commonly used ones related to lateral movements (not persistence). The registry alone is 20+ blog posts so i'm trying to stay focused on just a few common areas (at least from what I personally see).
- Scheduled Tasks/AT Jobs
- Event log entries
- Specifically Start Type 2 (auto-start) with Type 10
- Also look for ones that have ErrorControl set to 0x0.
- They will sometimes have weird names but sometimes they will have very convincing names
- Look for anything not running within System32 (autoreg-parse will do this for you)
- If it's in System32 they more than likely time stomped it so you won't see it without comparing $SI and $FN times. It's possible they only stomped the modification time to fool you when viewing it inside Windows Explorer. Add the "created" column in Windows Explorer before moving on to the the master file table (MFT).
- More than likely it's not signed
Not fool proof, but they like to use 1 - 3 character file names. This includes renamed tools, key logging logs, archived exfil data (ex. 4.rar), etc. Watch out for these. It doesn't mean they are malicious, but just something to make note of. A good place to look for these files names are within AppCompatCache.
Malware often Hides/Executes from
- %temp% (root)
(a lot of times with single letters/numbers - %temp%\1_malare_
- %localappdata% (Win7)
- Recycle bin
- Startup Folder (As .vbs or .lnk)
- Replace startup folder location in registry
- Replaces system files that already have persistence set in the registry
So here is an example of how this all might play out.
- Machine gets owned
- systeminfo (or some other system profiling command(s))
- tasklist /v
- net view, netstat, etc.
- cd c:\
- reg query \CurrentVersion\Run
- Downloads some malware/tool kit
- reg add \CurrentVersion\Run /v malware.exe (or sets some other kind of persistence)
- archives some stuff up
- exfiltrates it
- escalates privs (if not done already)
- moves around your network (net use, psexec, etc.)
- steals more stuff
- repeats this for a year until you detect it or someone calls you.
- you take months to fix it (if ever)
By now you might be thinking, "That's all great, but that stuff happens all the time within my environment. Our System Administrators and Help Desk do that kind of stuff all the time." You're right... That is why they (read: attackers) do it.
No one said it was going to be easy. If you want easy, find a red light district.