This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts provide essential information and insights about the attack trends driving malicious campaigns, along with best practices for both detection and incident response.
If there is one thing the past few years have taught us well, it is that the security game has shifted. The work of security teams - long focused on keeping “bad guys out” - has morphed into one that encompasses both that and identifying the bad guys who have already gotten in. And, as the recent nation-state attacks on government agencies and private sector firms indicate, the means and methods by which bad guys might get in become more sophisticated by the day.
That’s why spotting attackers’ malicious and suspicious behavior within a compromised environment is a key capability for any modern information security group. Increasingly, that involves detecting so-called “lateral movement”: efforts by attackers to move from an initial point of compromise to access and then control other, valuable IT assets within an environment. The desire of attackers to lay low and expand their reach and control is one reason that credential theft and privilege escalation attacks on critical control infrastructure like Active Directory and Kerberos have become so commonplace - even popping up as a feature in ransomware and other malicious applications.
No Silver Bullet for Detecting Lateral Movement
In prior posts, we have discussed how our Q:CYBER product is used to help organizations detect common tactics for privilege escalation and lateral movement, such as Pass the Hash and Overpass the Hash attacks. Detecting the great variety of lateral movement techniques used by sophisticated adversaries is equal parts art and science: attackers continually modify their tactics to avoid detection, which in turn prompts defenders to devise new detection methods so they do not lose situational awareness. The parade of successful attacks in just the last year suggests that the advantage goes to the attackers, unless meaningful detection capabilities are implemented at key chokepoints like authentication.
Much has been published on the topic of lateral movement detection - and much of it is in the public domain. This content provides a wealth of information for security organizations that can be applied during threat hunting. In this and subsequent posts, we’re going to call attention to some of the more useful resources on lateral movement detection, making note of some of the through-lines and common themes, as well as areas where organizations will need to go beyond the standard guidance to tailor threat hunting to their unique circumstances.
Q:Cyber provides more advanced detections than those considered by JP CERT, such as our external validation of the Kerberos protocol to stop Kerberos ticket forgeries, but this deep dive into JP CERT’s work is complementary and illustrative.
JP CERT: Windows Event Logs To Identify Tools
Sophisticated adversaries have gotten good at “living off the land,” meaning: using standard administrative tools to conduct reconnaissance and lateral movement. Still, “hackers gonna hack,” as the saying goes, and spotting malicious tools or legitimate tools that are being abused is still one of the best ways to identify a malicious actor in your environment.
To that end, Japan’s Computer Emergency Response Team (JP CERT) has published a detailed analysis of common tools used both in initial compromises and to further lateral movement. The report, Detecting Lateral Movement through Tracking Event Logs (Version 2) (PDF), is available for download.
While the report is more than three years old now, it provides a highly valuable list of common hacking tools and techniques that is still very relevant. Additionally, the JP CERT write-up provides detailed analysis of 49 tools that are “directly related to attack operations” such as credential theft, command execution, remote login and so on.
For example, Windows Management Instrumentation (WMI) is a standard Windows administrative facility that provides local and remote access to Windows system components, backed by the WMI service. Malicious actors often abuse its command-line utility, wmic.exe, to achieve execution on compromised hosts. The JP CERT analysis provides detailed descriptions of the Windows Events on both the source and destination hosts that may indicate malicious use of wmic.exe to obtain execution on a system - new processes spawned, modifications to the Windows registry, changes in permissions and so on.
JP CERT’s Tool Analysis Results Sheet acts as a cross reference for security teams to identify the use or presence of a malicious or suspicious tool within a Windows environment. That is especially useful in identifying hackers’ attempts to “live off the land” and harness native Windows administrative functions and tools to persist in a compromised environment.
However useful, JP CERT’s list of tools and commands has limitations. First, as JP CERT admits, Windows Event Logs are not proof positive of malicious activity. The information they contain - such as Windows Event IDs - must be combined and correlated with other Event IDs and behaviors as well as historic information to establish context.
Second, for malicious or dual-use applications that are not standard Windows components or administrative tools, the JP CERT guidance often fails to account for the near certainty that adversaries will hide or obfuscate the tool to avoid detection. While JP CERT detections account for renamed executables, tools such as Mimikatz are often run in memory to avoid detection by antivirus and endpoint protection, meaning they will not generate Windows events during process execution.
Long and short: JP CERT’s report Detecting Lateral Movement Through Tracking Event Logs (Version 2) and the related Tool Analysis are useful resources that can accelerate threat hunting and help your team create detection rules. However, few of the JP CERT detections are of high enough fidelity to stand on their own. They must be combined and correlated with other logs and events to suppress false positives and produce confident detections of malicious activity.
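As an added illustration of the source/destination correlation described above (this is example code, not from the JP CERT report or from Q:Cyber), the following Python script runs over a handful of constructed Security-log-style records. It flags wmic.exe launched with a /node: argument on the source host, then looks on the named destination for a network logon (Event ID 4624, logon type 3) by the same account and a process spawned under WmiPrvSE.exe (Event ID 4688) within a short window, and grades confidence by how many of those corroborating events are present. The dict layout, the host and user names, and the OriginalFileName field (Sysmon-style, used here to catch a renamed copy of wmic) are assumptions for the example.

```python
"""Correlate constructed Windows event records to flag suspicious wmic.exe use.

Added example; not the JP CERT report's or QOMPLX's code. Event records are
simplified dicts, not parsed EVTX. Event IDs 4688 (process creation) and 4624
(logon) are standard Windows Security log events; OriginalFileName is assumed
to come from a Sysmon-style process event.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Hosts WS01/SRV02/SRV03 and user
# jdoe are made up for the example.
EVENTS = [
    {"host": "WS01", "EventID": 4688, "time": "2021-03-01T10:00:00",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "OriginalFileName": "wmic.exe", "SubjectUserName": "jdoe",
     "CommandLine": 'wmic /node:"SRV02" process call create "cmd.exe /c whoami"'},
    {"host": "SRV02", "EventID": 4624, "time": "2021-03-01T10:00:02",
     "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    {"host": "SRV02", "EventID": 4688, "time": "2021-03-01T10:00:03",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "cmd.exe", "SubjectUserName": "jdoe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Renamed copy of wmic: the path no longer says wmic, OriginalFileName does.
    {"host": "WS01", "EventID": 4688, "time": "2021-03-01T11:00:00",
     "NewProcessName": "C:\\Users\\Public\\svc.exe",
     "OriginalFileName": "wmic.exe", "SubjectUserName": "jdoe",
     "CommandLine": 'svc.exe /node:"SRV03" process call create "calc.exe"'},
    # Benign local inventory query: no /node:, no remote follow-up.
    {"host": "WS01", "EventID": 4688, "time": "2021-03-01T12:00:00",
     "NewProcessName": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "OriginalFileName": "wmic.exe", "SubjectUserName": "helpdesk",
     "CommandLine": "wmic os get caption"},
]

NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_wmic_remote_exec(events):
    """Source-host indicator: wmic (by path or by original file name, so a
    renamed binary still matches) launched with a /node: target."""
    hits = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        path = e.get("NewProcessName", "").lower()
        by_path = path.endswith("\\wmic.exe")
        if not (by_path or e.get("OriginalFileName", "").lower() == "wmic.exe"):
            continue
        m = NODE_RE.search(e.get("CommandLine", ""))
        if m:
            hits.append({"source": e["host"], "target": m.group(1).upper(),
                         "user": e["SubjectUserName"], "time": _ts(e),
                         "renamed": not by_path})
    return hits


def _within(event, start, window):
    delta = (_ts(event) - start).total_seconds()
    return 0 <= delta <= window.total_seconds()


def correlate(events, window=timedelta(seconds=30)):
    """Raise fidelity by checking the destination host for corroborating
    events: a network logon (4624, type 3) for the same account and a child
    process of WmiPrvSE.exe (4688), both inside the time window."""
    results = []
    for h in find_wmic_remote_exec(events):
        logon = any(e["EventID"] == 4624 and e["host"] == h["target"]
                    and e.get("LogonType") == 3
                    and e.get("TargetUserName") == h["user"]
                    and _within(e, h["time"], window) for e in events)
        child = any(e["EventID"] == 4688 and e["host"] == h["target"]
                    and e.get("ParentProcessName", "").lower().endswith("\\wmiprvse.exe")
                    and _within(e, h["time"], window) for e in events)
        confidence = "high" if (logon and child) else "medium" if (logon or child) else "low"
        results.append({**h, "target_logon": logon,
                        "target_child_process": child, "confidence": confidence})
    return results


if __name__ == "__main__":
    for r in correlate(EVENTS):
        print(r["source"], "->", r["target"], r["user"],
              "renamed" if r["renamed"] else "", r["confidence"])
```

Run as a script it prints one line per wmic /node: launch; the WS01 to SRV02 case is graded high because both destination events line up, while the renamed svc.exe launch against SRV03 stays low because no destination events were collected for SRV03, which is exactly the situation the text warns about: a single source-side event is a lead, not a verdict, and a low-confidence hit is where a hunter goes looking for the missing destination logs rather than raising an alert.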
In a subsequent blog post, we will examine the Capability Abstraction method for creating and operationalizing additional detections in Q:Cyber, including those recommended by JP CERT. The pre-built detections in Q:Cyber’s Identity Assurance module (data sheet) provide industry-leading capabilities for attacks like Golden Ticket, Silver Ticket, DCSync, DCShadow, Pass-the-Ticket (PtT), Pass-the-Hash (PtH), and so on.