Lateral Movement Detection

Velociraptor Lateral Movement Exercise

1. Introduction and Tasks

Lateral movement means moving within the internal network to reach the organization's target data and exfiltrate it. In this challenge you will solve tasks to detect lateral movement using Velociraptor.

Someone exfiltrated files from the Domain Controller DC1 using the compromised Domain Administrator account ffast. In this task, we want to find out how the adversary compromised the Domain Administrator account ffast. You suspect that the attacker used the pass-the-hash technique with PsExec and mimikatz. Now it is your task to prove that.

  1. Provide an Artifact that detects the execution of PsExec. The Artifact must show the first execution time of PsExec in date time format.

  2. Use Windows Event ID 4648 to find out the user that executed PsExec to become Domain Administrator ffast on destination computer (i.e. DC1). Provide an Artifact for this purpose. It should show at least the parameters SubjectUserName, TargetUserName, TargetServerName and LogonTime (in date time format) from Windows Event ID 4648.

  3. In question 1 and 2 you found some timestamps in date time format. Do a temporal correlation with them. And reason if they could relate to each other.

  4. Use Windows Event ID 4624 to find the user that executed PsExec to become Domain Administrator ffast on the source computer. Provide an Artifact for this purpose. It should show at least the parameters IpAddress (of the source), TargetUserName and LogonType from Windows Event ID 4624.

  5. Find out if mimikatz was executed using Velociraptor and Amcache.

2. Detect the execution of PsExec

Velociraptor ships with the artifact Windows.Registry.Sysinternals.Eulacheck, but it only checks the HKCU key, so it misses users that are not currently logged in.

Let's create a custom artifact that checks the Amcache for PsExec instead:

name: Custom.Windows.Cybercop.psexec
description: |
    Get information from the sys

parameters:
    - name: exeName
      default: "psexec"

precondition: |
    SELECT OS From info() where OS = 'windows'
    
sources:

    - name: AmCache
      queries:
        - SELECT * FROM Artifact.Windows.System.Amcache()
            WHERE Name =~ exeName

After a while we can see that PsExec was executed on FS1.

3. Windows Event ID 4648

The SANS Hunt Evil poster also lists that when PsExec is executed, a Windows Event with ID 4648 is logged if alternate credentials were specified. Velociraptor provides an artifact which we can use to search for specific event IDs.

Let's create a custom artifact for that:

name: Custom.Windows.EventLogs.AlternateLogon4648
description: |
  Logon specifying alternate credentials (Event ID 4648; on the
  destination only if NLA is enabled). Reports the currently logged-on
  user name, the alternate user name, the destination host name/IP
  and the process name.

reference:
  - https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: securityLogFile
    default: C:/Windows/System32/Winevt/Logs/Security.evtx

sources:
  - queries:
      - SELECT EventData.IpAddress AS IpAddress,
               EventData.IpPort AS Port,
               EventData.ProcessName AS ProcessName,
               EventData.SubjectUserSid AS SubjectUserSid,
               EventData.SubjectUserName AS SubjectUserName,
               EventData.TargetUserName AS TargetUserName,
               EventData.TargetServerName AS TargetServerName,
               timestamp(epoch=System.TimeCreated.SystemTime ) as Time
        FROM parse_evtx(filename=securityLogFile)
        WHERE System.EventID.Value = 4648
        ORDER BY Time

Results from FS1

ladmin becomes ffast

Results from Client1

I didn't get any information from Client1 back

4. Timestamps

PsExec was executed on FS1 with the following Amcache timestamp:

2022-05-25T20:15:28.818295955Z

As mentioned above, the artifact Windows.Registry.Sysinternals.Eulacheck does not give sufficient results. The most likely reason is that the artifact looks in the registry and the corresponding entries are not there, possibly because the attacker deleted them to hide their activity.
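The temporal correlation that task 3 asks for can be done in a single VQL artifact instead of comparing timestamps by hand. The artifact below is an added example, not one of the artifacts from the exercise write-up: for every Amcache entry matching exeName it lists the 4648 alternate-credential logons from the Security log whose timestamp falls within windowSeconds of the Amcache key modification time, and reports the difference in seconds. It assumes that Windows.System.Amcache returns a KeyMTime column for the matched entry and that VQL time values expose a Unix method; the artifact name, the windowSeconds parameter and its 600-second default are choices made for this example.

```yaml
name: Custom.Windows.Cybercop.PsExecLogonCorrelation
description: |
  Added example (not from the exercise): correlate Amcache evidence of
  exeName with Event ID 4648 logons that occurred within windowSeconds
  of the Amcache key modification time.

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: exeName
    default: "psexec"
  - name: securityLogFile
    default: C:/Windows/System32/Winevt/Logs/Security.evtx
  # Assumed parameter: how far apart (in seconds) the two events may be
  # and still be reported as related.
  - name: windowSeconds
    type: int
    default: 600

sources:
  - query: |
      LET executions = SELECT Name AS ExeName,
                              KeyMTime AS ExecTime
        FROM Artifact.Windows.System.Amcache()
        WHERE Name =~ exeName

      LET logons = SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
                          EventData.SubjectUserName AS SubjectUserName,
                          EventData.TargetUserName AS TargetUserName,
                          EventData.TargetServerName AS TargetServerName,
                          EventData.ProcessName AS ProcessName
        FROM parse_evtx(filename=securityLogFile)
        WHERE System.EventID.Value = 4648

      SELECT * FROM foreach(row=executions,
        query={
          SELECT ExeName, ExecTime, LogonTime,
                 LogonTime.Unix - ExecTime.Unix AS DeltaSeconds,
                 SubjectUserName, TargetUserName, TargetServerName, ProcessName
          FROM logons
          WHERE LogonTime.Unix > ExecTime.Unix - windowSeconds
            AND LogonTime.Unix < ExecTime.Unix + windowSeconds
        })
      ORDER BY DeltaSeconds
```

A small or slightly negative DeltaSeconds (the 4648 event is written when the alternate credentials are supplied, which can precede the Amcache key update) together with a SubjectUserName that differs from the TargetUserName is the pattern to look for; a 4648 event far outside the window is more likely an unrelated administrative logon.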

5. Windows Event ID 4624

Results on FS1
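Task 4 asks for an artifact built on Event ID 4624 that shows at least IpAddress, TargetUserName and LogonType. The artifact below is an added example written in the same style as the 4648 artifact above, not one of the exercise's own artifacts; the artifact name and the targetUser parameter (defaulting to the compromised account ffast from the task description) are choices made here, and the field names are the standard EventData fields of a 4624 record.

```yaml
name: Custom.Windows.EventLogs.Logon4624
description: |
  Added example (not from the exercise): successful logons (Event ID
  4624) with the source IP address, the target account and the logon
  type, filtered to a single target user.

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: securityLogFile
    default: C:/Windows/System32/Winevt/Logs/Security.evtx
  # Assumed parameter: regex for the account whose logons we want.
  - name: targetUser
    default: "ffast"

sources:
  - queries:
      - SELECT timestamp(epoch=System.TimeCreated.SystemTime) AS LogonTime,
               EventData.IpAddress AS IpAddress,
               EventData.IpPort AS Port,
               EventData.TargetUserName AS TargetUserName,
               EventData.TargetDomainName AS TargetDomainName,
               EventData.LogonType AS LogonType,
               EventData.LogonProcessName AS LogonProcess,
               EventData.AuthenticationPackageName AS AuthPackage,
               EventData.WorkstationName AS WorkstationName,
               EventData.ProcessName AS ProcessName
        FROM parse_evtx(filename=securityLogFile)
        WHERE System.EventID.Value = 4624
          AND EventData.TargetUserName =~ targetUser
        ORDER BY LogonTime
```

Reading the output: a PsExec session shows up on the destination as LogonType 3 (network) with the source address in IpAddress, which is why the task asks for that field. Running the same artifact on the source host is useful too, because a pass-the-hash performed with mimikatz produces a 4624 there with LogonType 9 (NewCredentials) and LogonProcess seclogo, so the two hosts together show both ends of the chain.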

6. Mimikatz

To check if mimikatz was executed we can reuse the Amcache artifact from the PsExec detection; only the default of the exeName parameter changes.

name: Custom.Windows.Cybercop.psexec
description: |
    Get information from the sys

parameters:
    - name: exeName
      default: "mimikatz"

precondition: |
    SELECT OS From info() where OS = 'windows'
    
sources:

    - name: AmCache
      queries:
        - SELECT * FROM Artifact.Windows.System.Amcache()
            WHERE Name =~ exeName

Mimikatz was executed on FS1 from C:\Windows\Temp.
