Lateral Movement Detection
Velociraptor Lateral Movement Exercise
1. Introduction and Tasks
Lateral movement means moving within the internal network to reach the organization's target data and exfiltrate it. In this challenge you will solve tasks to detect lateral movement using Velociraptor.
Someone exfiltrated files from Domain Controller DC1 using the compromised Domain Administrator account ffast. In this task, we want to find out how the adversary compromised the Domain Administrator account ffast. You suspect that the attacker used the pass-the-hash technique with PsExec and mimikatz. Now it is your task to prove that.
1. Provide an Artifact that detects the execution of PsExec. The Artifact must show the first execution time of PsExec in date time format.
2. Use Windows Event ID 4648 to find out which user executed PsExec to become Domain Administrator ffast on the destination computer (i.e. DC1). Provide an Artifact for this purpose. It should show at least the parameters SubjectUserName, TargetUserName, TargetServerName and LogonTime (in date time format) from Windows Event ID 4648.
3. In questions 1 and 2 you found timestamps in date time format. Do a temporal correlation with them and reason whether they could relate to each other.
4. Use Windows Event ID 4624 to find the user that executed PsExec to become Domain Administrator ffast on the source computer. Provide an Artifact for this purpose. It should show at least the parameters IpAddress (of the source), TargetUserName and LogonType from Windows Event ID 4624.
5. Find out if mimikatz was executed using Velociraptor and Amcache.
2. Detect the execution of PsExec
Velociraptor ships the artifact Windows.Registry.Sysinternals.Eulacheck, but it only checks the HKCU key, so it does not cover users that are not currently logged in.
Let's create a custom artifact to check the Amcache for PsExec:
name: Custom.Windows.Cybercop.psexec
description: |
  Get information from the sys
parameters:
  - name: exeName
    default: "psexec"
precondition: |
  SELECT OS From info() where OS = 'windows'
sources:
  - name: AmCache
    queries:
      - SELECT * FROM Artifact.Windows.System.Amcache()
        WHERE Name =~ exeName
After a while we can see that PsExec was executed on FS1.

3. Windows Event ID 4648
The SANS Hunt Evil poster also lists that when PsExec is executed, a Windows Event with ID 4648 is logged if alternate credentials were specified. Velociraptor provides an artifact which we can use to search for specific event IDs.

Let's create a custom artifact for that:
name: Custom.Windows.EventLogs.AlternateLogon4648
description: |
  Logon specifying alternate credentials - if NLA enabled on destination.
  Fields: Current logged-on User Name, Alternate User Name,
  Destination Host Name/IP, Process Name.
reference:
  - https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf
precondition: SELECT OS From info() where OS = 'windows'
parameters:
  - name: securityLogFile
    default: C:/Windows/System32/Winevt/Logs/Security.evtx
sources:
  - queries:
      - SELECT EventData.IpAddress AS IpAddress,
               EventData.IpPort AS Port,
               EventData.ProcessName AS ProcessName,
               EventData.SubjectUserSid AS SubjectUserSid,
               EventData.SubjectUserName AS SubjectUserName,
               EventData.TargetUserName AS TargetUserName,
               EventData.TargetServerName AS TargetServerName,
               timestamp(epoch=System.TimeCreated.SystemTime) AS Time
        FROM parse_evtx(filename=securityLogFile)
        WHERE System.EventID.Value = 4648
        ORDER BY Time
Results from FS1
ladmin becomes ffast

Results from Client1
I didn't get any information back from Client1.
4. Timestamps
PsExec was executed on FS1 with the following timestamp:
2022-05-25T20:15:28.818295955Z
As mentioned above, the artifact Windows.Registry.Sysinternals.Eulacheck does not give sufficient results. The most likely reason is that the artifact looks in the registry and the corresponding entries are not there. This can be because the attacker deleted these entries to hide his activities.
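The temporal correlation that task 3 asks for, as an added example that is not part of the original write-up: the PsExec first-run time is the Amcache value reported above for FS1, the 4648 rows are constructed sample data in the column layout of the AlternateLogon4648 artifact, and the five-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Velociraptor emits RFC 3339 with nanoseconds; fromisoformat() only accepts
# up to six fractional digits, so trim the fraction and normalise the "Z".
_FRACTION = re.compile(r"(\.\d{1,6})\d*")


def parse_ts(value: str) -> datetime:
    """Parse a Velociraptor timestamp string into an aware UTC datetime."""
    value = _FRACTION.sub(r"\1", value.replace("Z", "+00:00"))
    return datetime.fromisoformat(value).astimezone(timezone.utc)


# First execution of PsExec on FS1 as reported by the Amcache artifact (page value).
PSEXEC_FIRST_RUN = "2022-05-25T20:15:28.818295955Z"

# Constructed sample rows in the column layout of the 4648 artifact (not real data).
EVENTS_4648 = [
    {"SubjectUserName": "ladmin", "TargetUserName": "backup", "TargetServerName": "FS1",
     "Time": "2022-05-25T09:02:10Z"},
    {"SubjectUserName": "svc_task", "TargetUserName": "ffast", "TargetServerName": "DC1",
     "Time": "2022-05-25T06:30:00Z"},
    {"SubjectUserName": "ladmin", "TargetUserName": "ffast", "TargetServerName": "DC1",
     "Time": "2022-05-25T20:15:31.004Z"},
]


def correlate(anchor: str, events, target_user: str, window_seconds: float = 300):
    """Return the 4648 rows for target_user within window_seconds of the anchor.

    Each hit carries OffsetSeconds (event time minus anchor); a small positive
    offset means the alternate-credential logon followed the PsExec execution.
    """
    anchor_ts = parse_ts(anchor)
    window = timedelta(seconds=window_seconds)
    hits = []
    for ev in events:
        if ev["TargetUserName"].lower() != target_user.lower():
            continue
        offset = parse_ts(ev["Time"]) - anchor_ts
        if abs(offset) <= window:
            hits.append({**ev, "OffsetSeconds": round(offset.total_seconds(), 3)})
    return sorted(hits, key=lambda h: h["OffsetSeconds"])


if __name__ == "__main__":
    for hit in correlate(PSEXEC_FIRST_RUN, EVENTS_4648, "ffast"):
        print(f"{hit['SubjectUserName']} -> {hit['TargetUserName']}@{hit['TargetServerName']} "
              f"{hit['OffsetSeconds']:+.3f}s relative to PsExec first run")
```

A hit a few seconds after the Amcache time, with the same SubjectUserName on the source host, is what supports the "ladmin becomes ffast" reading; an ffast logon hours earlier (the svc_task row) falls outside the window and is not attributed to the PsExec run.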
5. Windows Event ID 4624

Results on FS1

6. Mimikatz
To check if mimikatz was executed we can reuse the Amcache artifact from the PsExec detection, changing only the default of exeName.
name: Custom.Windows.Cybercop.psexec
description: |
  Get information from the sys
parameters:
  - name: exeName
    default: "mimikatz"
precondition: |
  SELECT OS From info() where OS = 'windows'
sources:
  - name: AmCache
    queries:
      - SELECT * FROM Artifact.Windows.System.Amcache()
        WHERE Name =~ exeName
Mimikatz was executed on FS1 from C:\Windows\Temp.
