CAS Cybersecurity
Lateral Movement Detection

Velociraptor Lateral Movement Exercise

1. Introduction and Tasks

Lateral movement is the adversary's movement through the internal network toward the organization's target data, typically in order to exfiltrate it. In this challenge you will solve tasks to detect lateral movement using Velociraptor.

Someone exfiltrated files from the Domain Controller DC1 using the compromised Domain Administrator account ffast. In this task we want to find out how the adversary compromised the Domain Administrator account ffast. You suspect that the attacker used the pass-the-hash technique with PsExec and mimikatz. Now it is your task to prove that.

  1. Provide an Artifact that detects the execution of PsExec. The Artifact must show the first execution time of PsExec in date time format.

  2. Use Windows Event ID 4648 to find out the user that executed PsExec to become Domain Administrator ffast on the destination computer (i.e. DC1). Provide an Artifact for this purpose. It should show at least the parameters SubjectUserName, TargetUserName, TargetServerName and LogonTime (in date-time format) from Windows Event ID 4648.

  3. In questions 1 and 2 you found timestamps in date-time format. Correlate them temporally and reason about whether they could be related to each other.

  4. Use Windows Event ID 4624 to find the user that executed PsExec to become Domain Administrator ffast on the source computer. Provide an Artifact for this purpose. It should show at least the parameters IpAddress (of the source), TargetUserName and LogonType from Windows Event ID 4624.

  5. Find out if mimikatz was executed using Velociraptor and Amcache.

2. Detect the execution of PsExec

Velociraptor ships with the artifact Windows.Registry.Sysinternals.Eulacheck, but it only checks the HKCU key, so it only sees the EULA acceptance of users who are currently logged in and misses users who are not.

Let's create a custom artifact that checks the Amcache for PsExec instead:

name: Custom.Windows.Cybercop.psexec
description: |
    Get information from the sys

parameters:
    - name: exeName
      default: "psexec"

precondition: |
    SELECT OS From info() where OS = 'windows'
    
sources:

    - name: AmCache
      queries:
        - SELECT * FROM Artifact.Windows.System.Amcache()
            WHERE Name =~ exeName

After a while the hunt results show that PsExec was executed on FS1.

3. Windows Event ID 4648

The SANS Hunt Evil poster also notes that when PsExec is executed with alternate credentials, a Windows Event with ID 4648 is logged on the source host. Velociraptor provides an artifact that we can adapt to search for specific logon event IDs.

Let's create a custom artifact for that:

name: Custom.Windows.EventLogs.AlternateLogon4648
description: |
  Logon specifying alternate credentials - if NLA enabled on
  destination Current logged-on User Name Alternate User Name
  Destination Host Name/IP Process Name

reference:
  - https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: securityLogFile
    default: C:/Windows/System32/Winevt/Logs/Security.evtx

sources:
  - queries:
      - SELECT EventData.IpAddress AS IpAddress,
               EventData.IpPort AS Port,
               EventData.ProcessName AS ProcessName,
               EventData.SubjectUserSid AS SubjectUserSid,
               EventData.SubjectUserName AS SubjectUserName,
               EventData.TargetUserName AS TargetUserName,
               EventData.TargetServerName AS TargetServerName,
               timestamp(epoch=System.TimeCreated.SystemTime ) as Time
        FROM parse_evtx(filename=securityLogFile)
        WHERE System.EventID.Value = 4648
        ORDER BY Time

Results from FS1

ladmin becomes ffast

Results from Client1

I didn't get any information back from Client1.

4. Timestamps

PsExec was executed on FS1 with the following timestamp:

2022-05-25T20:15:28.818295955Z

As mentioned above, the artifact Windows.Registry.Sysinternals.Eulacheck does not give sufficient results. The most likely reason is that the artifact looks in the registry and the corresponding entries are not there, which can happen when the attacker deletes these entries to hide their activity.

5. Windows Event ID 4624

Results on FS1
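As an added example (it is not part of the course page or of the Velociraptor project), the following Python script performs the temporal correlation asked for in task 3 and the 4624 triage of task 4 over rows shaped like the JSON export of the Amcache, 4648 and 4624 artifacts. The field names (Host, KeyMTime, Time, LogonType, ...), the correlation window and all sample rows are assumptions; only the PsExec timestamp and the host and account names come from the write-up. It also shows the one practical snag of this exercise: Velociraptor emits nanosecond timestamps, which Python's datetime cannot parse without truncation.

```python
"""Correlate PsExec evidence with Security-log logon events (tasks 3 and 4).

Added example for this exercise; it is not part of the course page or of the
Velociraptor project. It runs over rows shaped like the JSON export of the
Amcache, 4648 and 4624 artifacts. Field names are assumptions: adjust them to
the column names of your own export.
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per case


def parse_ts(value: str) -> datetime:
    """Parse a Velociraptor RFC 3339 timestamp into an aware UTC datetime.

    Velociraptor writes nanosecond fractions ("...28.818295955Z"); Python's
    datetime only stores microseconds, so the fraction is cut to six digits
    before parsing. Only the 'Z' (UTC) suffix is handled here.
    """
    base, _, frac = value.rstrip("Z").partition(".")
    micro = frac[:6].ljust(6, "0")
    naive = datetime.strptime(f"{base}.{micro}", "%Y-%m-%dT%H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


# Constructed sample rows (not real hunt output). The PsExec KeyMTime is the
# timestamp recorded for FS1 in the write-up; every other value is made up.
AMCACHE_ROWS = [
    {"Host": "FS1", "Name": "psexec.exe",
     "Binary": "C:\\Users\\ladmin\\Downloads\\psexec.exe",
     "KeyMTime": "2022-05-25T20:15:28.818295955Z"},
]
EVT4648_ROWS = [
    {"Host": "FS1", "SubjectUserName": "ladmin", "TargetUserName": "ffast",
     "TargetServerName": "DC1", "Time": "2022-05-25T20:15:41.102Z"},
    {"Host": "FS1", "SubjectUserName": "ladmin", "TargetUserName": "backup",
     "TargetServerName": "FS1", "Time": "2022-05-25T08:03:10Z"},  # hours earlier
]
EVT4624_ROWS = [
    {"Host": "DC1", "TargetUserName": "ffast", "LogonType": "3",
     "IpAddress": "10.0.0.15", "Time": "2022-05-25T20:15:41.377Z"},
    {"Host": "DC1", "TargetUserName": "ffast", "LogonType": "2",
     "IpAddress": "-", "Time": "2022-05-24T09:00:00Z"},  # console logon, day before
]


def correlate_psexec_with_4648(amcache_rows, evt4648_rows, window=WINDOW):
    """Task 3: pair each PsExec Amcache entry with 4648 events on the same host
    that occur within `window` after it. The write-up treats KeyMTime as the
    first execution time; a 4648 a few seconds later naming another account
    and a remote TargetServerName is the alternate-credential logon."""
    matches = []
    for exe in amcache_rows:
        if "psexec" not in exe["Name"].lower():
            continue
        started = parse_ts(exe["KeyMTime"])
        for ev in evt4648_rows:
            delta = parse_ts(ev["Time"]) - started
            if ev["Host"] == exe["Host"] and timedelta(0) <= delta <= window:
                matches.append({
                    "Host": exe["Host"],
                    "SubjectUserName": ev["SubjectUserName"],
                    "TargetUserName": ev["TargetUserName"],
                    "TargetServerName": ev["TargetServerName"],
                    "DeltaSeconds": round(delta.total_seconds(), 3),
                })
    return matches


def remote_logons_for(evt4624_rows, target_user, logon_types=("3", "9")):
    """Task 4: 4624 events in which `target_user` was logged on with a logon
    type typical for lateral movement: 3 (network; on the destination it
    carries the source IpAddress) and 9 (NewCredentials; left on the source
    when alternate credentials are injected into a new logon session)."""
    return [
        {"Host": r["Host"], "IpAddress": r["IpAddress"],
         "LogonType": r["LogonType"], "Time": r["Time"]}
        for r in evt4624_rows
        if r["TargetUserName"] == target_user and r["LogonType"] in logon_types
    ]


def build_timeline(amcache_rows, evt4648_rows, evt4624_rows):
    """Merge all three sources into one UTC-ordered list of (time, host, source, summary)."""
    events = []
    for r in amcache_rows:
        events.append((parse_ts(r["KeyMTime"]), r["Host"], "Amcache", r["Binary"]))
    for r in evt4648_rows:
        events.append((parse_ts(r["Time"]), r["Host"], "4648",
                       f'{r["SubjectUserName"]} -> {r["TargetUserName"]}@{r["TargetServerName"]}'))
    for r in evt4624_rows:
        events.append((parse_ts(r["Time"]), r["Host"], "4624",
                       f'{r["TargetUserName"]} type {r["LogonType"]} from {r["IpAddress"]}'))
    return sorted(events)


if __name__ == "__main__":
    for m in correlate_psexec_with_4648(AMCACHE_ROWS, EVT4648_ROWS):
        print(f'{m["SubjectUserName"]} became {m["TargetUserName"]} on '
              f'{m["TargetServerName"]} {m["DeltaSeconds"]}s after PsExec ran on {m["Host"]}')
    for t, host, src, summary in build_timeline(AMCACHE_ROWS, EVT4648_ROWS, EVT4624_ROWS):
        print(t.isoformat(), host, src, summary)
```

Run it directly to see the single ladmin-to-ffast match about twelve seconds after the PsExec Amcache entry, followed by the merged timeline; to use it on real hunt output, replace the constructed lists with the rows of your own export and keep the hosts separate, since the 4648 is expected on the source (FS1) and the type 3 4624 on the destination (DC1).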

6. Mimikatz

To check whether mimikatz was executed we can again use the Amcache artifact that I've already used for the PsExec detection.

# Same artifact as in section 2; only the default value of exeName changes.
name: Custom.Windows.Cybercop.psexec
description: |
    Get information from the sys

parameters:
    - name: exeName
      default: "mimikatz"

precondition: |
    SELECT OS From info() where OS = 'windows'
    
sources:

    - name: AmCache
      queries:
        - SELECT * FROM Artifact.Windows.System.Amcache()
            WHERE Name =~ exeName

Mimikatz was executed on FS1 from C:\Windows\Temp.


Last updated 2 years ago