A Forensic Analysis of APT Lateral Movement in Windows Environment
AhnLab, Junghoon Oh (jh.oh@ahnlab.com)
- Slides: 40
Agenda
01 Introduction
02 Method of Lateral Movement
03 Forensic Analysis for Lateral Movement
04 Case Study
05 Conclusion
Introduction
Introduction: Lateral Movement?
- Initial breach -> lateral movement -> accomplishing the goal of the attack
Copyright (C) AhnLab, Inc. All rights reserved.
Introduction: Need for Tracing Lateral Movement
- Tracing lateral movement -> finding the root cause, detecting the attack
Method of Lateral Movement
Method of Lateral Movement: Active Directory Environment (in Same Domain)
- Administrator system: the domain administrator account is used (RDP)
- Compromised system: stealing the domain administrator's credentials from memory
  - The domain administrator's encrypted ID/PW is saved in memory for SSO (Single Sign-On): kerberos.dll, wdigest.dll, tspkg.dll
  - The domain administrator's NTLM credentials are saved in memory: msv1_0.dll
- Using the domain administrator's NTLM credentials or decrypted ID/PW directly
- Network share point -> copy backdoor -> run backdoor (sc, at, wmic, reg, psexec, winrs)
- Normal system -> compromised system
Method of Lateral Movement: Multi-Domain Environment
- A Domain DC <- trust relationship -> B Domain DC
Method of Lateral Movement: Non-Active Directory Environment
- All systems have the same local administrator account and ID/PW
- Compromised system: stealing the local administrator's ID/PW (kerberos.dll, wdigest.dll, tspkg.dll) or NTLM credentials (msv1_0.dll) from memory
- Using the local administrator's NTLM credentials or ID/PW (the same ID/PW on every system)
- Network share point -> copy backdoor -> run backdoor (sc, at, wmic, reg, psexec, winrs)
- Normal system -> compromised system
Forensic Analysis
Forensic Analysis: Layout of Lateral Movement
- Attacker system: escalation of privileges
- Network share point: copy backdoor
- Victim system: run backdoor (sc, at, wmic, reg, psexec, winrs)
- Anti-forensics
Forensic Analysis: Program Execution
- Location: Attacker System
- Artifact
  - Prefetch: WCE execution, Cain&Abel execution
  - Shim Cache (in Registry)
  - UserAssist (in Registry)
Forensic Analysis: Program Execution
- Location: Attacker System
- Artifact
  - RecentFileCache.bcf: launching the job scheduler for installing malware and erasing the event log with wevtutil; launching malware for stealing NTLM credentials
  - Strings in memory: launching WCE
Forensic Analysis: Program Execution
- Location: Attacker System
- Artifact: wceaux.dll
  - DLL dropped from wce.exe
  - This DLL is injected into LSASS.EXE and used for acquiring/replacing credentials.
  - Usually malware saves this DLL in its resource area and uses the DLL's export functions.
Forensic Analysis: Program Execution
- Location: Attacker System
- Artifact: sekurlsa.dll
  - DLL used by mimikatz.exe
  - This DLL is injected into LSASS.EXE and used for acquiring/replacing credentials and passwords.
  - This DLL is used by malware in the same way as wceaux.dll: malware uses its export functions.
Forensic Analysis: Logon Attempt
- Location: Attacker System
- Artifact: Security Event Log
  - The event occurs when attempting to log on to another system. ID: 552 (evt) or 4648 (evtx)
    - A logon was attempted using explicit credentials (using ID/PW).
    - Information
      - Targeted system name
      - Process information: process ID, name
        - Normal case: lsass.exe (to remote), winlogon.exe (to local), taskhost.exe (to local), consent.exe (to local)
        - Suspicious case: 0x4 (System), cscript.exe, svchost.exe (to remote)
      - There is no information about whether the logon succeeded or not.
  - Attack automation: attempting 10 logons per second through automation
Forensic Analysis: NTLM Authentication
- Location: Victim System
- Artifact: Security Event Log
  - Network logon through NTLM authentication. ID: 540 (evt) or 4624 (evtx)
    - Condition
      - Logon Type: 3
      - Logon Process: NtLmSsp
      - Package Name: NTLM V2 (in the case of XP SP3, NTLM)
    - Information
      - New Logon: Account Name, Domain
      - Network Information: Workstation Name, IP, Port
Forensic Analysis: NTLM Authentication
- Real case: finding lateral movement (online game company)
  - The Security Event Log of the compromised DC (Domain Controller) server: 3158244 records
  - The filtering result with the "Logon Type : 3" keyword (network logon): 176006 records
  - The filtering result with the "NTLM V2" keyword: 2 records
    - Performing cross analysis with other artifacts: the second record includes the attack event.
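The two Security Event Log checks the preceding slides describe, the 4648 caller and rate test on the attacker system and the Logon Type 3 / NtLmSsp / NTLM V2 filter chain on the victim system, as an added Python example that is not part of the original deck. The records are constructed dictionaries with this example's own field names, not the output of any real EVTX parser.

```python
from collections import Counter
from datetime import datetime, timedelta

# Caller processes the slide lists as normal for 4648; anything else (0x4/System,
# cscript.exe, svchost.exe logging on to a remote host) deserves a closer look.
NORMAL_4648_CALLERS = {"lsass.exe", "winlogon.exe", "taskhost.exe", "consent.exe"}
BURST_THRESHOLD = 10  # explicit logons per second, the automation rate cited on the slide


def suspicious_explicit_logons(events):
    """Attacker side: 4648 (logon with explicit credentials) from an unusual caller."""
    return [e for e in events if e["event_id"] == 4648
            and e["process_name"].lower() not in NORMAL_4648_CALLERS]


def logon_bursts(events, threshold=BURST_THRESHOLD):
    """Seconds in which 4648 fired at least `threshold` times: scripted logon attempts."""
    per_second = Counter(e["time"].replace(microsecond=0)
                         for e in events if e["event_id"] == 4648)
    return sorted(t for t, n in per_second.items() if n >= threshold)


def ntlm_network_logons(events):
    """Victim side: the slide's 4624 filter chain, Logon Type 3 -> NtLmSsp -> NTLM V2."""
    return [e for e in events if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["logon_process"] == "NtLmSsp" and e["package_name"] == "NTLM V2"]


# Constructed sample records; the field names are this example's own, not a parser's.
T0 = datetime(2013, 1, 1, 3, 0, 5)
SAMPLE_EVENTS = (
    [{"event_id": 4648, "time": T0 - timedelta(minutes=9),
      "process_name": "lsass.exe", "target": "FS01"}]
    # twelve explicit logons inside one second from cscript.exe: the automation pattern
    + [{"event_id": 4648, "time": T0 + timedelta(milliseconds=80 * i),
        "process_name": "cscript.exe", "target": f"WS{i:02d}"} for i in range(12)]
    + [{"event_id": 4624, "logon_type": 3, "logon_process": "Kerberos",
        "package_name": "Kerberos", "account": "jdoe", "workstation": "WS07", "ip": "10.0.0.7"},
       {"event_id": 4624, "logon_type": 2, "logon_process": "User32",
        "package_name": "Negotiate", "account": "jdoe", "workstation": "DC01", "ip": "-"},
       {"event_id": 4624, "logon_type": 3, "logon_process": "NtLmSsp",
        "package_name": "NTLM V2", "account": "domadmin", "workstation": "WS03", "ip": "10.0.0.3"}]
)

if __name__ == "__main__":
    print("suspicious 4648 callers:", len(suspicious_explicit_logons(SAMPLE_EVENTS)))
    print("4648 bursts at:", logon_bursts(SAMPLE_EVENTS))
    for e in ntlm_network_logons(SAMPLE_EVENTS):
        print("NTLM V2 network logon:", e["account"], "from", e["workstation"], e["ip"])
```

The 4624 survivors are the small set the slide cross-checks against other artifacts; on a real domain controller the Kerberos type 3 logons are the bulk that the NtLmSsp condition removes.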
Forensic Analysis: Remote service registration/execution
- Location: Victim System
- Artifact: Security Event Log
  - Service installation, ID: 4697 (not default)
    - Information: Account Name, Domain; Service Name, Service File Name
Forensic Analysis: Remote service registration/execution
- Location: Victim System
- Artifact: System Event Log
  - Service installation, ID: 7045
    - Information: Service Name, Service File Name
  - Changing service state, ID: 7036
    - Information: whether the backdoor was executed or not
Forensic Analysis: Remote job schedule registration, execution and deletion
- Location: Victim System
- Artifact: Task Scheduler Event Log (since Windows 7)
  - Registering a job schedule, ID: 106
    - Account name used for registration
    - Job name: usually of the form "At#"
  - Starting a job schedule, ID: 200
    - The path of the file executed for the job
  - Deleting a job schedule, ID: 141
    - Account name used for registration
Forensic Analysis: Remote job schedule registration, execution and deletion
- Location: Victim System
- Artifact: Tasks folder
  - Creating an "At#.job" file under the "Tasks" folder
  - Changing the time information of the "Tasks" folder
    - This occurs by creating the "At#.job" file: Last Written, Last Accessed, MFT Entry Modified
Forensic Analysis: Countermeasure for Anti-Forensics
- Location: Victim System
- Anti-forensic behavior: after installing the backdoor, the attacker deletes the event log, the job file and the backdoor installation file.
- Countermeasure
  - Recovering the deleted event log
    - There are event log records in unallocated space after deleting with "wevtutil cl": record carving
Forensic Analysis: Countermeasure for Anti-Forensics
- Recovering deleted event records (back-tracking): records are carved from unallocated space by their header and footer, e.g. the pass-the-hash record and the network share record.
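The record carving the slide describes, as an added Python example that is not AhnLab's code: it scans a constructed byte blob standing in for unallocated space for the EVTX record magic and keeps only records whose header size agrees with the footer copy, which is what separates a whole record from a partially overwritten one. The record layout is the published EVTX format; the sample bodies are plain text standing in for BinXml.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# An EVTX event record starts with the magic "**\x00\x00", then little-endian
# size (4), record identifier (8), written FILETIME (8), the BinXml body, and a
# copy of the size as footer. The carver keys on that header/footer agreement.
RECORD_MAGIC = b"\x2a\x2a\x00\x00"
HEADER_LEN = 24
MIN_RECORD = HEADER_LEN + 4
MAX_RECORD = 0x10000  # a record never exceeds one 64 KiB chunk

def filetime_to_utc(ft):
    """FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def carve_evtx_records(blob):
    """Return (offset, record_id, written_utc, body) for each record in `blob`
    whose header size and trailing size copy agree; torn records are skipped."""
    found = []
    for m in re.finditer(re.escape(RECORD_MAGIC), blob):
        off = m.start()
        if off + HEADER_LEN > len(blob):
            break
        size, rec_id, ft = struct.unpack_from("<IQQ", blob, off + 4)
        if not MIN_RECORD <= size <= MAX_RECORD or off + size > len(blob):
            continue
        (size_copy,) = struct.unpack_from("<I", blob, off + size - 4)
        if size_copy != size:
            continue  # footer overwritten or missing: partial record
        body = blob[off + HEADER_LEN:off + size - 4]
        found.append((off, rec_id, filetime_to_utc(ft), body))
    return found

def make_record(rec_id, ft, body):
    """Build a record in the on-disk layout; used only to construct the sample."""
    size = HEADER_LEN + len(body) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + body + struct.pack("<I", size)

# Constructed "unallocated space": slack, two intact records, one torn record whose
# footer has been overwritten. FT_2013 is the FILETIME for 2013-01-01T00:00:00Z.
FT_2013 = 130014720000000000
UNALLOCATED = (
    b"\x00" * 16
    + make_record(101, FT_2013, b"<EventID>4624</EventID><LogonType>3</LogonType>")
    + b"\xff" * 7
    + make_record(102, FT_2013 + 10_000_000, b"<EventID>4697</EventID>")
    + make_record(103, FT_2013 + 20_000_000, b"<EventID>7045</EventID>")[:-4] + b"\x00" * 4
)

if __name__ == "__main__":
    for off, rec_id, when, body in carve_evtx_records(UNALLOCATED):
        print(f"offset {off}: record {rec_id} written {when.isoformat()} body {body!r}")
```

On a real image the same loop runs over the unallocated clusters, and the carved body still has to be decoded as BinXml before the event ID and logon fields can be read.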
Forensic Analysis: Countermeasure for Anti-Forensics
- Countermeasure (continued)
  - Location: Victim System
  - Deleting the job file
    - The job file is stored in the $MFT as a resident file because of its size (< 870 bytes): searching within the $MFT
    - The "MFT Modified Time" of the "Tasks" folder is used to find the attack time
Forensic Analysis: Countermeasure for Anti-Forensics
- Countermeasure (continued)
  - Location: Victim System
  - Deleting the malware file
    - Analyzing the file system log ($LogFile, $UsnJrnl)
    - NTFS Log Tracker: https://sites.google.com/site/forensicnote/ntfs-log-tracker
Forensic Analysis: Forensic Readiness
- Event Log
  - Audit policy: turn on all audits
  - Changing the size of the event log
  - Remote backup server
    - Real-time backup
    - The backup server should be excluded from the domain.
Forensic Analysis: Forensic Readiness
- $LogFile, $UsnJrnl
  - Changing the size of the log file
    - $LogFile: chkdsk /L:<size> (KB)
      - Usually 64 MB of log data covers about 3 hours
      - One percent of the volume size is recommended.
    - $UsnJrnl: fsutil usn createjournal m=<size> (byte) a=<size> (byte) <volume>
      - Usually 32 MB of log data covers about 1~2 days
      - One percent of the volume size is recommended.
Forensic Analysis: Summary (Attacker System)
Behavior | Artifact | Detail
Escalation of Privileges | Prefetch | Program execution
Escalation of Privileges | Application Compatibility Cache | Program execution
Escalation of Privileges | RecentFileCache.bcf | Program execution
Escalation of Privileges | wceaux.dll | DLL of WCE
Escalation of Privileges | sekurlsa.dll | DLL of Mimikatz
Escalation of Privileges | Memory | String search
Attempting Logon | Security Event Log | Attempting logon to another system with explicit credentials, ID: 552 (evt) or 4648 (evtx)
Forensic Analysis: Summary (Victim System)
Behavior | Artifact | Detail
NTLM Authentication | Security Event Log | Network Logon (ID: 540 or 4624); Logon Type: 3; Logon Process: NtLmSsp; Package Name: NTLM V2 or NTLM
NTLM Authentication | Network Traffic | Protocol: SMB2. Characteristics: 1. SessionSetup: NTLMSSP_NEGOTIATE 2. SessionSetup: NTLMSSP_AUTH, Domain, Username 3. TreeConnect: \\<IP or Host Name>\IPC$
Copying Backdoor | Security Event Log | File Share (ID: 5140)
Copying Backdoor | Network Traffic | Protocol: SMB2. Characteristics: 1. TreeConnect: \\<IP or Host Name>\<Share Point: C$, D$ ...> 2. Create 3. Write
Remote service registration/execution | Security Event Log | Installing Service (ID: 4697)
Remote service registration/execution | System Event Log | Installing Service (ID: 7045); Changing Service State (ID: 7036)
Remote service registration/execution | Network Traffic | Protocol: SVCCTL. Characteristics: 1. OpenSCManager 2. CreateService or OpenService, StartService 3. CloseServiceHandle
Forensic Analysis: Summary (Victim System, continued)
Behavior | Artifact | Detail
Remote job schedule registration, execution and deletion | Task Scheduler Event Log | Registering Job (ID: 106); Starting Job (ID: 200); Deleting Job (ID: 141)
Remote job schedule registration, execution and deletion | Tasks folder | Changing the time information of the "Tasks" folder by creating an "At#.job" file
Remote job schedule registration, execution and deletion | Network Traffic | Protocol: ATSVC. Characteristics: JobAdd
Remote execution with wmic | Security Event Log | Creating Process (ID: 4688): WmiPrvSE.exe
Remote registry registration | Software Registry | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Remote registry registration | Network Traffic | Protocol: WINREG. Characteristics: 1. OpenHKLM 2. CreateKey 3. QueryValue 4. SetValue 5. CloseKey
Remote execution with psexec | Security Event Log | File Share (ID: 5140): ADMIN$ share; Creating Process (ID: 4688): PSEXESVC.EXE
Remote execution with psexec | System Event Log | Changing Service State (ID: 7036): starting the PsExec service
Remote execution with psexec | Network Traffic | Protocol: SMB2. Characteristics: 1. TreeConnect: \\<IP or Host Name>\ADMIN$ 2. Create: PSEXESVC.EXE 3. Create: svcctl 4. Create: target file
Forensic Analysis: Summary (Victim System, continued)
Behavior | Artifact | Detail
Remote execution with winrs | Security Event Log | Creating Process (ID: 4688): winrshost.exe
Remote execution with winrs | Network Traffic | Protocol: HTTP. Characteristics: 1. NTLMSSP_NEGOTIATE: /wsman 2. NTLMSSP_AUTH: Domain, Username
Forensic Analysis: Summary (Countermeasure for Anti-Forensics)
Behavior | Response | Detail
Deleting Event Log | Recovering Event Log | Record carving
Deleting Job file | Keyword searching within $MFT | Confirming the MFT Modified Time of the Tasks folder; guessing the creation and deletion time of the job file
Deleting file | Analyzing File System Log ($LogFile, $UsnJrnl) | Using "NTFS Log Tracker"
Forensic Analysis: Summary (Forensic Readiness)
Target | Response | Detail
Event Log | Remote Backup Server | Real-time backup; backup server not included in the domain
Event Log | Setting Audit Policy | Turn on all audits
Event Log | Changing size of event log file | wevtutil sl
$LogFile, $UsnJrnl | Changing size of log file | $LogFile: chkdsk; $UsnJrnl: fsutil
Case Study
Case Study 1: Defense Contractor in South Korea
- Office network (not an AD environment): back tracking
- "This system is compromised." (from Mandiant)
- All systems have the same local administrator ID/PW...
- Military research institute's web server: watering hole attack, drive-by download
Case Study 2: Online Game Company in South Korea
- Office network (AD environment), server farm (AD), game DB, fiddling with money: back tracking
- Diagram labels along the trace: opening a malicious mail attachment; keylogging; downloading an Nvidia driver installation program (malicious); using the domain administrator's credentials...; gateway server connected to the office network (private line); file server; game DB
- Analysis steps: recovering deleted event records; analyzing the FTP log
Conclusion
Conclusion
- APT Lateral Movement
  - Moving laterally to find the targeted server in the internal network
  - Using the Windows authentication protocol
  - Difficulty of classification
- Necessity of Forensic Analysis
  - Removing the root cause through back-tracking
- Forensic Analysis
  - Tracing NTLM authentication
  - Finding malware
  - Countermeasure for anti-forensics
  - Forensic readiness
Thank you.
Q&A: blueangel1275@gmail.com
Reference
1. Mimikatz: http://blog.gentilkiwi.com/mimikatz
2. WCE: http://www.ampliasecurity.com/research/wcefaq.html
3. Authenticated Remote Code Execution Methods in Windows: http://www.scriptjunkie.us/2013/02/authenticated-remote-code-execution-methods-inwindows/
4. Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques: http://www.microsoft.com/en-us/download/details.aspx?id=36036
5. Trust Technologies: http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx