Escolar Documentos
Profissional Documentos
Cultura Documentos
AhnLab
Junghoon Oh
Agenda
01 Introduction
04 Case Study
05 Conclusion
Introduction
Introduction
Lateral Movement ?
Accomplishing
Goal of Attack~!!
Initial
Lateral Movement
Breach~!!!
Detecting
Finding Root Tracing Lateral Movement Attack~!!!
Cause~!!!
Administrator
System
Using DomainStealing
Administrator’s
Domain Domain Administrator’s NTLM
R Domain
encrypted
Using Administrator’s
DomainID/PW is saved
Administrator’s
Credentials is saved
Administrator Decrypted ID/PW or NTLM
in Memory(Kerberos.dll,
NTLM Credentials ID/PW
Account
D in Memory(Msv1_0.dll)
Credentials From
Wdigest.dll, Memory
tspkg.dll)
P
Network Share Point
Copy Backdoor
Run Backdoor
DC
DC DC
Copy Backdoor
Run Backdoor
Compromised Normal System
Compromised
System sc, at, wmic, reg, psexec, System
winrs
Escalation of
Privileges
NetworkShare Point
Copy Backdoor
Run Backdoor
Attacker Victim System
System
sc, at, wmic, reg,
psexec, winrs
Anti Forensics
Cain&Abel
Execution~!!
Strings in Memory
Launching WCE~!!
Usually malware saves this dll in it’s resource area and use dll’s export functions.
Using NTLM
Authentication~!!
Performing cross analysis with other artifacts second record includes attack event~!!
• Countermeasure
Recovering Deleted Event Log
There are event log records in unallocated space, after deleting with “wevtutil cl” Record Carving~!!
Back-Tracking~!!
Back-Tracking~!!
Unallocated
Unallocated Space
Space
Pass the Hash
Record
Network Share Header
Record
Record
Record
Record
Record
Record Footer
Record
Disk
Disk
Overwrited
MBR Data
Overwrited
VBR Data
File System
Destruction
VBR Data
Overwrited
Overwrited
VBR Data
Backup VBR
Overwrited
VBR Data
Backup VBR
Copyright (C) AhnLab, Inc. All rights reserved. 34
Forensic Analysis
Forensic Readiness
• Event Log
Remote backup Server
Real-time Backup
The backup server should be excluded in domain.
Drive by Download
Gat
e VPN
Way
Using Domain
administrator’s
Keylogging Credentials…
?
All systems’s password and wall B branch’s Server Farm
paper are changed.
All systems have
same local
administrator ID/PW…
Malware Functions
1. Changing password n
…
i o n ctio
t e
2. Lateral Movement via
n nec onn ion
o
Private
Network share C C &C
C citne
Line
& e
nL
3. Disk Destruction C C ante
A branch’s Server Farm i v o
PCr C C branch’s Server Farm
?
After reset,&system become
C
unbootable…
…
Recovering
Destroyed
Private Line
…
File System
• Forensic Analysis
Malware Execution
Tracing NTLM Authentication
Countermeasure for Anti Forensics
Forensic Readiness
1. Mimikatz : http://blog.gentilkiwi.com/mimikatz
2. WCE : http://www.ampliasecurity.com/research/wcefaq.html
3. Authenticated Remote Code Execution Methods in Windows :
http://www.scriptjunkie.us/2013/02/authenticated-remote-code-execution-methods-in-wind
ows/
4. Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques : http://
www.microsoft.com/en-us/download/details.aspx?id=36036
5. Trust Technologies : http://technet.microsoft.com/en-us/library/cc759554(v=ws.10).aspx