Active Directory Lateral Movement Detection: Threat Research Release, November 2021
The Splunk Threat Research Team recently updated the Active Directory Lateral Movement analytic story to help security operations center (SOC) analysts detect adversaries executing these techniques within Windows Active Directory (AD) environments. In this blog post, we’ll describe some of the detection opportunities available to cyber defenders and highlight detections from the analytic story.
Watch the video below where we demonstrate how to simulate Lateral Movement techniques using Metasploit, Impacket and PurpleSharp. We then collect and analyze the resulting telemetry to test our detections using Splunk in a lab environment built with the Attack Range.
Introduction
Lateral Movement techniques enable attackers to expand their access in the network and obtain code execution on remote systems. Threat actors are typically required to perform lateral movement as achieving operational success requires exploring the target network to find the objectives. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.
There are multiple ways of moving laterally in a Windows AD network. In this blog post, we will cover detection opportunities for the techniques that abuse legitimate system administration features. This is a common vector employed by attackers as it allows them to blend in with regular administration tasks.
The abused features provide network interfaces that, combined with stolen administrative credentials, enable remote code execution. The features in scope are:
Telemetry and Logging
The first step is to gain a good understanding of the telemetry generated by the execution of these techniques. This intelligence can drive our logging requirements as well as content prioritization.
This section aims to provide a high level overview of the most actionable telemetry and data sources defenders can leverage to build detection coverage for lateral movement.
Authentication Events
From an authentication perspective, there are two main scenarios in which lateral movement can occur. These scenarios generate different authentication events on domain controllers as well as the source and target systems. Please note this is not intended to be a complete list.
Authentication logging across all domain endpoints can help us detect and investigate lateral movement attacks.
Using Kerberos
In this scenario, the source of the attack is likely a domain-joined compromised endpoint controlled by an attacker via a malware implant. Kerberos events are logged on the domain controller (Events 4768: “A Kerberos authentication ticket (TGT) was requested” and 4769: “A Kerberos service ticket was requested”) while Network Logon events (Events 4624: “An account was successfully logged on” and 4672: “Special privileges assigned to new logon”) are logged on the target endpoint. In certain scenarios, a 4648: “A logon was attempted using explicit credentials” event will also be logged on the source endpoint.
Using NTLM
In this scenario, the source of the attack may be an attacker-owned endpoint. This could occur either through a physical attack or through a SOCKS proxy. An NTLM authentication event is logged on the domain controller (Event 4776: “The computer attempted to validate the credentials for an account”) while Network Logon events (Events 4624: “An account was successfully logged on” and 4672: “Special privileges assigned to new logon”) are logged on the target endpoint. In certain scenarios, a 4648: “A logon was attempted using explicit credentials” event will also be logged on the source endpoint.
Process Creation: Source Host
A common vector available to attackers for moving laterally is to abuse command line administration tools available out of the box on Windows endpoints. Tools like sc.exe, wmic.exe, schtasks.exe, winrs.exe, PowerShell and others can be abused to interact with remote services and obtain remote code execution.
Process and command line logging (Windows Security Event ID 4688, Sysmon, or any CIM-compliant EDR technology) across all domain endpoints can help us identify compromised endpoints being used as a pivot to move laterally.
Process Creation: Target Host
The goal of lateral movement is to ultimately obtain code execution on the target endpoint by spawning a malicious process. Abusing the mentioned administrative features introduces an interesting detection opportunity for blue teams: the offending process will be spawned from a small set of known parent processes. Looking for suspicious child processes spawned off of this list may uncover lateral movement behavior.
Process and command line logging (Windows Security Event ID 4688, Sysmon, or any CIM-compliant EDR technology) across all domain endpoints can help us identify the targets of lateral movement techniques.
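The parent/child check described above, as an added example that is not part of the original post or the analytic story: it runs over constructed 4688/Sysmon-style records and flags command interpreters and script hosts spawned by the service hosts of each remote administration feature. The parent-to-technique mapping and the child list are this example's own assumptions and should be tuned to your environment.

```python
# Parent processes that spawn the remote command for each administrative
# feature abused for lateral movement (assumed mapping for this example).
LATERAL_PARENTS = {
    "services.exe":    "Service Control Manager (sc.exe / PsExec-style)",
    "wmiprvse.exe":    "WMI (wmic.exe / WMI scripts)",
    "wsmprovhost.exe": "WinRM (winrs.exe / PowerShell Remoting)",
    "mmc.exe":         "DCOM (MMC20.Application)",
}
# Children that rarely belong under those parents outside of remote execution.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                       "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe", "bitsadmin.exe"}

def basename(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_lateral_movement_children(events):
    """Return (host, parent, child, technique) for each suspicious pairing.

    `events` are process-creation records (Security 4688 / Sysmon Event 1 style)
    as dicts with host, parent_image, image and command_line fields.
    """
    hits = []
    for ev in events:
        parent = basename(ev["parent_image"])
        child = basename(ev["image"])
        if parent in LATERAL_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append((ev["host"], parent, child, LATERAL_PARENTS[parent]))
    return hits

# Constructed sample telemetry (not real logs): two remote-execution hits plus
# benign activity (a normal service host, an interactive shell) that must not fire.
SAMPLE_EVENTS = [
    {"host": "srv01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /Q /c whoami"},
    {"host": "srv02", "parent_image": r"C:\Windows\System32\wsmprovhost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -c whoami"},
    {"host": "srv03", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
    {"host": "ws04", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_lateral_movement_children(SAMPLE_EVENTS):
        print(hit)
```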
Windows Service and Scheduled Task Creation
Abusing the Service Control Manager and the Task Scheduler for lateral movement involves creating a remote service or scheduled task on victim endpoints. Both events are natively logged by Windows endpoints: Event 7045: “A new service was installed on the system” and Event 4698: “A scheduled task was created”.
Building content leveraging these events can help defenders identify suspicious services and scheduled tasks.
Active Directory Lateral Movement Analytic Story
The update on the analytic story introduced 25 new and 5 modified detections. In this section, we describe some of these analytics.
Native Administration Tools
The operators of the Ryuk ransomware are known to leverage wmic.exe for lateral movement. NOBELIUM, the actor who carried out the most sophisticated nation-state cyber-attack in history, leveraged PowerShell and WMI as well as schtasks.exe to obtain remote code execution.
With this background, we developed the following analytics to catch adversaries abusing native command line tools for lateral movement.
Randomly Generated Object Names
Tools like Metasploit, Cobalt Strike, Impacket, CrackMapExec and others will generate random names for the services or tasks they create to move laterally. Looking for randomly generated names provides a good hunting opportunity for defenders.
These hunts do not apply only to lateral movement, as adversaries abuse these features across the attack lifecycle, including during Execution, Persistence and Privilege Escalation.
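One way to hunt for generated names in Event 7045 (service installed) and Event 4698 (scheduled task created) records, as an added example that is not part of the original post or the analytic story. The heuristic (few vowels, few repeated characters, one alphanumeric token) and its thresholds are this example's assumptions; legitimate names that trip it, such as MsMpEng, are handled by an environment allowlist.

```python
import re

VOWELS = set("aeiouAEIOU")
NAME_FIELD = {7045: "ServiceName", 4698: "TaskName"}   # event -> object name field

def looks_random(name):
    """Heuristic for generated names: one alphanumeric token of 4-16 chars with
    almost no vowels and almost no repeated characters. Thresholds are this
    example's assumptions; tune them against your own baseline of names."""
    if not re.fullmatch(r"[A-Za-z0-9]{4,16}", name):
        return False
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    distinct_ratio = len(set(name.lower())) / len(name)
    return vowel_ratio < 0.25 and distinct_ratio >= 0.85

def hunt_random_object_names(events, allowlist=frozenset()):
    """Return sorted (host, EventCode, name) for 7045 service and 4698 task
    creations whose name looks generated and is not allowlisted."""
    hits = set()
    for ev in events:
        field = NAME_FIELD.get(ev.get("EventCode"))
        if field is None:
            continue
        name = ev[field].rsplit("\\", 1)[-1]   # task names are paths; keep the leaf
        if name not in allowlist and looks_random(name):
            hits.add((ev["host"], ev["EventCode"], name))
    return sorted(hits)

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"EventCode": 7045, "host": "srv01", "ServiceName": "ZqYrkPwa"},
    {"EventCode": 7045, "host": "srv02", "ServiceName": "TNFx"},
    {"EventCode": 7045, "host": "ws03", "ServiceName": "gupdate"},
    {"EventCode": 7045, "host": "ws04", "ServiceName": "MsMpEng"},   # legitimate, but looks random
    {"EventCode": 7045, "host": "ws05", "ServiceName": "sppsvc"},
    {"EventCode": 4698, "host": "ws06", "TaskName": r"\kzQeGWYd"},
    {"EventCode": 4698, "host": "ws07", "TaskName": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start"},
]
# Names baselined as legitimate in this constructed environment.
ALLOWLIST = frozenset({"MsMpEng"})

if __name__ == "__main__":
    print(hunt_random_object_names(SAMPLE_EVENTS, ALLOWLIST))
```

Rank the hits by how many hosts have ever seen the name; a generated name is typically unique per host, while a legitimate service name recurs across the fleet.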
Suspicious Service or Schedule Task
Process Relationships: LOLBAS
The LOLBAS (Living Off The Land Binaries and Scripts) project documents every binary that can be used for living off the land techniques. It is a great resource defenders can use for detection engineering use cases.
We focused on the `Execute` LOLBAS category to create the following analytics:
Process Relationships: PowerShell Spawn
With its own ATT&CK technique ID, T1059.001, PowerShell is commonly abused by threat actors to perform a large number of actions. Combining lateral movement techniques with PowerShell one-liners can be an effective vector as demonstrated by APT actors.
ATT&CK techniques referenced: T1021.003 (Remote Services: Distributed Component Object Model), T1021.006 (Remote Services: Windows Remote Management), T1047 (Windows Management Instrumentation), T1053.005 (Scheduled Task/Job: Scheduled Task), T1543.003 (Create or Modify System Process: Windows Service), T1059.001 (Command and Scripting Interpreter: PowerShell).
Impacket Command Line Parameters
Impacket is a collection of Python classes that implement the most common Microsoft network protocols. Cybercrime actors, like ransomware operators, as well as espionage actors, like the Berserk Bear APT group, are known to leverage Impacket for lateral movement.
By default, the Impacket remote code execution scripts (wmiexec.py, smbexec.py, psexec.py, atexec.py, dcomexec.py) leverage administrative shares for output collection and hardcoded parameters for process execution. These can be used as a signature to detect their use.
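The default command shapes as a detection signature, as an added example that is not part of the original post or the analytic story. The patterns are taken from Impacket's public source and assume the operator kept the defaults (127.0.0.1, the ADMIN$ or C$ share, the __output file, execute.bat and %windir%\Temp); an operator who changes those parameters evades them.

```python
import re

# Default command shapes of Impacket's remote execution scripts (from the public
# source; assumed unchanged in the version you face). Each regex is matched
# against the child process's full command line on the target host.
IMPACKET_SIGNATURES = {
    # wmiexec.py / dcomexec.py: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
    "wmiexec/dcomexec": re.compile(
        r"/Q /c .+ 1> \\\\127\.0\.0\.1\\(ADMIN|C)\$\\__[0-9.]+ 2>&1", re.I),
    # smbexec.py: echoes the command into %TEMP%\execute.bat, output to \\127.0.0.1\C$\__output
    "smbexec": re.compile(
        r"%COMSPEC% /Q /c echo .+ \\\\127\.0\.0\.1\\C\$\\__output .*execute\.bat", re.I),
    # atexec.py: cmd.exe /C <cmd> > %windir%\Temp\<random>.tmp 2>&1
    "atexec": re.compile(
        r"cmd\.exe /C .+ > %windir%\\Temp\\[A-Za-z0-9]+\.tmp 2>&1", re.I),
}

def match_impacket(command_line):
    """Return the script family whose default command shape matches, else None."""
    for family, pattern in IMPACKET_SIGNATURES.items():
        if pattern.search(command_line):
            return family
    return None

def scan_process_events(events):
    """(host, family, command_line) for each 4688/Sysmon record that matches."""
    hits = []
    for ev in events:
        family = match_impacket(ev["command_line"])
        if family:
            hits.append((ev["host"], family, ev["command_line"]))
    return hits

# Constructed process-creation records (not real logs); the last one is an
# administrator's ordinary output redirection and must not match.
SAMPLE_EVENTS = [
    {"host": "srv01", "command_line":
     r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1636000000.1234 2>&1"},
    {"host": "srv02", "command_line":
     r"%COMSPEC% /Q /c echo net user ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat "
     r"& %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"host": "srv03", "command_line": r"cmd.exe /C hostname > %windir%\Temp\AbCdEf12.tmp 2>&1"},
    {"host": "ws04", "command_line": r"cmd.exe /c dir 1> C:\temp\out.txt 2>&1"},
]

if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_EVENTS):
        print(hit)
```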
Administrative shares
Tools like PsExec and others leverage administrative SMB shares (Admin$, IPC$) to stage service binaries. It's uncommon for system administrators to leverage administrative shares.
Mass Authentication
Once the right privileges have been obtained in an Active Directory network, adversaries can control any host on the network remotely. In certain scenarios, they may leverage this privilege to authenticate to a large number of hosts in a short period of time to complete an objective. As an example, the leaked Conti playbook instructs its affiliates to stage the ransomware binary across the entire domain by authenticating to all endpoints and running a command to copy it from a network share.
Leaked Conti Ransomware Playbook
Leveraging Kerberos Service Ticket request (4769) and Logon (4624) events, we created two hunting analytics that leverage Splunk’s statistical commands to help defenders identify outliers.
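The outlier logic behind such a hunt, as an added example that is not part of the original post or the analytic story: it buckets successful network logons (4624, logon type 3) per user and hour, counts distinct destination hosts, and flags an hour that exceeds that user's baseline from the other hours by three standard deviations. The sigma and minimum-host thresholds, the field names and the sample telemetry are this example's assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def hour_bucket(timestamp):
    """'2021-11-01T06:13:00' -> '2021-11-01T06'."""
    return timestamp[:13]

def distinct_targets_per_hour(events):
    """{user: {hour: set(dest_hosts)}} from successful network logons (4624, type 3)."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev["EventCode"] == 4624 and ev["LogonType"] == 3:
            buckets[ev["user"]][hour_bucket(ev["time"])].add(ev["dest"])
    return buckets

def find_mass_authentication(events, sigma=3.0, min_hosts=10):
    """Flag (user, hour, count) where the number of distinct destination hosts
    exceeds the user's baseline from the other hours by `sigma` standard
    deviations and at least `min_hosts` hosts were touched. The current hour is
    left out of its own baseline so one spike cannot hide itself."""
    hits = []
    for user, hours in distinct_targets_per_hour(events).items():
        counts = {h: len(d) for h, d in hours.items()}
        for h, n in sorted(counts.items()):
            others = [c for o, c in counts.items() if o != h]
            if n < min_hosts or not others:
                continue
            threshold = mean(others) + sigma * pstdev(others)
            if n > threshold:
                hits.append((user, h, n))
    return hits

def build_sample_events():
    """Constructed 4624 telemetry (not real logs): a service account with a steady
    baseline of 2-4 hosts per hour that suddenly touches 40 hosts, and a normal user."""
    events = []
    per_hour = {"svc_backup": [2, 3, 4, 3, 2, 3, 40], "alice": [1, 2, 1, 1, 2, 1, 1]}
    for user, counts in per_hour.items():
        for hour, n in enumerate(counts):
            for i in range(n):
                events.append({"EventCode": 4624, "LogonType": 3, "user": user,
                               "time": f"2021-11-01T{hour:02d}:15:00", "dest": f"ws{i:02d}"})
    return events

if __name__ == "__main__":
    print(find_mass_authentication(build_sample_events()))
```

The same count-distinct-then-baseline shape applies to 4769 on the domain controller, keyed on the requesting account and the service name instead of the destination host.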
Automating with SOAR Playbooks
Almost all of the previously mentioned detections are classified as TTPs. These are considered higher confidence and, likewise, should be responded to immediately. The Splunk Threat Research Team therefore recommends following your organization’s standard incident response workflows. Below is a series of playbooks that may offer useful remediation actions, depending on which detections were triggered and which hosts or identities were potentially compromised:
The Splunk Threat Research Team also wants to highlight the Risk Notable Playbook Pack released by Philip Royer and Kelby Shelton. You can view the talk they presented at .conf21 that highlights these playbooks here. These are available today, in product, for all Splunk SOAR customers. The implementation guide is available on docs.splunk.com and you can preview any individual playbook within this pack on research.splunk.com.
Learn More
You can find the latest content about security analytic stories on GitHub or our recently launched security content website, research.splunk.com. Splunk Security Essentials also has all these detections now available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Feedback
Any feedback or requests? Feel free to open an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
Author and Contributors
Credit to author Mauricio Velazco and collaborators Michael Haag, Teoderick Contreras, Lou Stella, Philip Royer, Jose Hernandez, David Dorsey.