How to Hunt for Lateral Movement on Your Network

Threat Hunting for
Lateral Movement
Presented by:
Ryan Nolette – Security Technologist
Adam Fuchs – CTO

© 2017 Sqrrl Data, Inc. All rights reserved. 2
Your Presenters
Adam Fuchs
Sqrrl CTO
Ryan Nolette
Sqrrl Security Technologist
2

Agenda
  Lateral Movement Overview
  What is it?
  Common Techniques
  The Lateral Movement Process
  Compromise
  Reconnaissance
  Credential Theft
  The Lateral Movement event
Sqrrl Lateral Movement Detectors
  Demo
  Q&A

  Techniques that enable attackers to
access and control systems within your
network
  Leveraged for:
  Access to speciﬁc information or ﬁles
  Remote execution of tools
  Pivoting to additional systems
  Access to additional credentials
  Movement across a network from one
system to another may be necessary to
achieve goals
  Often key to an attacker’s capabilities and
a piece of a larger set of dependencies
What am I referring to when I say Lateral Movement?

Application Deployment Software
Exploitation of VulnerabilityLogon Scripts
Pass the Hash
Remote Desktop Protocol
Remote File Copy
Remote ServicesReplication Through Removable Media
Shared Webroot
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management
Different Types of Lateral Movement

BAD
Patient 0:
original
Infection
Successful
Lateral
Movement
Failed Data access
from compromised
host after lateral
movement
Failed Data access
from Patient 0
Successful
Lateral
Movement
Successful Data access
from compromised host
after lateral movement
Company’s
Customer
Financial
Records
Lateral Movement

Login to new
system
•  psexec - shell
•  RDP – GUI
•  Proﬁt
LateralMovement
Tools
•  Mimikatz
•  Pwdump
•  Generic memory
dump
Goal
•  To gather either
plaintext credential
to use for generic
system
authentication
•  Password hash to
pass to a system in
place of a password
•  Ultimately elevate
your privileges from
the current
compromised user
to an administrative
user
CredentialTheft
Human Attacker
starts running
system
commands to
gather
intelligence
Examples of recon:
•  Network
•  netstat – see active
network
connections
•  Nmap – network
scanner
•  Net use – access to
resources
•  System
•  Net user – manage
local/domain
accounts
•  Task list – what
processes are
running on system
Reconnaissance
Stages
•  Infected system
checks in with
command and
control server/s
•  Human Attacker
gives command to
infected system to
allow access
•  remote shell
•  GUI interface
options
•  Human attacker
starts
reconnaissance
Compromise
Infection to Lateral Movement Process
Infection
Techniques
•  Phishing email
•  Drive by
•  Exploit kit
•  Flash drive
Infection
Rinse and Repeat for each system as needed or wanted

  Communication with the
compromised systems and C&C
(command and control) servers
is established
  Threat actors need to sustain
persistent access across the
network
  They move laterally within the
network and gain higher
privileges through the use of
different tools
Windows
Reverse
Shell

Compromise

  To move laterally within a breached
network and maintain persistence,
attackers obtain information like
network hierarchy, services used in
the servers and operating systems
  Attackers check the host naming
conventions to easily identify
speciﬁc assets to target
  Attackers utilize this info to map the
network and acquire intelligence
about their next move
Recon Local Accounts
Recon Domain Accounts
Reconnaissance

  Once threat actors identify other
“territories” they need to access, the next
step is to gather login credentials
  Cracking and Stealing Passwords
  Pass the Hash: involves the use of a
hash instead of a plaintext password
in order to authenticate and gain
higher access
  Brute force attack: simply guessing
passwords through a predeﬁned set
of passwords
  Using gathered information, threat actors
move to new territories within the network
and widen their control
Running Mimikatz in memory via powershell
Credential Theft
  These activities are often unnoticed by IT
administrators, since they only check
failed logins without tracking the
successful ones

  Attackers can now remotely access
desktops
  Accessing desktops in this manner is not
unusual for IT support staff
  Remote access will therefore not be readily
associated with an ongoing attack
  Attackers may also gather domain
credentials to log into systems, servers,
and switches
  Remote control tools enable attackers to
access other desktops in the network and
perform actions like executing programs,
scheduling tasks, and managing data
collection on other systems
Lateral Movement – Using Stolen Credentials
  Tools and techniques used for this
purpose include remote desktop tools,
PsExec, and Windows Management
Instrumentation (WMI)
  Note that these tools are not the only
mechanisms used by threat actors in
lateral movement

https://xkcd.com/1831/

DETECTING LATERAL
MOVEMENT WITH DATA
SCIENCE

  LM evidence comes from:
  Windows Events
  Syslog
  VPN
  Endpoint sensors
  Primary ﬁelds:
  Source
  Destination
  User
  Time
  Extra Information:
Data

Target Speciﬁc Techniques
•  e.g. Pass The Hash detection
•  Very speciﬁc means low false positives
•  May miss new techniques
Search for General Graph Patterns
•  Hard to hide from
•  May pick up unrelated similar patterns
Specialized Generic
Abstraction Spectrum Trade-Off

(3)
Rarely-‐Seen
Logins

(4)
Fan-‐outs,
including
failed
logins

(2) Overall Timeframe in expected range
(1) Expected Inter-login
Time Distribution
(5) Not too big,
Not too small
LM Graph Pattern Characteristics

Lateral Movement Strategy
  Rank individual logins
  Train: learn common user login patterns from the data
  Predict: assign rank (logLikelihoodRatio) to every login. Rank high those that are
unusual
  Construct time-ordered connected sequences of logins
  Predict: ﬁnd top N sequences of logins with the highest combined rank

  Used to determine base risk for logins
  Extensible feature vectors mix numerical,
categorical, and text features
TDigests for numerical
  Bag of words for text
Vectorized categorical statistics
  Learns “normal” in-situ
  Priors out-of-the-box
  Every network is different
  Scalable spark implementations
Generalized “Rarity” Classiﬁer

Multi-Hop Predict
192.168.1.101
192.168.1.104

192.168.1.78
192.168.1.83

Multi-Hop Predict: Combinatorics
  General Problem: Subgraph Isomorphism
  5 edges è 25 = 32 subgraphs
  10 edges è 210 = 1024 subgraphs
  20 edges è 220 = 1,048,576 subgraphs
  We run with billions of edges...
  Solution: grow small subgraphs in parallel
  Prune early and often
Aglomerative clustering
  Message passing
192.168.1.101
192.168.1.104

192.168.1.78
192.168.1.83

Multi-Hop Predict: Message Passing

Scalable Implementation
  Large scale, parallel implementation
  Multiple Independent Variable Bayesian
Classiﬁer (MIVB)
  Spark extension for graph processing
  High performance message passing
implementation
  Used for agglomerative clustering /
detection of LM structures

Processing Workflow
Sqrrl Auth/Login
Sources
Spark / GraphX
Classiﬁer
Training
Single-Hop
Predict
Multi-Hop
Predict
Evidence Tables
Sqrrl CounterOps
Model
Trained
Classiﬁer

False Positive Reduction
1.  Rank:
2.  Normalize:
•  Smooth out discontinuities in ranking function
•  Apply historical context to determine probability of seeing a given rank
•  Convert to risk score based on likelihood * impact
3.  Threshold:
•  Analysts usually care about LMs over risk X
Base risk factor Time risk factor Size risk factor

Building the LM Detector
TTP Alignment
Threat Hunters
Behavior and
Structural
Decomposition
High-Risk Classiﬁer
(Subgraphs)
Data Scientists
Log-Likelihood
Ranking
Normality Classiﬁer
(MIVB)
Scalable Implementation
(Spark, GraphX)
Computer Scientists
Deployable Workflow
with In-Situ Training
Rank Statistics
Normalization
Security Analyst
Contextual Exploration
and Visualization

REAL WORLD
THREAT HUNTING FOR
LATERAL MOVEMENT

Lateral Movement

Thank you!
threathunting.org
For hunting eCourses, papers and
other resources
&
threathunting.net
For a repository of hunting techniques

How to Hunt for Lateral Movement on Your Network

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to How to Hunt for Lateral Movement on Your Network (20)

More from Sqrrl (20)

Recently uploaded (20)

How to Hunt for Lateral Movement on Your Network