Detecting Lateral Movement with Windows Event Logs

May 27, 2015

In today's Whiteboard Wednesday, Mike Scutt, Senior Security Consultant at Rapid7, will tell you what Windows event logs you should be paying attention to in order to detect lateral movement on your network. Watch this week's video to learn more.

Video Transcript

Hello everyone, and welcome to this week's Whiteboard Wednesday. I'm Mike Scutt, a senior consultant within Rapid7's Strategic Services Group.

Show more Show less

Today, I'm going to talk to you about using Windows event log sources to detect lateral movement. This is going to follow up to our previous session where we discussed how attackers gain access into your network. Today, we're going to talk about how they move once they've successfully breached a network.

We're going to go over a few common methods of lateral movement, starting with SMB. SMB is a very standard protocol found in almost all Windows environments and is used to allow machines to communicate with each other. SMB is often repurposed by attackers to move laterally because it is trusted, and it's present. And as we go through and look at Windows security event logs, we can find evidence of attacker lateral movement.

Initially, I want to draw your attention to the four common event IDs that we have here as they relate to each different method of lateral movement, and we'll start with event 528. Security event 528 is indicative of a successful logon, and 529 is a failed logon. We also have 4624 and 4625. These relate to Windows NT5 and Windows NT6 operating systems, respectively. In addition to the four common sources we have here, particular to SMB, we would want to take a look at events 552 or 4648 as these are indicative of an attacker attempting to use the runas command or authenticate against a remote host as an alternative user, so privilege escalation.

The next lateral movement technique I want to talk about are scheduled tasks. An attacker is going to use scheduled tasks because those are very common. It's built into Windows. And it allows them to execute code either on the system they're currently on or on a remote system at a predetermined time. Often attackers will go through and move malware to another system using SMB and then uses a remote scheduled task to ensure that it executes when they want it to.

When we're looking for evidence of scheduled tasks, we do want to look for these authentication events as you do have to authenticate in order to schedule that task. But we also want to look for events 602 and 4698 on the respective operating systems as these are indicative of a scheduled task creation. When we see remote scheduled tasks, we want to pay particular attention to unnamed scheduled tasks. Those are going to be scheduled tasks with names like AT1, AT2, etc. And attackers will do that for expediency. They're not going to go through and name the tasks if they can execute something quickly and then delete that scheduled task.

The next method I want to talk to you about is PsExec. PsExec is a very common systems administration tool released by Sysinternals that allows a user to execute code remotely, similar to scheduled task, and can be invoked from the command line by a user. Same authentication events, we're going to need to be able to authenticate as an administrative user on that remote system. But we'll also see additional events in environments where PcExec is not used routinely. We'll be looking for event 601 and 4697 as those are indicative of a service creation. We'll see details within these events indicating that PS Exec was started or whichever service was installed on this system, but pay particular attention to PsExec.

The last method that I'd like to speak about is SSH. This is going to be less common in a Windows environment as, typically, you're going to have a third-party SSH daemon that will have to be installed on the system. That's typically how it's going to be used. And we would expect to see the same authentication events if we were using Active Directory or local Windows accounts to provide the authentication mechanism for SSH. Additionally, we'll be looking within application logs as most third-party SSH daemons will record additional data in those application logs.

This is a brief overview of the methods that can be used to track lateral movement within Windows event logs. There are a number of different sources that we can use, but these will be the most effective and most common.

Thanks for watching this week's Whiteboard Wednesday. Tune in next week. 

Rapid7 Incident Response Services

Speed your investigation and containment: Let Rapid7 handle any (or every) stage of your incident response.

Get More Info