Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
Remote-Exec command, PTH module, RDP and SHELL command to remotely execute commands using the WMIC.EXE utility. I will go through these TTPs in the second part.

winrm set winrm/config/winrs '@{<Quota>="<Value>"}'

winrs -r:dc_atlas "ipconfig"
The following telemetry was recorded on the destination: svchost.exe spawns winrshost.exe with the parent command line C:\Windows\system32\svchost.exe -k DcomLaunch. winrshost.exe then invokes a cmd.exe instance and executes the command within its context. winrs.exe doesn't support persistent sessions, so every time you execute a command remotely this behavior repeats itself.

svchost.exe spawns wsmprovhost.exe with the parent command line C:\Windows\system32\svchost.exe -k DcomLaunch. Invoke-Command and Enter-PSSession both run commands within the context of wsmprovhost.exe. Invoke-Command will terminate the wsmprovhost.exe process after receiving the output, while Enter-PSSession will establish a persistent session.

wsmprovhost.exe telemetry summary (flattened table, values only):
- wsmprovhost.exe
- C:\Windows\system32\wsmprovhost.exe -Embedding
- svchost.exe
- C:\Windows\system32\svchost.exe -k DcomLaunch
- AUTHORITY\SYSTEM
- \PSHost.[%NUMBERS%].[%PID%].DefaultAppDomain.wsmprovhost
- wsmprovhost.exe
- C:\Windows\System32\svchost.exe
- ServerRemoteHost (Remote PowerShell Session)
- C:\Windows\system32\wsmprovhost.exe -Embedding
EID 1, EID 91 and EID 4656 have much higher event decisiveness than the rest. I will be releasing a Mindmap that groups all this telemetry in one place at the end of this blog post series.

jump winrm command and some first differences in process tree behavior were observed at execution time:

The jump winrm command generated the same telemetry as in previous observations, except that the beacon runs under the context of a PowerShell instance invoked by wsmprovhost.exe. This is not something we can normally observe by using winrs, Invoke-Command or Enter-PSSession, unless the command invoked powershell.exe itself; then PowerShell cmdlets would produce this behavior.

"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
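As an added example (not code from the original post), the following Python script applies the process-tree observations above to constructed Sysmon EID 1 style records: cmd.exe under winrshost.exe or wsmprovhost.exe is ordinary WinRM execution, while powershell.exe under wsmprovhost.exe (scored higher when its command line has the SysWOW64 path and -s -NoLogo -NoProfile arguments observed above), and a cmd.exe spawned from that PowerShell, are the jump winrm pattern. PIDs, field names and the sample records are assumptions.

```python
import re

# Constructed Sysmon EID 1 style records (sample data, not real telemetry).
EVENTS = [
    {"pid": 800, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"C:\Windows\system32\svchost.exe -k DcomLaunch"},
    {"pid": 2100, "ppid": 800, "image": r"C:\Windows\System32\winrshost.exe",
     "cmd": r"C:\Windows\System32\winrshost.exe"},
    {"pid": 2104, "ppid": 2100, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd /c ipconfig"},
    {"pid": 3000, "ppid": 800, "image": r"C:\Windows\System32\wsmprovhost.exe",
     "cmd": r"C:\Windows\system32\wsmprovhost.exe -Embedding"},
    {"pid": 3010, "ppid": 3000, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile'},
    {"pid": 3020, "ppid": 3010, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmd": "cmd.exe /C whoami"},
]

WINRM_HOSTS = {"wsmprovhost.exe", "winrshost.exe"}
# Argument shape of the PowerShell instance that hosted the beacon in the post:
# 32-bit powershell.exe from SysWOW64 started with -s -NoLogo -NoProfile.
BEACON_PS_ARGS = re.compile(r"\\syswow64\\.*-s\s.*-nologo\s.*-noprofile", re.I)

def base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(events):
    """Return (pid, severity, reason) for each WinRM-related parent/child pair."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        p, c = base(parent["image"]), base(e["image"])
        grandparent = by_pid.get(parent["ppid"])
        if p in WINRM_HOSTS and c == "cmd.exe":
            # winrs / Invoke-Command / Enter-PSSession: the host process runs the command in cmd.exe
            findings.append((e["pid"], "info", f"{p} -> cmd.exe: command executed over WinRM"))
        elif p == "wsmprovhost.exe" and c == "powershell.exe":
            # PowerShell under wsmprovhost.exe only appears if the remote command itself started
            # powershell.exe, or when a beacon is hosted inside PowerShell (jump winrm).
            sev = "high" if BEACON_PS_ARGS.search(e["cmd"]) else "medium"
            findings.append((e["pid"], sev, "wsmprovhost.exe -> powershell.exe: PowerShell hosted in a WinRM session"))
        elif p == "powershell.exe" and c == "cmd.exe" and grandparent and base(grandparent["image"]) == "wsmprovhost.exe":
            # The beacon's shell command spawns a fresh cmd.exe from that PowerShell for every command.
            findings.append((e["pid"], "high", "wsmprovhost.exe -> powershell.exe -> cmd.exe: shell per command"))
    return findings
```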
shell command to interact with the beacon and execute commands. The shell command spawns a cmd.exe instance from the invoked powershell.exe process for every executed command.

jump winrm command: as with Enter-PSSession, jump winrm64 executes commands within the context of a wsmprovhost.exe instance. The session is persistent; no termination of the wsmprovhost.exe process was observed.

.NET API to call Windows API functions in memory using assemblies. The script then allocates some memory and copies the payload into the allocated memory space. The payload was a 64-bit DLL and the technique used was DLL reflective loading.

EID 4104 Script Block Logging:

EID 4103, this event doesn't record the output of the script.

EID 4103 Module Logging:

Get-WSManInstance -ComputerName localhost -ResourceURI Shell -Enumerate

lists all currently active remote WinRM sessions and provides useful information:

The winrm64 CS module used more than twice the memory used by Enter-PSSession for the same command.

367ABB81-9844-35F1-AD32-98F038001003
and uses RPC endpoint \PIPE\svcctl (interface SVCCTL, operation CreateServiceWoW64A).

EID 5145 A network share object was checked to see whether client can be granted desired access will be generated with Relative Target Name defined as SVCCTL and Share Name \*\IPC$.

\\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe. This will generate EID 7045 New Service Was Installed and EID 4697 A Service Was Installed in the System.

\\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe is executed and it invokes a rundll32.exe instance with no arguments, which is very suspicious. The SHELL command invokes a CMD instance.

psexec telemetry summary (flattened table, distinct values only):
- svcctl
- \*\IPC$
- \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe
- C:\Windows\System32\services.exe
- C:\Windows\System32\rundll32.exe
- psexec & psexec64
CreateServiceWOW64A

%COMSPEC% and powershell in the Service File Name field. HostApplication contains powershell -nop -w hidden -encodedcommand.

status_[0-9a-f]{2} was also observed. I provided below a gist with several regex patterns to detect hard-coded named pipes in Cobalt Strike modules. Below is an EID 5145 that can be used for this purpose, but I encourage you to use Sysmon instead for its high event traceability quality.

The shell command would invoke a cmd.exe instance.

psexec_psh command.
command.status_[0-9a-f]{2}
\*\IPC$
%COMSPEC%
or powershell
%COMSPEC%
or powershell
\\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe
C:\Windows\System32\services.exe
\\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].ex
epowershell, -nop, hidden, -encodedcommand
powershell.exe
cmd.exe
Get-ChilIt
em
PowerShell cmdlets
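To tie the psexec and psexec_psh artifacts above (and the WinRM PSHost pipe from the earlier section) into something runnable, here is an added Python triage routine that is not part of the original post. It runs over constructed event records with assumed, SIEM-style field names and labels each one with the module behaviour it matches: the svcctl access on IPC$, a service pointing at a random exe under ADMIN$, a %COMSPEC%/powershell encoded-command service, rundll32.exe with no arguments, and the hard-coded pipe names.

```python
import re

# Constructed event records (sample data, not real logs), using field names as a
# SIEM would normalize them from the Security, System and Sysmon channels.
SAMPLE_EVENTS = [
    {"eid": 5145, "ShareName": r"\*\IPC$", "RelativeTargetName": "svcctl"},
    {"eid": 7045, "ServiceName": "a1b2c3d", "ServiceFileName": r"\\127.0.0.1\ADMIN$\a1b2c3d.exe"},
    {"eid": 1, "ParentImage": r"\\127.0.0.1\ADMIN$\a1b2c3d.exe",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
    {"eid": 7045, "ServiceName": "e4f5a6b",
     "ServiceFileName": "%COMSPEC% /c powershell -nop -w hidden -encodedcommand <BASE64_PLACEHOLDER>"},
    {"eid": 17, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PipeName": r"\status_3f"},
    {"eid": 17, "Image": r"C:\Windows\system32\wsmprovhost.exe",
     "PipeName": r"\PSHost.132765401234567890.3000.DefaultAppDomain.wsmprovhost"},
    {"eid": 7045, "ServiceName": "Spooler", "ServiceFileName": r"C:\Windows\System32\spoolsv.exe"},
]

# Service binary written with a random name under the ADMIN$ share (psexec).
ADMIN_SHARE_EXE = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\[^\\]+\.exe$", re.I)
# Service command built from %COMSPEC%/powershell with an encoded command (psexec_psh).
PSH_SERVICE = re.compile(r"%COMSPEC%.*powershell|powershell.*-encodedcommand", re.I)
# Hard-coded pipe names from the post: psexec_psh's status_XX and the WinRM PSHost pipe.
CS_PIPES = re.compile(r"^\\(status_[0-9a-f]{2}|PSHost\.\d+\.\d+\.DefaultAppDomain\.wsmprovhost)$", re.I)

def triage(events):
    """Return (eid, label, reason) for each event matching a behaviour described in the post."""
    hits = []
    for ev in events:
        eid = ev["eid"]
        if eid == 5145 and ev["ShareName"].endswith("IPC$") and ev["RelativeTargetName"].lower() == "svcctl":
            hits.append((eid, "psexec/psexec_psh", "SCM reached over \\PIPE\\svcctl on the IPC$ share"))
        elif eid == 7045 and ADMIN_SHARE_EXE.match(ev["ServiceFileName"]):
            hits.append((eid, "psexec", f"service {ev['ServiceName']} points at a random exe under ADMIN$"))
        elif eid == 7045 and PSH_SERVICE.search(ev["ServiceFileName"]):
            hits.append((eid, "psexec_psh", f"service {ev['ServiceName']} runs a %COMSPEC%/powershell encoded command"))
        elif eid == 1 and ev["Image"].lower().endswith("\\rundll32.exe") and len(ev["CommandLine"].split()) == 1:
            # rundll32.exe with no arguments is abnormal; when its parent is the dropped service binary it is psexec.
            label = "psexec" if ADMIN_SHARE_EXE.match(ev["ParentImage"]) else "suspicious rundll32"
            hits.append((eid, label, "rundll32.exe started with no arguments"))
        elif eid == 17 and CS_PIPES.match(ev["PipeName"]):
            hits.append((eid, "named pipe", f"pipe {ev['PipeName']} matches a hard-coded pattern"))
    return hits
```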