How to Defend Against Lateral Movement in Windows With OSSEC
You may have started to see greater usage of the term “lateral movement” with regards to cyber attacks. Long a directional and network traffic term, lateral movement now commonly means unauthorized connection and sharing of files between two or more internal endpoints. While an initial breach usually comes from the outside, lateral movement occurs when your system is unable to prevent employees or network access points from exchanging infected files or malicious instructions.
The network traffic terms “north-south” and “east-west” can also be applied here. In the context of an attack, north-south traffic is where an outside entity drops something down into your environment, or an attacker already in the network uploads something to an externally managed cloud. After an initial north-south breach, attackers seek to move east-west to gain greater access and visibility. This is where lateral movement comes in – a secondary, more dangerous, and intimate exploitation.
So much attention is spent on “attack surface,” perimeter defense, and perimeter detection (though still not enough) that proper defense-in-depth techniques such as host hardening and inside-the-perimeter detection, i.e., lateral movement, lag behind other areas of focus. For this reason, many CISOs and SOC stakeholders are trying to implement ways to make sure things don’t spread on the inside. And no better illustration of this failure is in the recent SolarWinds hack, which we will touch on later in this article.
I recently had a chance to speak with a panel of people on the topic of lateral movement as it pertains to Windows and open source security environments. The presentation, “Detecting Lateral Movement in Windows With OSSEC,” was hosted by myself and Scott Shinn (Lead Maintainer of the OSSEC Project), and starred a virtual roomful of current or future Windows security administrators.
Lateral Movement in Microsoft Windows
After hearing so much about lateral movement, I decided to see for myself how these techniques worked and what sorts of artifacts they produce that could be used to improve or inform internal detection tools. Last month, I set up my own test lab system and traced some lateral movement attacks using OSSEC.
The Test: There are several legacy and “on-by-default” connection methods that Microsoft still supports, and these connections must be protected from being used as lateral vectors with which adversaries move around and get deeper for bigger opportunities.
A couple of widely reported Windows attack vectors I delved into were Remote Desktop Protocol, Windows Administrative shares, and Living-off-the-Land Binaries, or LOLBINs.
- Remote Desktop Protocol or RDP is a solution installed on desktops and servers that allows user stations to directly connect to, view, and interact with the remote desktop. It is primarily a Windows technology, but it can be installed on Apple, Linux, and other operating systems. Failure to adequately secure RDP can allow it to serve as a gateway for man-in-the-middle attacks, infection, or ransomware, resulting in service disruption. RDP ports that are misconfigured or left open often are the breach point, and these types of P2P2P attacks continue to rise.
- Administrative shares are hidden network shares created by every version of Windows since Windows NT (C$, IPC$, ADMIN$, etc.). These shares allow system administrators to have remote access to every disk volume on a network-connected system. The shares may not be permanently deleted but may be disabled. Administrative shares cannot be accessed by users without administrative privileges. After they have captured various credentials using password-harvesting attacks such as pass-the-hash and pass-the-ticket, attackers can potentially infiltrate your systems to move east-west and north-south with impunity and into the enterprise jewels to steal or destroy using malware…provided they are not detected.
- LOLBINs are Microsoft built-in tools that can be used against your network. They are generally used in administrative contexts or are used for troubleshooting or scripting. The most powerful of these is Powershell, but there are plenty of other, more constrained programs that can perform actions very useful to an attacker, such as:
* Msiexec.exe – download and install a remote file
* Net.exe – map shares and move files
* Regsvr32.exe – register payloads as legitimate dlls
* Schtasks.exe – create or modify scheduled tasks locally or remotely
The outcome: I tested these techniques and others without any installed security tools. I wanted to understand how they would work in a completely unprotected environment so that I would be able to know what artifacts (log entries, files, process activity) would result. And the scary thing is, there wasn’t much to see. Until I increased Windows logging capabilities.
Default Windows logging is very insufficient to the security needs of today. However, once I increased logging in areas such as Object Access and Directory Services, I started to see super important events such as:
4698: A scheduled task was created
5140: A network share object was accessed
4688: A new process has been created
Now we had some real artifacts. However, turning on more logging tends to generate more noise. No sane administrator has time to chase down all of these items. That’s where Atomic OSSEC comes in.
Because Atomic OSSEC analyzed not only the log event itself, but the content, context, and adjacency to other events, Atomic OSSEC gave me the ability to effectively monitor a more verbose Windows security logging environment to detect and deter malicious lateral movement.
For example, the event ID 4624 (An account was successfully logged on) on its own happens ALL THE TIME. However, when Atomic OSSEC sees 4624 with the “Logon Type: 3” and “Elevated Token: Yes” and “Logon Process: NTLM,” it then searches for nearby events. If it sees 4776 (The computer attempted to validate the credentials for an account) and 4672 (Special Privileges assigned to new logon), it is an indicator that someone is attempting to use an admin share. Atomic OSSEC will then flag and alert. This type of ML-based filtering saves time and effort in searching for real threats.
SolarWinds “SUNBURST” Lateral Movement Techniques
When the Solarwinds news broke, I was already deep into my testing. So I looked for discussions of attacker techniques that I might use to test whether Atomic OSSEC’s ML-based approach would have detected the attack, and I found this amazing article from Volexity. From this, I pulled three different attacks that were used during Sunburst to move laterally.
- Powershell Scriptlet to instantiate remote scheduled task
I modified the script from the slides as it did not have the correct context and would not run on its own:
$scheduler = New-Object -ComObject (“Schedule.Service”);$scheduler.Connect($env:COMPUTERNAME); $folder = $scheduler.GetFolder(“\Microsoft\Windows\SoftwareProtectionPlatform”); $task = $folder.GetTask(“EventCacheManager”);$definition = $task.Definition; $definition.Settings.ExecutionTimeLimit = “PT0S”; $folder.RegisterTaskDefinition($task.Name,$definition,6,”System”,$null,5); echo “Done”
When executed, this command triggered EventID 4702: A scheduled task was updated. As we discussed above, this was easily caught and flagged by Atomic OSSEC. Scheduled tasks are not created often in a Windows environment, especially on systems that are under strong configuration control. This was a surprising find – this should have been caught.
Powershell Remote Copy using ADMIN c$ shares
Lateral movement doesn’t just mean control, it also means data and tools. In this example, we seek to leverage stolen admin credentials from one system to another so we can later make a scheduled task for it. We will use admin shares to accomplish this task.
This command resulted in 5140: A network share object was accessed. Now this is probably a very common occurrence in Windows logs that have this Object Access class enabled. However, there is a very important piece of information that tells us that THIS occurrence is NOT common and should be investigated.
If we look at the “Share Name:” information, it tells us that this particular object used the C$ share. This should almost never happen. Thankfully an Atomic OSSEC rule that looks for this specific behavior would flag and alert you to what might be going on in your network.
Using CMD /C to create a scheduled task
This attack generated an interesting pattern of event logs (again, many of these are NOT visible by default!):
4624 Logon with Logon Type: 3 and Elevated Token: Yes
4627 Group Membership check
4673 Privileged service called (svchost.exe..not very helpful)
4698 Scheduled task created
4634 Logoff – a logon session was destroyed. (This was interesting.)
Not only do we have a scheduled task created, we have one surrounded by interesting events 4624 with our Elevated Token, and a 4634 that I am looking to explore further. Again, Atomic OSSEC picks up not only the event log entry, but the contents (the flags and fields) and the context (the related events).
Atomic OSSEC can stop this malicious lateral movement based on ML generated rules, but also enables you to analyze logs, leverage Global Threat Intelligence, and drill into data and patterns for more strategic security as part of DevSecOps, where security is not an afterthought in business computing.
Atomic OSSEC for Defense Against Lateral Movement
The security solution provides alerts on the following, letting you know and manage:
- What commands users are executing, and from where
- What (e.g., port) has been left open and where listeners are on the network.
- Where, which region, which port, which network.
- What’s being requested.
- If the log-in attempt is coming in a way that is not acceptable or suspicious.
- If multifactor authentication (MFA) is required for this access.
- Detection and blocking of new threat actors such as Sunburst Backdoor.
- When to raise alarms and activate responses against elevated tokens and event content changes that are a telltale sign of lateral movement. These alarms are based not only on EventID but the event content and the event context of one or more related events.
- When to configure alerts and alarms to initiate active response – we will deal with this in another blog post.
These are all clues to key in on and address, as you try to protect your disassembled workforce.
Atomic OSSEC can do this simply and easily. Instead of installing invasive endpoint agents, Atomic OSSEC’s lightweight agents simply leverage existing logging facilities. Increasing your Windows logging capabilities to give OSSEC greater visibility can be done without significant system load – the Windows log can be set to rotate out older events. OSSEC will capture the events as they come in, process them, and provide you a full audit trail.
Atomic OSSEC empowers you to be knowledgeable and agile enough to stop the hack in its tracks, through leading file integrity monitoring, vulnerability scanning, security automation and by providing the full picture, linking logs to events so you can go in and investigate more thoroughly.
Listen to a replay of the session, “Detecting Lateral Movement in Windows With OSSEC.”