Friday, 28 August 2020

New Trick to Detect Lateral Movement via Network File Shares

Windows file shares are an important avenue for an attacker, both to move laterally and to discover, collect and stage interesting data. As defenders, it's important to understand this technique and to be aware of multiple options for detecting the related behaviors.

From a telemetry perspective, there are already some well-known artifacts, which we also discussed previously, such as:

A) Windows Security Events 5140 (limited to share name, requested access, source IP and account name) or 5145 (similar to 5140 but also includes the file path). Both events are good to have. They tend to be noisy on servers, but not that noisy on endpoints or non-file servers, so they are worth turning on there.

B) Network connection telemetry over port 445 which is limited to source and target of the connection (unless Packet Inspection is an option and SMB Signing is disabled).

In this post we will share a new, simple yet interesting trick that you can enable and use to hunt for file transfers via network file shares using only process file creation telemetry, such as Sysmon Event ID 11 (file creation):

When a user copies a file from machine-A to machine-B, this activity is mostly handled by the SMB drivers, which reside in the kernel, and thus their activity (both network and file creation) appears in user mode as coming from the "System" virtual process (always with a PID equal to 0x4):

As expected, the above action of copying cmd.exe from one machine to another will leave the following key traces on the target machine:

As can be seen above, System is the process that will create the file on the target machine and perform the network connection (SMB traffic).

Another interesting example that confirms this behavior is remote service execution, for example via PsExec:

As can be seen in the figure above, the System virtual process creates the copied service file, then this same file is executed (via Service Control). This can easily be translated into a generic hunting query (it also applies to other types of remote execution that leverage file shares) using, for example, Elastic's EQL language, which supports sequence-based search:
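The same create-then-execute sequence, written in Python over constructed Sysmon-style events. This is an added example, not the author's EQL query; the dictionary layout, host names, paths and the one-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

SYSTEM_PID = 4  # "System" virtual process; kernel SMB file writes show up under it

def hunt_smb_drop_then_exec(events, maxspan=timedelta(minutes=1)):
    """Find files created by System (Sysmon Event ID 11) that are then started
    as a process (Event ID 1) on the same host within maxspan."""
    created = {}  # (host, lower-cased path) -> time System created the file
    hits = []
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        if e["EventID"] == 11 and e["ProcessId"] == SYSTEM_PID and e["Image"] == "System":
            created[(e["Computer"], e["TargetFilename"].lower())] = e["UtcTime"]
        elif e["EventID"] == 1:
            # Windows paths are case-insensitive, so compare lower-cased.
            t0 = created.get((e["Computer"], e["Image"].lower()))
            if t0 is not None and e["UtcTime"] - t0 <= maxspan:
                hits.append((e["Computer"], e["Image"], t0, e["UtcTime"]))
    return hits

def ev(host, event_id, when, pid, image, target=None):
    """Build one constructed event; keys mirror Sysmon field names (assumed layout)."""
    return {"Computer": host, "EventID": event_id, "ProcessId": pid, "Image": image,
            "UtcTime": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
            "TargetFilename": target}

# Constructed sample data, not taken from the post's screenshots.
SAMPLE_EVENTS = [
    # File lands via SMB (System, PID 4), then runs two seconds later: hit.
    ev("HOST-B", 11, "2020-08-28 10:00:00", 4, "System", r"C:\Windows\PSEXESVC.exe"),
    ev("HOST-B", 1, "2020-08-28 10:00:02", 5120, r"C:\WINDOWS\PSEXESVC.exe"),
    # Same path started on another host with no System file creation: no hit.
    ev("HOST-D", 1, "2020-08-28 10:00:03", 6200, r"C:\Windows\PSEXESVC.exe"),
    # File written locally by a browser, then run: not created by System, no hit.
    ev("HOST-B", 11, "2020-08-28 10:05:00", 3344,
       r"C:\Program Files\Browser\browser.exe", r"C:\Users\bob\Downloads\setup.exe"),
    ev("HOST-B", 1, "2020-08-28 10:05:10", 7001, r"C:\Users\bob\Downloads\setup.exe"),
    # Copied via SMB but run 90 minutes later: outside the default 1-minute span.
    ev("HOST-C", 11, "2020-08-28 11:00:00", 4, "System", r"C:\Temp\tool.exe"),
    ev("HOST-C", 1, "2020-08-28 12:30:00", 8100, r"C:\Temp\tool.exe"),
]

if __name__ == "__main__":
    for host, path, t0, t1 in hunt_smb_drop_then_exec(SAMPLE_EVENTS):
        print(f"{host}: {path} created by System at {t0}, executed at {t1}")
```

Widening `maxspan` also catches files that are staged and run later, at the cost of more benign matches such as software deployed over shares.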

Takeaways:

If you are using tools such as Sysmon to monitor file creation, enable logging for the System process:

 

References:

https://github.com/sbousseaden/Slides/blob/master/Hunting%20MindMaps/PNG/5145.TH.mmap.png

https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Lateral Movement/