lateralmovement   8

Lateral Movement Using WinRM and WMI
“winrm get config” or “winrm quickconfig.”
cscript winrm.vbs invoke create wmicimv2/win32_process ... The “-r” switch (1) signifies the WinRM Invoke statement is being executed on a remote host specified at the “HTTPS” address. This is significant because if we look at the host this command was executed from, we won’t find evidence of what happened after this command. To get visibility from here, we’d need to jump over to the remote host and observe what happened. The “-a” (2) and “-c” (3) switches signify the attacker authenticated to the remote host using a certificate identified by the specified thumbprint.

Notepad spawned as a child process of “wmiprvse.exe,” a binary whose function allows WMI to interface with the rest of the Windows operating system. Our WinRM command simply submitted an operation to WMI, and WMI used its own interfaces to execute that operation and spawn a process.

we’ve observed lateral movement used with vssadmin during ransomware attacks.

need to monitor processes spawning from “wmiprvse.exe” and suspicious network connections to “svchost.
monitoring WMI... gets noisy, and you’ll need to establish a baseline of what looks normal in your environment

establishing a jumpbox that is only used for remote administration functions.
client computers in the organization should not trust one another, and they should only trust the jumpbox system
winrm set winrm/config/client '@{TrustedHosts="JumpBox1,JumpBox2"}'
lateralmovement  redcanary  threathunting  winrm  wmi  certificates  jumpbox  segmentation 
8 weeks ago by bwiese
JPCERT Studies/Research
Detecting Lateral Movement through Tracking Event Logs
jpcert  cybersecurity  lateralmovement 
february 2018 by bwiese
What Event Logs Part 2 Lateral Movement without Event Logs - YouTube
use Bro smb logs? other network traffic for "lateral movement" detection???
lateralmovement  eventlogs  cybersecurity  video  towatch 
february 2018 by bwiese
Lateral Movement - lateral-movement-phreaknik-2016
LATERAL MOVEMENT - How attackers quietly transverse your Networks - PhreakNIC20
security  pdf  slides  exploitation  lateralmovement  powershell  PhreakNIC20 
december 2016 by soviet

related tags

analytics  cert  certificates  cybersecurity  domain  eventlogs  events  exploitation  fitness  hacking  jpcert  jumpbox  pdf  phreaknic20  powershell  redcanary  redteaming  security  segmentation  sigma  slides  threathunting  towatch  training  video  windows  winrm  wmi 

Copy this bookmark: