DOCSLIB.ORG

Lateral Movement Detection Using ELK Stack

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Lateral Movement Detection Using ELK Stack Lateral movement detection using ELK stack A Thesis Presented to the Faculty of the Department of Information and Logistics Technology University of Houston In Partial Fulfillment Of the Requirements for the Degree Master of Science Information System Security By Utkarsh Jain May 2018 Lateral movement detection using ELK stack ________________________________ Utkarsh Jain APPROVED: ________________________________ Wm. Arthur Conklin, PhD Committee Chair Associate Professor Information and Logistics Technology ________________________________ Chris Bronk, PhD Assistant Professor Information and Logistics Technology ________________________________ Denise M Kinsey, PhD Assistant Professor Information and Logistics Technology ________________________________ ________________________________ George Zouridakis, PhD Dan Cassler Associate Dean of Research and Graduate Studies Interim Chair, Department of College of Technology Information and Logistics Technology Abstract In recent time, it is becoming increasingly difficult to prevent initial infiltration of a network, making it important to always consider and improve detection of an ongoing incident. Any attacker spends most energy, time and is additionally the most defenseless against detection when the attacker is trying to move laterally from system to system to escalate privileges. This research takes into consideration, majority of tools and techniques used by adversaries to move in a windows-based network laterally. It showcases the execution of these tools and suggests how usage of such tools can be detected using logging. Hence, this research is an attempt at creating a solution which helps in detection of lateral movement happening inside a windows-based network by collecting logs and analyzing them using ELK stack as the logging tool. Table of Contents Contents INTRODUCTION ............................................................................................................................ 1 LATERAL MOVEMENT .................................................................................................................. 3 DIFFERENT TECHNIQUES USED FOR LATERAL MOVEMENT .......................................................... 5 Using Psexec ........................................................................................................................... 5 Exploitation of Remote Services ............................................................................................. 6 Remote desktop protocol ......................................................................................................... 6 Remote registry ....................................................................................................................... 7 Windows Admin Shares........................................................................................................... 7 Windows Remote Management ............................................................................................... 8 PowerShell .............................................................................................................................. 8 Port-scans ............................................................................................................................... 9 WMI......................................................................................................................................... 9 Scheduled tasks ..................................................................................................................... 10 Token stealing ....................................................................................................................... 10 Pass the hash......................................................................................................................... 11 Pass the Ticket ...................................................................................................................... 11 Active directory ..................................................................................................................... 12 Stolen credentials .................................................................................................................. 12 Breached host analysis ......................................................................................................... 13 Network sniffing .................................................................................................................... 13 ARP spoofing ........................................................................................................................ 13 Email pillaging...................................................................................................................... 14 Application Deployment Software ........................................................................................ 14 Distributed Component Object Model .................................................................................. 15 Logon Scripts ........................................................................................................................ 15 Replication Through Removable Media ............................................................................... 16 SSH Hijacking ....................................................................................................................... 16 Taint Shared Content ............................................................................................................ 17 Third-party Software ............................................................................................................. 18 ELK STACK ................................................................................................................................ 19 Technical specification of ELK stack .................................................................................... 23 Data sources supported ..................................................................................................... 23 Data storage capabilities ................................................................................................... 23 Processing capabilities of ELK ......................................................................................... 26 Event management and Visualization capabilities ........................................................... 29 Exposed APIs (Application Programming Interface) ....................................................... 31 Resilience .......................................................................................................................... 32 Implementation and configuring ELK stack ......................................................................... 34 Deployment of ELK .......................................................................................................... 35 Creating New Connectors ................................................................................................. 40 PowerShell Logging .............................................................................................................. 42 Setup of PowerShell Logging in ELK stack ..................................................................... 43 Requirements ................................................................................................................ 43 Installation of Windows Management Framework (WMF) ......................................... 43 Setting up Enhanced PowerShell Logging ................................................................... 45 Ship PowerShell logs to ELK ....................................................................................... 47 Understanding PowerShell logs on ELK .......................................................................... 48 DETECTING LATERAL MOVEMENT ............................................................................................. 49 Test case 1: Using Psexec ..................................................................................................... 50 Test Case 2: PowerShell (Remote Command Execution) ..................................................... 53 Test Case 3: WinRM ............................................................................................................. 55 Test Case 4: WinRS ............................................................................................................... 57 Test Case 5: WMIC (Windows Management Instrumentation Command Line) ................... 60 Test Case 6: wmiexec.vbs ..................................................................................................... 62 Test Case 7: PWDumpX........................................................................................................ 64 Test Case 8: Quarks PwDump .............................................................................................. 66 Test Case 9: WCE ................................................................................................................. 67 Test Case 10: WCE ............................................................................................................... 69 Test Case 11: Golden Ticket (mimikatz) ............................................................................... 71 Test Case 12: Silver Ticket (mimikatz) ................................................................................. 73 Test Case 13: AT Command ................................................................................................
Load more

Recommended publications
  • Interaction Between Web Browsers and Script Engines
    IT 12 058 Examensarbete 45 hp November 2012 Interaction between web browsers and script engines Xiaoyu Zhuang Institutionen för informationsteknologi Department of Information Technology Abstract Interaction between web browser and the script engine Xiaoyu Zhuang Teknisk- naturvetenskaplig fakultet UTH-enheten Web browser plays an important part of internet experience and JavaScript is the most popular programming language as a client side script to build an active and Besöksadress: advance end user experience. The script engine which executes JavaScript needs to Ångströmlaboratoriet Lägerhyddsvägen 1 interact with web browser to get access to its DOM elements and other host objects. Hus 4, Plan 0 Browser from host side needs to initialize the script engine and dispatch script source code to the engine side. Postadress: This thesis studies the interaction between the script engine and its host browser. Box 536 751 21 Uppsala The shell where the engine address to make calls towards outside is called hosting layer. This report mainly discussed what operations could appear in this layer and Telefon: designed testing cases to validate if the browser is robust and reliable regarding 018 – 471 30 03 hosting operations. Telefax: 018 – 471 30 00 Hemsida: http://www.teknat.uu.se/student Handledare: Elena Boris Ämnesgranskare: Justin Pearson Examinator: Lisa Kaati IT 12 058 Tryckt av: Reprocentralen ITC Contents 1. Introduction................................................................................................................................
    [Show full text]
  • Using the Component Object Model Interface
    MQSeries for Windows NT V5R1 IBM Using the Component Object Model Interface SC34-5387-01 MQSeries for Windows NT V5R1 IBM Using the Component Object Model Interface SC34-5387-01 Note! Before using this information and the product it supports, be sure to read the general information under Appendix B, “Notices” on page 151. Second edition (April 1999) This edition applies to MQSeries for Windows NT V5.1 and to any subsequent releases and modifications until otherwise indicated in new editions. Copyright International Business Machines Corporation 1997,1999. All rights reserved. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents Contents About this book ..................................... v Who this book is for ................................... v MQSeries publications . vi MQSeries cross-platform publications ....................... vi MQSeries platform-specific publications ...................... ix MQSeries Level 1 product publications ....................... x Softcopy books . x MQSeries information available on the Internet .................. xii Where to find more information about ActiveX ................... xii Summary of changes ................................. xiii Changes for this edition ................................ xiii Chapter 1. Introduction . 1 MQSeries Automation Classes for ActiveX overview ................ 1 Chapter 2. Designing and programming using MQSeries Automation Classes for ActiveX .................................. 3 Designing
    [Show full text]
  • Security Policy Page 1 of 20
    Security Policy Page 1 of 20 Security Policy This security policy contains data to configure services and network security based on the server’s role, as well as data to configure registry and auditing settings. Server: VENGWIN207 Services Service Name Startup Mode Description Issues, manages, and removes X.509 certificates for such applications such as Active Directory Certificate S/MIME and SSL. If the service is stopped, Disabled Services certificates will not be issued. If this service is disabled, any services that explicitly depend on it will fail to start. AD DS Domain Controller service. If this service is stopped, users will be unable to log Active Directory Domain Services Disabled on to the network. If this service is disabled, any services that explicitly depend on it will fail to start. AD FS Web Agent Authentication The AD FS Web Agent Authentication Service Disabled Service validates incoming tokens and cookies. Adobe Acrobat Updater keeps your Adobe Adobe Acrobat Update Service Automatic software up to date. Sends logging messages to the logging database when logging is enabled for the Active Directory Rights Management Services role. If this service is disabled or stopped AdRmsLoggingService Disabled when logging is enabled, logging messages will be stored in local message queues and sent to the logging database when the service is started. Processes application compatibility cache Application Experience Disabled requests for applications as they are launched Provides administrative services for IIS, for example configuration history and Application Pool account mapping. If this Application Host Helper Service Disabled service is stopped, configuration history and locking down files or directories with Application Pool specific Access Control Entries will not work.
    [Show full text]
  • The Component Object Model Specification Version 0.9 October 24, 1995
    http://scottge.wordpress.com The Component Object Model Specification Version 0.9 October 24, 1995 This document contains the specification to the Component Object Model (COM), an architecture and supporting infrastructure for building, using, and evolving component software in a robust manner. This specification contains the standard APIs supported by the COM Library, the standard suites of interfaces supported or used by software written in a COM environment, along with the network protocols used by COM in support of distributed computing. This specification is still in draft form, and thus subject to change. Note: This document is an early release of the final specification. It is meant to specify and accompany software that is still in development. Some of the information in this documentation may be inaccurate or may not be an accurate representation of the functionality of the final specification or software. Microsoft assumes no responsibility for any damages that might occur either directly or indirectly from these inaccuracies. Microsoft may have trademarks, copyrights, patents or pending patent applications, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you a license to these trademarks, copyrights, patents, or other intellectual property rights. Copyright ? 1992-95 Microsoft Corporation. All Rights Reserved The Component Object Model Specification The Component Object Model The Component Object Model Specification Draft Version 0.9, October 24, 1995 Microsoft Corporation and Digital Equipment Corporation Copyright ? 1992-95 Microsoft Corporation. Microsoft does not make any representation or warranty regarding the Specification or any product or item developed based on the Specification.
    [Show full text]
  • Programming with Windows Forms
    A P P E N D I X A ■ ■ ■ Programming with Windows Forms Since the release of the .NET platform (circa 2001), the base class libraries have included a particular API named Windows Forms, represented primarily by the System.Windows.Forms.dll assembly. The Windows Forms toolkit provides the types necessary to build desktop graphical user interfaces (GUIs), create custom controls, manage resources (e.g., string tables and icons), and perform other desktop- centric programming tasks. In addition, a separate API named GDI+ (represented by the System.Drawing.dll assembly) provides additional types that allow programmers to generate 2D graphics, interact with networked printers, and manipulate image data. The Windows Forms (and GDI+) APIs remain alive and well within the .NET 4.0 platform, and they will exist within the base class library for quite some time (arguably forever). However, Microsoft has shipped a brand new GUI toolkit called Windows Presentation Foundation (WPF) since the release of .NET 3.0. As you saw in Chapters 27-31, WPF provides a massive amount of horsepower that you can use to build bleeding-edge user interfaces, and it has become the preferred desktop API for today’s .NET graphical user interfaces. The point of this appendix, however, is to provide a tour of the traditional Windows Forms API. One reason it is helpful to understand the original programming model: you can find many existing Windows Forms applications out there that will need to be maintained for some time to come. Also, many desktop GUIs simply might not require the horsepower offered by WPF.
    [Show full text]
  • Improving the Aircraft Design Process Using Web-Based Modeling and Simulation
    Reed. J.;I.. Fdiet7, G. .j. unci AJjeh. ‘-1. ,-I Improving the Aircraft Design Process Using Web-based Modeling and Simulation John A. Reed?, Gregory J. Follenz, and Abdollah A. Afjeht tThe University of Toledo 2801 West Bancroft Street Toledo, Ohio 43606 :NASA John H. Glenn Research Center 2 1000 Brookpark Road Cleveland, Ohio 44135 Keywords: Web-based simulation, aircraft design, distributed simulation, JavaTM,object-oriented ~~ ~ ~ ~~ Supported by the High Performance Computing and Communication Project (HPCCP) at the NASA Glenn Research Center. Page 1 of35 Abstract Designing and developing new aircraft systems is time-consuming and expensive. Computational simulation is a promising means for reducing design cycle times, but requires a flexible software environment capable of integrating advanced multidisciplinary and muitifidelity analysis methods, dynamically managing data across heterogeneous computing platforms, and distributing computationally complex tasks. Web-based simulation, with its emphasis on collaborative composition of simulation models, distributed heterogeneous execution, and dynamic multimedia documentation, has the potential to meet these requirements. This paper outlines the current aircraft design process, highlighting its problems and complexities, and presents our vision of an aircraft design process using Web-based modeling and simulation. Page 2 of 35 1 Introduction Intensive competition in the commercial aviation industry is placing increasing pressure on aircraft manufacturers to reduce the time, cost and risk of product development. To compete effectively in today’s global marketplace, innovative approaches to reducing aircraft design-cycle times are needed. Computational simulation, such as computational fluid dynamics (CFD) and finite element analysis (FEA), has the potential to compress design-cycle times due to the flexibility it provides for rapid and relatively inexpensive evaluation of alternative designs and because it can be used to integrate multidisciplinary analysis earlier in the design process [ 171.
    [Show full text]
  • Directx 11 Extended to the Implementation of Compute Shader
    DirectX 1 DirectX About the Tutorial Microsoft DirectX is considered as a collection of application programming interfaces (APIs) for managing tasks related to multimedia, especially with respect to game programming and video which are designed on Microsoft platforms. Direct3D which is a renowned product of DirectX is also used by other software applications for visualization and graphics tasks such as CAD/CAM engineering. Audience This tutorial has been prepared for developers and programmers in multimedia industry who are interested to pursue their career in DirectX. Prerequisites Before proceeding with this tutorial, it is expected that reader should have knowledge of multimedia, graphics and game programming basics. This includes mathematical foundations as well. Copyright & Disclaimer Copyright 2019 by Tutorials Point (I) Pvt. Ltd. All the content and graphics published in this e-book are the property of Tutorials Point (I) Pvt. Ltd. The user of this e-book is prohibited to reuse, retain, copy, distribute or republish any contents or a part of contents of this e-book in any manner without written consent of the publisher. We strive to update the contents of our website and tutorials as timely and as precisely as possible, however, the contents may contain inaccuracies or errors. Tutorials Point (I) Pvt. Ltd. provides no guarantee regarding the accuracy, timeliness or completeness of our website or its contents including this tutorial. If you discover any errors on our website or in this tutorial, please notify us at [email protected]
    [Show full text]
  • Performance Evaluation of Windows Communication Foundation's
    Master Thesis Software Engineering Thesis no: MSE-2010:09 April 2010 Performance Evaluation of Windows Communication Foundation’s Interoperability Muhammad Hamayun Nadeem Ahmed School of Computing Blekinge Institute of Technology Box 520 SE – 372 25 Ronneby Sweden This thesis is submitted to the School of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Software Engineering. The thesis is equivalent to 2x20 weeks of full time studies. Contact Information: Author(s): Muhammad Hamayun Address: Älgbacken 8, Läg 185, 372 34 Ronneby, Sweden E-mail: [email protected] Nadeem Ahmed Address: Älgbacken 8, Läg 185, 372 34 Ronneby, Sweden E-mail: [email protected] University advisor(s): Professor Dr. Håkan Grahn School of Computing, Blekinge Institute of Technology, Sweden Examiner: Dr. Tony Gorschek School of Computing, Blekinge Institute of Technology, Sweden School of Computing Internet : www.bth.se Blekinge Institute of Technology Phone : +46 457 38 50 00 Box 520 Fax : +46 457 271 25 SE – 372 25 Ronneby Sweden ii ACKNOWLEDGEMENT We are very grateful to our supervisor Dr. Håkan Grahn for his invaluable time, motivation, feedback, and support throughout in our thesis work. We are also very thankful to Charlie Svahnberg to allow us in Testlab for the experiments. We are very thankful to our families for their love, care, motivation and support, right from the beginning until the end of our thesis work. At last but not the least, we are thankful to our friends and colleagues for their fruitful encouragement and motivation. ABSTRACT Middleware eases the development of distributed applications.
    [Show full text]
  • Choosing the Right Media Paths to Facilitate Hardware Acceleration
    White Paper Fan, Fred Choosing the Right Graphics Platform Application Engineer Media Paths to Intel Corporation Tan, Hui Li Facilitate Graphics Platform Application Engineer Hardware Intel Corporation Acceleration Media Solution for Retail Independent Software Vendors (ISVs) September, 2013 329650-001US Choosing the Right Media Paths to Facilitate Hardware Acceleration Executive Summary This paper provides detailed guidance for choosing the right media- development Application Programming Interfaces (APIs) for different retail usage models and devices on Windows* 7 and Windows* 8 operating systems (OSs). When Independent Software Vendors (ISVs) make decisions on which approach to take for their own media applications, there are five key factors that may influence their decisions: hardware investment, software resource investment, performance, flexibility, and software implementation speed. This paper provides detailed guidance for choosing the right media development APIs for different retail segments, from Entry to Mainstream and High-end. This paper does not include implementation details, but does provide related media references, such as Intel® Media SDK and other media development APIs, to help ISVs develop their media content as the next step. The Intel® Embedded Design Center provides qualified developers with web-based access to technical resources. Access Intel Confidential design materials, step-by-step guidance, application reference solutions, training, Intel’s tool loaner program, and connect with an e-help desk and the
    [Show full text]
  • Getting to Know Arcobjects
    Getting to Know ArcObjects Rob Burke ESRI-Redlands Educational Services Developer Summit 2007 1 • Started as an intern 1990 Tenth User Conference, PS • Teach ESRI classes – Desktop, Geodatabase, ArcObjects, raster, Server • Write training materials • Write books • Review books Developer Summit 2007 2 Surveys • Please fill out a survey Developer Summit 2007 3 Intended audience • Anyone wanting to learn about ArcObjects • ArcObjects basics • For programmers and nonnon--programmersprogrammers • Maybe you know – Some ArcGIS – Some programming • Not language specific Developer Summit 2007 4 Lecture Path Interfaces Diagrams What are & COM Implement ArcObjects Under ESRI The ItInter faces Hood Extend the Applications CASE Tech tools Talk Area Wrap-up Engine Extend the Questions Server Geodatabase Developer Summit 2007 5 Parts store for GIS • Building blocks for ArcGIS software products and yours • The most basic GIS parts are programmable objects Map PitPoint Layer Polygon Developer Summit 2007 6 Parts store for GIS • ArcMap and ArcCatalog are built with ArcObjects • Their most basic parts are programmable GIS objects • UdUsers and programmers interact w ihhbjith the same objects • Everyone uses the same parts, ESRI developers and you Map Point Layer Polygon Developer Summit 2007 7 Pieces to create GIS applications or embed • Technically they are called classes (or components) – Over 3,400 ArcObjects classes – Over 21, 000 properties and methods – Grouped into over 70 logical libraries – (not including ArcGIS Server) • Each class corresponds
    [Show full text]
  • Pro WCF 4: Practical Microsoft SOA Implementation, Second Edition Copyright © 2011 by Nishith Pathak All Rights Reserved
    CYAN YELLOW MAGENTA BLACK PANTONE 123 C BOOKS FOR PROFESSIONALS BY PROFESSIONALS® THE EXPERT’S VOICE® IN .NET Companion eBook Available Pro WCF 4 Pro WCF 4: Practical Microsoft SOA Implementation is a complete guide to Windows Communication Foundation from the SOA perspective, demonstrat- Pro ing why WCF 4 is critical to service-oriented architecture and development. WCF 4 Gain deep insight into the functionality of WCF 4 and the improvements from the .NET 4.0 Framework – learn about service discovery, the routing ser- vice, a new simplified configuration paradigm, and other advanced features. Deepen your mastery of WCF 4 through informative examples that will aid you Nishith Pathak, Author of in understanding and implementing these important additions. Pro WCF: Practical Microsoft Inside, you’ll find coverage of the unified programming model, reliable mes- SOA Implementation saging, security, and the peer-to-peer programming model. You'll also learn Pro how to move your current .NET remoting and web service applications to WCF and how to integrate those applications with WCF 4. This book offers genuine insight into solving real enterprise problems using WCF and .NET 4.0. In Pro WCF 4, learn more about: • New features of WCF with .NET 4.0 • A comprehensive WCF programming model • How queue management and reliable messaging work in WCF • Implementing transaction support in WCF • Making WCF services interoperable with other SOA offerings • Best practices in using WCF effectively • Developing WCF applications with Visual Studio 2010 WCF 4 The release of .NET 4.0 brought a wide range of new functionality to WCF.
    [Show full text]
  • Understanding the Most Common Lateral Movement Attack Tactics
    WHITEPAPER UNDERSTANDING THE MOST COMMON LATERAL MOVEMENT ATTACK TACTICS Protecting against today’s most dangerous lateral movement tactics is increasingly critical, especially with Active Directory (AD) as vulnerable as it is. Attackers use a wide range of strategies to move about undetected, developing their plan of attack within the network. For defenders, having a clear understanding of what to look for is the first step toward more effective AD network protection. Fortunately, frameworks like MITRE ATT&CK and MITRE Shield have provided valuable insight into many of these tactics. THE ATTACK CYCLE FIGURE 1: REPRESENTATION OF A TYPICAL ATTACK CYCLE COMMON AND DAMAGING LATERAL MOVEMENT TACTICS WMI MITRE defines Windows Management Instrumentation (WMI) as “a Windows administration feature that provides a uniform environment for local and remote access to Windows system components.” MITRE notes that “it relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS)] for remote access.” An attacker looking to interact with both local and remote systems can use WMI to perform functions that include information gathering and remote file execution. REMOTE SERVICE CREATION Attackers can execute a binary, command, or script via a method that interacts with Windows services (such as the Service Control Manager) to create a new service to execute code remotely and move laterally across the environment or maintain persistence using the Windows sc.exe utility. Attackers first copy the file to the remote system, then create and start the service using Remote Procedural Calls (RPC), Windows Management Instrumentation (WMI), or PsExec.
    [Show full text]