Security operations · 7 MIN READ · BRANDON OVERSTREET · DEC 19, 2024 · TAGS: SOC
TL;DR
- This blog is a guide for reviewing event logs and actions to investigate the most common lateral movement tactics used by attackers across your Windows domain
- The techniques outlined in this blog are based on real-world scenarios and observations, and are designed to help you identify and mitigate lateral movement
- These event logs are specific to Windows environments and summarize what to look for when investigating suspected lateral movement events
When an attacker gains access to an environment, they typically don’t stop there. They’ll use privileges or credentials to pivot from system to system using tools, system features, and network protocols to accomplish their malicious objectives. This is what we commonly refer to as lateral movement.
So how do you investigate lateral movement, specifically in a Windows environment? One of the most authoritative sources of information is the Windows event logs: XML-structured records of events on a Windows system that offer a wealth of information for investigating, tracking, and remediating attacker activity. They can be used both to prove and to disprove whether a lateral movement is malicious, so it’s important to know how to analyze them properly.
To start, there are several investigative questions you can ask when navigating event logs, such as:
- Where did the attackers authenticate from, and what credentials did they use?
- What network protocol or tooling did the attacker use to access the computer system remotely?
- What actions were performed by the attacker on the computer system?
- How often are these credentials used across computer systems in the environment? Where else are they used?
We’ll dive into the specifics of what logs and information to look for in Windows event logs, and what tooling and techniques may map to those event logs to help you learn to answer those questions.
Where are Windows event logs stored?
Windows event logs can be found in the directory %SYSTEMROOT%\System32\Winevt\Logs on a Windows computer. Note that %SYSTEMROOT% is an environment variable that resolves to the Windows installation directory on the main hard drive (usually C:\Windows), and it can vary between systems.
Within this directory, you’ll find dozens of log files, but for this blog, we’ll mainly be focusing on two log files: Security.evtx and System.evtx. Here’s a quick summary of the two:
- Security.evtx logs track security-related events like logon information, token and privileged activity, access to sensitive files, security configurations, and other access and security actions.
- System.evtx logs track the operation and performance of the computer system.
Some security operations centers also forward Windows event logs to a security information and event management (SIEM) system, which can make acquisition and timeline analysis easier.
Once you locate these logs and identify your starting point, you can start to dig into the techniques attackers use for lateral movement you’ll want to identify during an investigation.
Parsing Windows event logs
You can review event logs using the default Windows Event Viewer; however, Expel’s SOC uses some open source tooling to help with timeline analysis. Two tools that we’ve had success with are Plaso and Chainsaw.
Here are the log sources we’d start with to gather lateral movement information, based on common techniques used by attackers. Be aware that these sources aren’t sequential. An attacker may only use one or several, so be sure to check each source thoroughly during every lateral movement investigation.
PowerShell remoting
When PowerShell remoting is enabled, attackers can use it for remote command execution and control of the target host, which is a common lateral movement technique.
In the Security.evtx log, look for the following event IDs to confirm the source of the PowerShell remoting (and the credentials used):
- 4624 – Logon type 3
- 4672 – Elevated or admin rights granted at logon
- 4688 – New process creation
Additionally, the Microsoft-Windows-Powershell%4Operational.evtx logs can show additional details associated with PowerShell remoting:
- 4103 – Module logging (log shows pipeline execution details of PowerShell)
- 4104 – Script block logging (log captures the contents of the script, but not the output)
- 53504 – PowerShell named pipe IPC (log records authenticating account)
The Windows PowerShell.evtx log, found in the same Winevt\Logs folder as the Security log, can highlight additional PowerShell remoting activity, including:
- 400/403 – Start and end of remote session
- 800 – Pipeline execution information of commands executed by PowerShell (log also includes partial script code)
Windows Remote Management (WinRM) connection logs can also provide evidence of PowerShell remoting usage for lateral movement. This log is located at Microsoft-Windows-WinRM%4Operational and you’ll want to look for:
- 91 – Session creation (log records account used to authenticate the connection)
- 168 – Log records authenticating account
PsExec
PsExec is a utility developed by Sysinternals that’s used for remote command execution. When executed against a target machine, PsExec installs itself as a service: its service binary, psexesvc.exe, is written to the C:\Windows folder and executed. Child processes of psexesvc.exe will contain the remote command execution.
We’ve seen attackers historically use PsExec to perform remote reconnaissance, remote discovery commands, and remotely execute binaries.
Some helpful logs to look for around the timeframe of psexesvc.exe execution on the target machine would be:
- 4624 – Logon type 3
- This contains the source of authentication and credentials used to connect to the target computer. The type 3 logon helps narrow down authentications to those that occurred over the network and are non-interactive. Non-interactive authentications are key here, as they indicate a user or process accessed a shared resource over the network without actively logging into the system—otherwise known as lateral movement.
- 4648 – Account logon attempted using explicit credentials
- This event is logged when a process logs on using explicit credentials, rather than the current user’s credentials. One of the most common scenarios involves attackers executing processes with elevated privileges.
- 4672 – Elevated or admin rights granted at logon
- 5140 – Network share object accessed (not enabled by default)
- This event log provides insights into the account, source IP address, and the share accessed. The log is helpful for monitoring and auditing access to network shares.
- 4688 – Process execution events
- You can track child processes of psexesvc.exe by using the process ID (PID), and also look for anomalous process execution events by the suspected user.
Additionally, you can use the System.evtx file to check for the service installation event for PsExec.
- 7045 – Service installed
- This log indicates that a remote service was created. Checking for psexesvc.exe or the randomly generated eight-character Impacket alternative can be the ticket to identifying PsExec lateral movement.
Note that this same methodology can be applied to the weaponized Impacket PsExec utility with differences to the service’s binary name.
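The correlation described above, as an added example that is not part of the original post: it reads exported System.evtx and Security.evtx files (the C:\evidence paths are assumptions), flags 7045 service installs named PSEXESVC or with an eight-letter name, and lists the type 3 logons that preceded each one.

```powershell
# Added example (not from the original post). Evidence paths are assumptions;
# point them at exported copies of the target host's System.evtx and Security.evtx.
$SystemLog   = 'C:\evidence\System.evtx'
$SecurityLog = 'C:\evidence\Security.evtx'

# Flatten an event's <EventData><Data Name="..."> elements into a name -> value hashtable.
function Get-EventDataMap($Event) {
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Find-PsExecServiceInstall {
    # 7045 = service installed. PSEXESVC is the Sysinternals default name; the Impacket
    # port uses a random eight-letter name, so those are flagged for manual triage too.
    Get-WinEvent -FilterHashtable @{ Path = $SystemLog; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d['ServiceName'] -match '^(PSEXESVC|[A-Za-z]{8})$') {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    ServiceName = $d['ServiceName']
                    ImagePath   = $d['ImagePath']
                }
            }
        }
}

function Get-PrecedingNetworkLogons {
    param([datetime]$Before, [int]$WindowMinutes = 2)
    # 4624 with LogonType 3 in the minutes before the install: who connected, and from where.
    $filter = @{ Path = $SecurityLog; Id = 4624; StartTime = $Before.AddMinutes(-$WindowMinutes); EndTime = $Before }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d['LogonType'] -eq '3') {
                "$($d['TargetDomainName'])\$($d['TargetUserName']) from $($d['IpAddress']) at $($_.TimeCreated.ToString('HH:mm:ss'))"
            }
        }
}
# One row per suspicious service install, with the network logons that immediately preceded it.
foreach ($svc in Find-PsExecServiceInstall) {
    [pscustomobject]@{
        InstallTime   = $svc.Time
        ServiceName   = $svc.ServiceName
        ImagePath     = $svc.ImagePath
        NetworkLogons = @(Get-PrecedingNetworkLogons -Before $svc.Time) -join '; '
    }
}
```

Legitimate services with eight-letter names will also match the regex, so treat a hit as a triage lead and confirm it with the 4688 child processes of the service binary.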
Remote desktop protocol (RDP)
Remote desktop protocol (RDP) is a Microsoft protocol that uses encrypted communication channels between two computers, allowing for remote interactive access. It’s often used by IT teams and users to spin up an interactive (or GUI) session on a machine as needed. It’s also easily leveraged by attackers who hold valid credentials.
To investigate and confirm RDP lateral movement, you can anchor on these event IDs in Security.evtx:
- 4624 – Logon type 10
- Tip: Filter by type 10s and known credentials to ensure you’re zeroing in on remote interactive sessions that are part of the investigation.
- 4778 – Reconnected terminal session
- 4779 – Terminal session disconnection
There are also other RDP-specific event logs you can review to confirm the RDP session details:
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational:
- 131 – Connection attempts highlighting the source IP address
- 98 – Successful RDP connection
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational:
- 1149 – Successful RDP logon attempt
- Note that this indicates the RDP network connection succeeded, not that the user logon itself succeeded. This can help identify brute-force or network scanning events.
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational:
- 21 – Session logon succeeded (event will log connected username and session ID number)
- This is a successful RDP authentication and session event, and can be correlated with 4624 Type 10 events.
- 22 – Session start notification
- 25 – Session reconnected
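The 4624 type 10 to LocalSessionManager event 21 correlation described above, as an added example that is not part of the original post: the evidence paths are assumptions, the type 10 filter is done with an XPath query, and each logon is paired with the event 21 for the same user within 60 seconds to recover the session ID and client address.

```powershell
# Added example (not from the original post). Evidence paths are assumptions; the second
# file is the LocalSessionManager operational log from the target host's Winevt\Logs folder.
$SecurityLog = 'C:\evidence\Security.evtx'
$LsmLog      = 'C:\evidence\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'

# Flatten an event's <EventData><Data Name="..."> elements into a name -> value hashtable.
function Get-EventDataMap($Event) {
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-RdpLogons {
    # XPath filters on LogonType inside the reader, so only type 10 (RemoteInteractive) 4624s come back.
    $xpath = "*[System[EventID=4624] and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -Path $SecurityLog -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp = $d['IpAddress']
            LogonId  = $d['TargetLogonId']
        }
    }
}

function Get-LsmSessionLogons {
    # Event 21 keeps its fields under <UserData><EventXML>, not <EventData>.
    Get-WinEvent -FilterHashtable @{ Path = $LsmLog; Id = 21 } -ErrorAction SilentlyContinue | ForEach-Object {
        $u = ([xml]$_.ToXml()).Event.UserData.EventXML
        [pscustomobject]@{ Time = $_.TimeCreated; User = $u.User; SessionId = $u.SessionID; Address = $u.Address }
    }
}

# Pair each type 10 logon with the event 21 for the same user within 60 seconds.
$sessions = @(Get-LsmSessionLogons)
foreach ($logon in Get-RdpLogons) {
    $match = $sessions | Where-Object {
        $_.User -eq $logon.User -and [math]::Abs(($_.Time - $logon.Time).TotalSeconds) -le 60
    } | Select-Object -First 1
    [pscustomobject]@{
        Time       = $logon.Time
        User       = $logon.User
        SourceIp   = $logon.SourceIp
        LogonId    = $logon.LogonId
        SessionId  = $match.SessionId
        LsmAddress = $match.Address
    }
}
```

A type 10 logon with no matching event 21 is worth a second look: either the session log was cleared or rolled over, or the 4624 came from a different source than the session manager recorded.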
Scheduled tasks (schtasks)
Attackers can use the built-in Windows utility schtasks.exe (or legacy at.exe) to create scheduled tasks remotely that’ll execute commands or binaries on the target computer. Scheduled tasks can be tailored to allow for malicious actions to be executed at intervals on a specific system. We typically confirm and investigate scheduled tasks via Windows event logs using:
- 4624 – Logon type 3
- 4672 – Logon by user with administrator rights
- 4698 – Scheduled task creation
- 4702 – Scheduled task updated
- 4699 – Scheduled task deleted
- 4700 – Scheduled task enabled
- 4701 – Scheduled task disabled
You can also find evidence of schtasks in the %SYSTEMROOT%\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx task event log:
- 106 – Scheduled task created
- 140 – Scheduled task updated
- 141 – Scheduled task deleted
- 200 – Scheduled task executed
- 201 – Scheduled task completed
Services (remote)
Attackers can use Windows’ built-in service command line utility sc.exe to create, start, and stop services locally or remotely. Typically, we’d expect attackers to use sc.exe to execute backdoor service binaries or utilities on remote systems. You’ll see these in both security and system event logs if they’re reviewed during your investigation.
Security.evtx:
- 4624 – Logon type 3
- 4697 – Service installed
System.evtx:
- 7045 – Service installed
- 7035 – Start or stop control sent to a service
- 7036 – Service started or stopped
- 7034 – Service crashed
- 7040 – Service start type changed
Server message block (SMB): Network shares
Network shares can be remotely accessed by attackers via SMB to stage their files, escalate their privileges, and continue their operations while in an environment. Common sensitive network shares include ADMIN$ and C$. If our SOC analysts suspect lateral movement via network shares, we’ll look for the following logs in Security.evtx:
- 4624 – Logon type 3
- 4672 – Elevated or admin rights granted at logon
- 4634/4647 – Account logoff
- 4648 – Account logon attempted using explicit credentials
- 5140 – Network share object accessed (log not enabled by default)
- This event log provides information on the account, source IP address, and the share accessed. It logs the first access attempt during the logon session.
- 5145 – Network share object was checked to determine if the client can be granted the desired permissions
- 5142 – New network share object added
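A summary of the share access events listed above, as an added example that is not part of the original post: it groups 5140/5145 events from an exported Security.evtx (the path is an assumption) by account, source IP and share, flags the ADMIN$ and C$ administrative shares named above, and records first and last access so you can answer the "how often and from where" question for each credential.

```powershell
# Added example (not from the original post). The evidence path is an assumption; 5140/5145
# only exist if file share auditing was enabled on the target host, as the post notes for 5140.
$SecurityLog = 'C:\evidence\Security.evtx'

# Flatten an event's <EventData><Data Name="..."> elements into a name -> value hashtable.
function Get-EventDataMap($Event) {
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

function Get-ShareAccessSummary {
    param([string[]]$AdminShares = @('ADMIN$', 'C$'))
    Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 5140, 5145 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                SourceIp = $d['IpAddress']
                Share    = $d['ShareName'] -replace '^\\\\\*\\', ''   # logged as \\*\ADMIN$
                Target   = $d['RelativeTargetName']                  # 5145 only: object under the share
            }
        } |
        Group-Object Account, SourceIp, Share |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object Time)
            [pscustomobject]@{
                Account    = $ordered[0].Account
                SourceIp   = $ordered[0].SourceIp
                Share      = $ordered[0].Share
                AdminShare = $AdminShares -contains $ordered[0].Share
                Events     = $_.Count
                FirstSeen  = $ordered[0].Time
                LastSeen   = $ordered[-1].Time
                Targets    = ($ordered.Target | Where-Object { $_ } | Sort-Object -Unique | Select-Object -First 5) -join ', '
            }
        } |
        Sort-Object AdminShare, Events -Descending
}

# Administrative shares first, then the busiest account/source/share combinations.
Get-ShareAccessSummary | Format-Table -AutoSize
```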
Remediation actions
During your incident investigation, if you believe the activity you’re seeing isn’t authorized, you’ll want to use the recorded information to remediate suspected attacker activity in your environment by:
- Immediately contain the source of lateral movement. If it’s an unmanaged device, install an EDR sensor on it or disable its network interface card (NIC).
- Contain the target or remote system the attacker moved laterally into as well.
- Delete any Windows executables or artifacts that were deployed by the attacker, and revert any system security changes or configurations.
- Disable any Active Directory or local account involved, and then reset the associated credentials.
We hope this pocket guide is a helpful consolidation of reference material on Windows logs you can find across the internet from a litany of sources. Questions about the specifics of this blog, or looking for more resources? Get in touch.