Lateral Movement “Whack-a-Mole”
Win with Network Monitoring
The Cisco Security Incident Response Service team works every day with customers who have either experienced a data breach or have engaged our team to help ensure they are prepared for an incident before it occurs.
Our incident responders recently worked with a client whose organization had been targeted with destructive ransomware attacks. The attack had rendered most of their critical infrastructure, such as domain controllers and email servers, unusable. To make matters more challenging, there was no aggregation of logs from these critical systems to a SIEM or other syslog solution for investigation.
The organization had been subjected to previous attacks and had taken steps to remediate the situation by specifically blocking use of “PsExec”, the popular remote administration tool included with the Microsoft Sysinternals Suite. Limiting Remote Administration Tool usage and auditing the accounts able to perform remote administration is a popular recommendation for hardening against an attack. Blacklisting remote administration tools one at a time, however, can become a high-stakes game of whack-a-mole, because attacker tools and tactics change over time.
Forensic review of an affected workstation by our incident response analysts revealed a Windows Prefetch file with a handle to a batch script known to be used to install a malicious service. Prefetch files store a reference to any file the launching program accesses within the first 10 seconds of being run. This reference allows resources to be located more quickly when the application is started again. Because of this behavior, Prefetch files can often reveal interesting relationships between malware files and other programs on the system being reviewed. This particular Prefetch file invited further review because its name contained the name of one of the customer’s domain controllers; a fabricated example of such a name is “PAEXEC-1234-DomainController_2.exe”.
Of particular interest to our team was whether the Prefetch file located was for the tool “paexec” openly available on the Internet, and what would cause another computer’s name to be part of the executable name on infected systems. PAExec is a Remote Administration Tool available for free download from “hxxtps://www[.]poweradmin[.]com/paexec”.
Many Remote Administration Tools are not malicious on their own. They are used to run remote commands and to remotely install software. When downloaded from the maker’s website, the executable was named “paexec.exe”. The binary was found to have identical characteristics to the binaries recovered during our investigation. The next step was to discover, by running a test, how the binary’s name could be changed. Our team used a forensic laptop to open a “paexec” session, with administrative privileges, to a personal computer. The test showed that “paexec” automatically copies itself to the “ADMIN$” share on the remote machine using the naming convention “PAEXEC-<process ID that paexec ran under on the originating computer>-<name of the computer the session came from>.exe”.
To further illustrate this, refer to Figure 1 below, where “paexec” was run on a machine named “DESKTOP-6APUK92”, with Process ID “7036”, and copied to a computer named “ErikOffice” with IP address “192.168.1.15”. The first attempt at the session in Figure 1 was unsuccessful due to a wrong password, so the name of the binary that failed to copy to “ErikOffice” is highlighted:
The name of the binary on “ErikOffice” was verified to be “PAExec-7036-DESKTOP-6APUK92.exe”, located in the “Windows\System32” folder by default, and the executable was installed as a service. After running this test, our team was able to determine the direction and time of the attacker’s lateral movement despite the lack of event logs from the machines and the absence of any aggregated logging for network visibility.
Attackers can always come up with another tool or method to bypass endpoint controls. Some battles are best won at the network level. With a NetFlow monitoring and alerting system such as Cisco StealthWatch, an organization could define zones of the network from which Remote Administration is allowable, such as System Administrator jump hosts or workstations, and either block or alert on remote administration attempts that originate anywhere outside that zone.
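As an added example (not part of the original post and not code from the PAExec tool), the naming convention described above can be turned into a small triage script: it parses PAExec-style filenames from a Prefetch or System32 listing, recovers the originating host and process ID, and flags any originating host that is not an approved administration jump host. The sample filenames, their Prefetch hash suffixes and the allow-listed host “ADMIN-JUMP01” are constructed for the example.

```python
import re
from typing import Optional

# Added example: recover the originating host and PID from PAExec's on-disk
# naming convention, PAEXEC-<pid>-<source host>.exe. The name may come from an
# ADMIN$/System32 listing or from a Prefetch file, which appends
# "-<8 hex digits>.pf" to the upper-cased executable name. Hostnames can
# themselves contain hyphens (e.g. DESKTOP-6APUK92), so the PID is the first
# numeric field and everything up to ".EXE" is treated as the host.
PAEXEC_NAME = re.compile(
    r"^PAEXEC-(?P<pid>\d+)-(?P<host>.+?)\.EXE(?:-[0-9A-F]{8}\.pf)?$", re.IGNORECASE
)


def parse_paexec_name(filename: str) -> Optional[dict]:
    """Return {'pid': int, 'source_host': str} for a PAExec-style name, else None."""
    m = PAEXEC_NAME.match(filename)
    if not m:
        return None
    return {"pid": int(m.group("pid")), "source_host": m.group("host").upper()}


def find_unauthorized_sources(filenames, allowed_hosts):
    """Flag PAExec copies whose originating host is not an approved admin host.

    allowed_hosts: hostnames (case-insensitive) of the jump hosts from which
    remote administration is permitted; anything else is a lateral-movement lead.
    """
    allowed = {h.upper() for h in allowed_hosts}
    hits = []
    for name in filenames:
        info = parse_paexec_name(name)
        if info and info["source_host"] not in allowed:
            hits.append({"file": name, **info})
    return hits


# Constructed sample: names as they might appear in C:\Windows\Prefetch and
# C:\Windows\System32 on a reviewed workstation. Hash suffixes are made up.
SAMPLE_FILES = [
    "PAEXEC-7036-DESKTOP-6APUK92.EXE-1A2B3C4D.pf",
    "PAExec-7036-DESKTOP-6APUK92.exe",
    "PAEXEC-1234-DOMAINCONTROLLER_2.EXE-9F8E7D6C.pf",
    "PAEXEC-4410-ADMIN-JUMP01.EXE-00112233.pf",  # approved jump host, not flagged
    "NOTEPAD.EXE-D8414F97.pf",
    "PAEXEC.EXE-ABCDEF01.pf",  # the tool run locally: no PID/host, no remote session
]

if __name__ == "__main__":
    for hit in find_unauthorized_sources(SAMPLE_FILES, allowed_hosts={"ADMIN-JUMP01"}):
        print(f"{hit['file']}: copied from {hit['source_host']} (PID {hit['pid']})")
```

A Prefetch hit for a PAExec copy names the host that opened the session, so the same parsing also gives the direction of movement when event logs are gone; timestamps come from the file’s own metadata.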
If your organization is facing an attack, or could use additional resources to prepare for an attack, consider reaching out to the experts on our Cisco Security Incident Response Services team.