Detecting Lateral Movement via the Emotet trojan
Red Canary, Carbon Black, and MITRE ATT&CK take a deep dive into Lateral Movement detection. This hands-on webinar demonstrates how applying Lateral Movement detection tactics and techniques can help you find advanced persistent threats (APTs) in your environment and improve the efficacy of your security program.
You will learn how to:
- Detect and respond to tactics in the Emotet malware family
- Apply those detection strategies to find APTs in your environment
- Build your detection program with similar repeatable processes
3:36 Presenter Introduction
5:00 Webinar Agenda
5:50 What is Lateral Movement?
8:24 “We are now seeing that 60% of attacks involve Lateral Movement.” -Rick
9:15 Lateral Movement Techniques
10:53 “Across all of these, most of the time it is going to be the usage of legitimate behaviors.” -John
13:00 Examples of Techniques
13:44 “When we talk about Lateral Movement, it is very important to understand that it falls within an ecosystem.” -Tony
14:09 Detection Techniques
15:08 “The cool thing about baselining is that it doesn’t have to be one particular set of systems. It doesn’t have to be one particular technology. It can be any sort of security control that you are implementing in your environment.” -Tony
15:35 “When we remove the background noise, what is left? What only occurs on one or two systems in your environment?” -Tony
16:59 Mitigation Techniques
17:19 “If you maintain smaller segments of the environment, you’re building a smaller surface area for that attacker to spread laterally within.” -Phil
20:15 Case Study: Detecting Emotet
21:31 Carbon Black’s Research & Analysis
23:30 “The attackers are becoming more sophisticated, and they are baking this stuff in. They are starting to use command and control in a traditional sense to change what that footprint on your endpoint is going to do.” -Rick
24:15 Using the ATT&CK Framework
24:35 “The first thing [Emotet] is going to do is password stuff into your admin shares.” -Rick
27:45 Strategies for Building Detection
27:57 “Look at the strategic goal of building a detection capability, not just a detection, and look at how that is going to iterate over time.” -Phil
28:25 Emotet Lateral Movement
28:49 “Lateral movement doesn’t just exist in a vacuum. Its behavior only has context when it is associated with other behaviors that are surrounding it.” -Tony
30:57 Emotet Endpoint Behavior
31:11 “The primary thing we look for at Red Canary for Emotet is going to be a process that looks like it has been scheduled as a service. It’s going to have a parent process of services.exe. If it’s been copied via Windows Administrative Share, it’s going to have a very specific file path. It is going to be in the Windows System32 or SysWOW64 folders on a file system.” -Tony
33:30 Baselining
37:11 “Something that is very common with Emotet and other malware is to use the same hash across multiple systems with different file names.” -Tony
38:07 Visualizing Results
38:30 “By the time we make it to a customer’s environment, we miss the original infection because the original infection may have happened several weeks back, a couple of months back, and all we see is the lateral movement jumping back and forth over and over between endpoints.” -Tony
40:53 Expanding – Applying to Other Threats
41:20 Communication Pathways
41:22 Emotet
41:30 “This is going to push that binary across an SMB channel then it is going to create that service on a remote host.” -Phil
42:00 PsExec
42:45 “The big differentiating activity like this is you’re going to have to see what is immediately before and what is immediately after.” -Tony
43:25 RemCom
43:57 “Neither the starting process RemCom or the RemCom service process on the other side are going to be signed.” -Tony
45:30 Metasploit
45:58 “You can use Metasploit to create a service over SMB to do persistence and execution over on a remote endpoint without file copy.” -Tony
48:20 Key Takeaways
51:40 “Do the work one time, apply to many. It’s what the bad guys do and I think we need to do more of the same.” -Rick
53:40 Questions and Answers
53:45 Question 1: How does a detection change when an attacker uses at.exe job scheduler?
55:43 “One simple thing you could do is look for every time that at.exe is executed and then see if that is something that looks normal in your environment.” -John
56:48 Question 2: Is there a specific software package required to do what we are talking about?
56:54 “Not always. Certainly with the use of tools like Carbon Black and others that we leverage through the Red Canary service and the ones I know that MITRE has used can be very useful.” -Phil
57:27 “It is not to say there is any one right answer here. It’s going to be which is the one that gives you as the investigator the information you need to do good in your environment. There are a lot of variables in that equation.” -Phil
58:25 Question 3: How effective is disabling PowerShell VBA macro scripts? How effective would that be to combat Emotet?
01:00:09 “As difficult as it sounds to do application whitelisting, I feel like it is going to be easier to do that than to try to block PowerShell in your organization.” -Tony
01:01:47 Question 4: Are you going to be doing more of these?
01:01:50 “Yes! Absolutely. We are aiming to do something along the lines of this on a quarterly basis.” -Phil
01:02:48 Question 5: Any ideas for baselining registry information?
01:03:40 “If you pull this across a long period of time, look for things that are unusual or changing.” -John
01:07:45 Question 6: What other tools are out there?
01:08:00 “Our focus shouldn’t be on the tool or capability centric view of what bad things are. We are instead looking at the behaviors.” -Phil