Presenters: Tony Lambert, Phil Hagen, Rick McElroy, John Wunder

MITRE ATT&CK Deep Dive: Lateral Movement

Detecting Lateral Movement via the Emotet trojan

Red Canary, Carbon Black, and MITRE ATT&CK take a deep dive into Lateral Movement detection. This hands-on webinar demonstrates how applying Lateral Movement detection tactics and techniques can help you find advanced persistent threats (APT) in your environment and improve the efficacy of your security program.

You will learn how to:

  • Detect and respond to tactics in the Emotet malware family
  • Apply those detection strategies to find APTs in your environment
  • Build your detection program with similar repeatable processes

3:36 Presenter Introduction

5:00 Webinar Agenda

5:50 What is Lateral Movement?

8:24 “We are now seeing that 60% of attacks involve Lateral Movement.” -Rick

9:15 Lateral Movement Techniques

10:53 “Across all of these, most of the time it is going to be the usage of legitimate behaviors.” -John

13:00 Examples of Techniques

13:44 “When we talk about Lateral Movement, it is very important to understand that it falls within an ecosystem.” -Tony

14:09 Detection Techniques

15:08 “The cool thing about baselining is that it doesn’t have to be one particular set of systems. It doesn’t have to be one particular technology. It can be any sort of security control that you are implementing in your environment.” -Tony

15:35 “When we remove the background noise, what is left? What only occurs on one or two systems in your environment?” -Tony

16:59 Mitigation Techniques

17:19 “If you maintain smaller segments of the environment, you’re building a smaller surface area for that attacker to spread laterally within.” -Phil

20:15 Case Study: Detecting Emotet

21:31 Carbon Black’s Research & Analysis

23:30 “The attackers are becoming more sophisticated, and they are baking this stuff in. They are starting to use command and control in a traditional sense to change what that footprint on your endpoint is going to do.” -Rick

24:15 Using the ATT&CK Framework

24:35 “The first thing [emotet] is going to do is password stuff into your admin shares.” -Rick

27:45 Strategies for Building Detection

27:57 “Look at the strategic goal of building a detection capability, not just a detection, and look at how that is going to iterate over time.” -Phil

28:25 Emotet Lateral Movement

28:49 “Lateral movement doesn’t just exist in a vacuum. Its behavior only has context when it is associated with other behaviors that are surrounding it.” -Tony

30:57 Emotet Endpoint Behavior

31:11 “The primary thing we look for at Red Canary for emotet is going to be a process that looks like it has been scheduled as a service. It’s going to have a parent process of services.exe. If it’s been copied via Windows Administrative Share, it’s going to have a very specific file path. It is going to be in the Windows System32 or SysWOW64 folders on a file system.” -Tony

33:30 Baselining

37:11 “Something that is very common with emotet and other malware is to use the same hash across multiple systems with different file names.” -Tony

38:07 Visualizing Results

38:30 “By the time we make it to a customer’s environment, we miss the original infection because the original infection may have happened several weeks back, a couple of months back, and all we see is the lateral movement jumping back and forth over and over between endpoints.” -Tony

40:53 Expanding – Applying to Other Threats

41:20 Communication Pathways

41:22 Emotet

41:30 “This is going to push that binary across an SMB channel then it is going to create that service on a remote host.” -Phil

42:00 PsExec

42:45 “The big differentiating activity like this is you’re going to have to see what is immediately before and what is immediately after.” -Tony

43:25 RemCom

43:57 “Neither the starting process RemCom nor the RemCom service process on the other side are going to be signed.” -Tony

45:30 Metasploit

45:58 “You can use metasploit to create a service over SMB to do persistence and execution over on a remote endpoint without file copy.” -Tony

48:20 Key Takeaways

51:40 “Do the work one time, apply to many. It’s what the bad guys do and I think we need to do more the same.” -Rick

53:40 Questions and Answers

53:45 Question 1: How does a detection change when an attacker uses at.exe job scheduler?

55:43 “One simple thing you could do is look for every time that at.exe is executed and then see if that is something that looks normal in your environment.” -John

56:48 Question 2: Is there a specific software package required to do what we are talking about?

56:54 “Not always. Certainly with the use of tools like Carbon Black and others that we leverage through the Red Canary service and the ones I know that MITRE has used can be very useful.” -Phil

57:27 “It is not to say there is any one right answer here. It’s going to be which is the one that gives you as the investigator the information you need to do good in your environment. There are a lot of variables in that equation.” -Phil

58:25 Question 3: How effective is disabling PowerShell VBA macro scripts? How effective would that be to combat emotet?

01:00:09 “As difficult as it sounds to do application whitelisting, I feel like it is going to be easier to do that than to try to block PowerShell in your organization.” -Tony

01:01:47 Question 4: Are you going to be doing more of these?

01:01:50 “Yes! Absolutely. We are aiming to do something along the lines of this on a quarterly basis.” -Phil

01:02:48 Question 5: Any ideas for baselining registry information?

01:03:40 “If you pull this across a long period of time, look for things that are unusual or changing.” -John

01:07:45 Question 6: What other tools are out there?

01:08:00 “Our focus shouldn’t be on the tool or capability centric view of what bad things are. We are instead looking at the behaviors.” -Phil
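The endpoint criteria Tony describes at 31:11 and 37:11 (a process started by services.exe from System32 or SysWOW64, and one hash reused across hosts under different file names) can be turned into a small baselining check. The script below is an added example written for this summary; it is not code from the webinar, Red Canary, Carbon Black or MITRE. It assumes process-start telemetry has already been flattened into dictionaries with host, parent image, image path and SHA-256, and the sample events and hash values are constructed placeholders, not real indicators.

```python
"""Baseline service-launched binaries and flag Emotet-style reuse of one hash.

Added example, not from the webinar. Assumes a flat list of process-start
events (host, parent image, image path, sha256). Sample data is constructed.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

SERVICE_PARENT = "services.exe"
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample telemetry; the hash strings are placeholders, not IoCs.
EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\spoolsv.exe", "sha256": "AAA111"},
    {"host": "WS01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\oxydm.exe", "sha256": "BAD999"},
    {"host": "WS02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\SysWOW64\qlxzv.exe", "sha256": "BAD999"},
    {"host": "WS03", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\rstgw.exe", "sha256": "BAD999"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\bob\Downloads\notes.exe", "sha256": "CCC333"},
    {"host": "WS03", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\spoolsv.exe", "sha256": "AAA111"},
]


def is_service_launch_in_system_dir(event):
    """31:11 criteria: parent is services.exe and image sits in System32/SysWOW64."""
    parent = PureWindowsPath(event["parent"]).name.lower()
    image = event["image"].lower()
    return parent == SERVICE_PARENT and any(
        image.startswith(d + "\\") for d in SYSTEM_DIRS)


def candidate_events(events):
    """Keep only events matching the service-launch criteria."""
    return [e for e in events if is_service_launch_in_system_dir(e)]


def hashes_with_many_names(events, min_hosts=2):
    """37:11 criteria: one hash seen under several file names on several hosts."""
    names = defaultdict(set)
    hosts = defaultdict(set)
    for e in candidate_events(events):
        names[e["sha256"]].add(PureWindowsPath(e["image"]).name.lower())
        hosts[e["sha256"]].add(e["host"])
    return {
        h: {"names": sorted(names[h]), "hosts": sorted(hosts[h])}
        for h in names
        if len(names[h]) > 1 and len(hosts[h]) >= min_hosts
    }


def baseline_rare(events, max_hosts=1):
    """15:35 step: after removing the common service binaries, which image
    names run as a service on only one or two hosts?"""
    hosts_by_name = defaultdict(set)
    for e in candidate_events(events):
        hosts_by_name[PureWindowsPath(e["image"]).name.lower()].add(e["host"])
    return sorted(n for n, h in hosts_by_name.items() if len(h) <= max_hosts)


if __name__ == "__main__":
    print("rare service binaries:", baseline_rare(EVENTS))
    print("hash reused under different names:", hashes_with_many_names(EVENTS))
```

On the constructed data, spoolsv.exe drops out of the rare list because it runs on two hosts, while the three differently named binaries sharing one hash surface in both checks; on real telemetry the same two views separate the legitimate services baseline from the copied-and-scheduled binaries the talk describes.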
