Shusei Tomonaga
JPCERT/CC Analysis Center
Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensic investigation, and is especially involved in analyzing targeted attack incidents. In addition, he has written several posts on malware analysis and technical findings for JPCERT/CC's blog. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, Botconf, PacSec and the FIRST Conference.

Tracking APT Lateral Movement with Audit Policy and Sysmon

When attackers intrude into a network through an APT attack, the malware infection spreads to many hosts and servers. For an effective incident response, investigation and detection of the lateral movement phase become critical. One method for investigating such attacks is to trace the logs that remain on the hosts. However, adequate evidence of lateral movement may not be available on Windows with its default settings.

While appropriate host configurations are required to obtain sufficient evidence, such settings often result in an increased volume of logs remaining on the hosts. Therefore, it becomes necessary to know where on the hosts to look for evidence. To guide such investigations, we conducted research on the log configurations necessary to acquire evidence of tool execution in the lateral movement phase, and closely examined the indicators logged on the hosts. We then compiled our findings into a report and published it on a webpage.

This presentation will explain some attack patterns and typical tools used in lateral movement, identified through our research. It will also introduce techniques to detect or investigate such incidents using tools such as Audit Policy and Sysmon.