Lateral Movement

RDP:

Artifact Location: Host (source system) / Target (destination system)

Security EVTX
  Host:   4648 - Logon specifying alternate credentials - if NLA enabled on destination
  Target: 4624 - Logon
          4672 - Logon Admin
          4778/4779 - IP address source/system & username

RDPClient-Operational
  Host:   1024 - Destination hostname
          1102 - Destination IP address

RemoteConnectionManager-Operational
  Target: 1149 - Source IP/logon username (blank username may indicate sticky keys)

RemoteDesktopServices-RdpCore-Operational
  Target: 131 - Connection attempts - source IP
          98 - Successful connection

TerminalServices-LocalSessionManager-Operational
  Target: 21, 22, 25 - Source IP/logon name
          41 - Logon user name

Registry
  Host:   NTUSER\Software\Microsoft\Terminal Server Client\Servers
          ShimCache (SYSTEM): mstsc.exe
          BAM/DAM (SYSTEM): last time executed
          AmCache.hve: first time executed
          UserAssist (NTUSER.dat): mstsc.exe - last time and number of times executed
          RecentApps (NTUSER.dat): mstsc.exe - last time and number of times executed
  Target: ShimCache (SYSTEM): rdpclip.exe, tstheme.exe
          AmCache.hve: first time executed - rdpclip.exe, tstheme.exe

FileSystem
  Host:   Jumplists - AutomaticDestinations\{MSTSC-APPID} - connection destination and times
          Prefetch - mstsc.exe-{hash}.pf
          Bitmap cache - AppData\Local\Microsoft\Terminal Server Client\Cache: bcache##.bmc & cache####.bin
  Target: Prefetch - rdpclip.exe / tstheme.exe

Share Drive:

net use z: \\host\C$ /user:domain\username <password>

Artifact Location: Host (source system) / Target (destination system)

Security EVTX
  Host:   4648 - Logon specifying alternate credentials
  Target: 4624 - Logon
          4672 - Logon Admin
          4776 - IP address source/system & username
          4768 - TGT granted - source hostname/logon username (only on DC)
          4769 - Service ticket granted (only on DC)
          5140 - Share access
          5145 - Auditing of shared files

SMBClient-Security
  Host:   31001 - Failed logon to destination

Registry
  Host:   NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
          Shellbags (USRCLASS.dat): remote folder accessed
          ShimCache (SYSTEM): net.exe & net1.exe
          BAM/DAM (SYSTEM): net.exe & net1.exe
          AmCache.hve: first time executed

FileSystem
  Host:   Prefetch - net.exe-{hash}.pf, net1.exe-{hash}.pf

Remote Service control:

sc \\host create servicename binpath= C:\temp\evil.exe
sc \\host start servicename

Artifact Location: Host (source system) / Target (destination system)

Security EVTX
  Target: 4624 - Logon
          4697 - Service install

System EVTX
  Target: 7034 - Service crashed unexpectedly
          7035 - Service sent start/stop
          7040 - Start type change
          7045 - Service was installed

Registry
  Host:   ShimCache (SYSTEM): sc.exe
          BAM/DAM: last time executed
          AmCache.hve: first time executed
  Target: SYSTEM\CurrentControlSet\Services - new service creation
          ShimCache (SYSTEM): evil.exe
          AmCache.hve: first time executed

FileSystem
  Host:   Prefetch - sc.exe-{hash}.pf

Remote scheduled task control:

at \\host 13:00 C:\temp\evil.exe
schtasks /CREATE /TN taskname /TR C:\evil.exe /sc once /RU "SYSTEM" /ST 13:00 /s host /U user

Artifact Location: Host (source system) / Target (destination system)

Security EVTX
  Host:   4648 - Logon specifying alternate credentials
  Target: 4624 - Logon
          4672 - Logon Admin
          4698 - Scheduled task created
          4702 - Scheduled task updated
          4699 - Scheduled task deleted
          4700/4701 - Scheduled task enabled/disabled

TaskScheduler-Operational
  Target: 106 - Task created
          140 - Task updated
          141 - Task deleted
          200/201 - Task executed/completed

Registry
  Host:   ShimCache (SYSTEM): at.exe & schtasks.exe
          BAM/DAM (SYSTEM): at.exe & schtasks.exe
          AmCache.hve: first time executed
  Target: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks & \Tree
          ShimCache (SYSTEM): evil.exe
          AmCache.hve: first time executed

FileSystem
  Host:   Prefetch - at.exe-{hash}.pf, schtasks.exe-{hash}.pf
  Target: File creation - evil.exe
          Prefetch - evil.exe-{hash}.pf

Remote Registry control:

reg add \\host\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Data /t REG_SZ /d C:\evil.exe

WMI

Host: wmic.exe -> Target: wmiprvse.exe

wmic /node:host /user:user process call create C:\temp\evil.exe
Invoke-WmiMethod -ComputerName host -Class Win32_Process -Name Create -ArgumentList C:\evil.exe
wmic.exe PROCESS CALL CREATE "C:\\Windows\\System32\\rundll32.exe C:\evil.dll"

Artifact Location: Host (source system) / Target (destination system)

Security EVTX
  Host:   4648 - Logon specifying alternate credentials
  Target: 4624 - Logon
          4672 - Logon Admin

WMI-Activity-Operational
  Target: 5857 - Indicates WMIC execution and path of DLL
          5860/5861 - Registration of temporary/permanent event consumer

Registry
  Host:   ShimCache (SYSTEM): wmic.exe
          BAM/DAM: last time executed
          AmCache.hve: first time executed
  Target: ShimCache: scrcons.exe, mofcomp.exe, wmiprvse.exe, evil.exe
          AmCache.hve: scrcons.exe, mofcomp.exe, wmiprvse.exe, evil.exe

FileSystem
  Host:   Prefetch - wmic.exe-{hash}.pf
  Target: File creation - evil.exe & evil.mof (used to manage the WMI repository)
          Prefetch - scrcons.exe-{hash}.pf, mofcomp.exe-{hash}.pf, wmiprvse.exe-{hash}.pf, evil.exe-{hash}.pf
          Changes to C:\Windows\System32\wbem\Repository

PowerShell:

Host: powershell.exe -> Target: wsmprovhost.exe

Enter-PSSession -ComputerName host
Invoke-Command -ComputerName host -ScriptBlock {Start-Process C:\evil.exe}

Artifact Location: Host (source system) / Target (destination system)

Security EVTX
  Host:   4648 - Logon specifying alternate credentials
  Target: 4624 - Logon (Type 3)
          4672 - Logon Admin

WinRM-Operational
  Host:   6 - WSMan session initialised - session created, destination host IP/name, current logged-on user
          8, 15, 16, 33 - WSMan session deinitialised
  Target: 91 - Session created
          168 - Records authenticating user

PowerShell.evtx
  Target: 400, 403 - ServerRemoteHost - indicates start/end of remoting session
          800 - Includes partial script code

PowerShell-Operational
  Host:   40691, 40692 - Records local initiation of PowerShell and user
          8193, 8194 - Session created
          8197 - Session closed
  Target: 4103, 4104 - Script block logging (suspicious scripts are logged by default in PSv5)
          53504 - Records the authenticating user

Registry
  Host:   ShimCache (SYSTEM): powershell.exe
          BAM/DAM: last time executed
          AmCache.hve: first time executed
  Target: ShimCache: wsmprovhost.exe
          SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy
          AmCache.hve: wsmprovhost.exe

FileSystem
  Host:   Prefetch - powershell.exe-{hash}.pf
          Command history - AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_History.txt
  Target: Prefetch - wsmprovhost.exe-{hash}.pf

PsExec:

psexec.exe \\host -accepteula -d -c C:\temp\evil.exe

Host: psexec.exe -> Target: psexesvc.exe

Artifact Location: Host (source system) / Target (destination system)

Security EVTX
  Host:   4648 - Logon specifying alternate credentials - if NLA enabled on destination
  Target: 4624 - Logon
          4672 - Logon Admin
          5140 - Share access - ADMIN$

Registry
  Host:   Software\SysInternals\PsExec\EulaAccepted
          ShimCache (SYSTEM): PsExec.exe
          BAM/DAM (SYSTEM): psexec.exe - last time executed
          AmCache.hve: first time executed
  Target: New service creation: SYSTEM\CurrentControlSet\Services\PSEXESVC (can be renamed)
          ShimCache (SYSTEM): psexesvc.exe
          AmCache.hve: psexesvc.exe

FileSystem
  Host:   Prefetch - C:\Windows\Prefetch
          File creation
  Target: Prefetch - psexesvc.exe-{hash}.pf
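The target-side columns above all follow the same shape: a logon or share-access event followed within seconds by the event that confirms the technique (service install for sc/PsExec, task creation for schtasks, session connect for RDP). The script below is an added example, not part of the original cheat sheet: it encodes those pairs as rules and runs them over constructed sample records (the record layout, field names and the 60-second window are assumptions, not a product's schema).

```python
from datetime import datetime

# Constructed sample records (not real logs). Field names mirror what the tables
# above list; a real pipeline would fill them from the named EVTX channels.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "channel": "Security", "id": 4624, "user": "ops", "src_ip": "10.0.0.5"},
    {"ts": "2024-03-01T10:00:01", "channel": "Security", "id": 5140, "user": "ops", "src_ip": "10.0.0.5",
     "share": "\\\\*\\ADMIN$"},
    {"ts": "2024-03-01T10:00:03", "channel": "System", "id": 7045, "service": "PSEXESVC"},
    {"ts": "2024-03-01T11:30:00", "channel": "Security", "id": 4624, "user": "jdoe", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-01T11:30:02", "channel": "Security", "id": 4778, "user": "jdoe", "src_ip": "10.0.0.9"},
    {"ts": "2024-03-01T15:00:00", "channel": "Security", "id": 4698, "user": "svc", "task": "\\Updater"},
]

# Rule name -> (leading event, confirming event), taken from the Target columns above:
# ADMIN$ access then service install (PsExec), logon then RDP session connect (4778),
# logon then scheduled task created (4698), logon then service install (4697).
PAIR_RULES = {
    "psexec_service": (("Security", 5140), ("System", 7045)),
    "rdp_session":    (("Security", 4624), ("Security", 4778)),
    "remote_schtask": (("Security", 4624), ("Security", 4698)),
    "remote_service": (("Security", 4624), ("Security", 4697)),
}

def _key(e):
    return (e["channel"], e["id"])

def _seconds_between(e1, e2):
    return (datetime.fromisoformat(e2["ts"]) - datetime.fromisoformat(e1["ts"])).total_seconds()

def correlate(events, window_s=60):
    """One hit per leading/confirming pair seen within window_s seconds. When both
    records carry a user they must agree; otherwise order alone is used (7045 has none)."""
    hits = []
    for name, (lead, confirm) in PAIR_RULES.items():
        leads = [e for e in events if _key(e) == lead]
        for e2 in (e for e in events if _key(e) == confirm):
            for e1 in leads:
                same_user = "user" not in e1 or "user" not in e2 or e1["user"] == e2["user"]
                if same_user and 0 <= _seconds_between(e1, e2) <= window_s:
                    hits.append({"rule": name, "user": e1.get("user"),
                                 "src_ip": e1.get("src_ip"), "at": e2["ts"]})
    return hits

def unexplained(events, window_s=60):
    """Confirming events (task/service creation, RDP connect) with no leading event in range;
    these deserve a look on their own rather than being dropped."""
    explained = {h["at"] for h in correlate(events, window_s)}
    confirm_ids = {confirm[1] for _, confirm in PAIR_RULES.values()}
    return [e for e in events if e["id"] in confirm_ids and e["ts"] not in explained]
```

On the sample data the PsExec and RDP pairs fire, while the 4698 task creation with no logon in the window is reported by `unexplained` for manual review.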
