Forensic Artifacts of Lateral Movement and Credential Dumping Tools

Source: JPCERT Tool Analysis Result Sheet

This resource documents forensic artifacts left by tools used for lateral movement and credential dumping. Key sections include:

  • Threat Actor Artifacts: File writes, registry changes, USN Journal entries.
  • Event Logs: Sysmon, Security, BITS-Client, etc.
  • Host Activity: Source and destination host traces.
  • Network Traces: Packet capture session flows for some tools.

Despite being slightly dated, the telemetry remains relevant for:
– Threat hunting
– DFIR (Digital Forensics & Incident Response)
– TTP (Tactics, Techniques, Procedures) testing
– Detection rule development

You Should Know:

1. Key Forensic Artifacts to Check

File System Artifacts

  • Check for unusual executables in C:\Windows\Temp\, C:\Users\Public\, or hidden directories.
  • Walk the `$MFT` (Master File Table) with The Sleuth Kit. `fls -m` emits a body file that `mactime` turns into a timeline; the live-volume device path needs two leading backslashes and an elevated shell (on a disk image, pass the image file plus `-o <sector offset>` instead):
    fls -r -m "C:/" \\.\C: > bodyfile.txt 
    

Registry Modifications

  • Look for suspicious autostart entries under the Run keys (RunOnce, Winlogon and the Services key deserve the same check):
    reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
    reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 
    

USN Journal (Update Sequence Number Journal)

  • Dump the live journal (the data lives in `$Extend\$UsnJrnl:$J`; fsutil needs an elevated prompt and only returns entries that have not yet wrapped, so on an image carve `$J` and parse it offline):
    fsutil usn readjournal C: > usn_journal_log.txt 
    
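Parsing the raw `$J` records is the offline counterpart to `fsutil`. The following Python is an added example, not code from the JPCERT sheet or this post: it decodes USN_RECORD_V2 entries (layout from winioctl.h) and flags executable names that arrived through FILE_CREATE or RENAME_NEW_NAME. The records, file names, MFT entry numbers and timestamps are constructed in memory; on a real case, carve `$Extend\$UsnJrnl:$J` from the image and pass its bytes to `parse_usn_v2`, then resolve `parent_entry` against `$MFT` to recover the directory, since a USN record carries only the file name.

```python
"""Parse raw USN_RECORD_V2 entries from an NTFS $UsnJrnl:$J stream and flag
executables that were created or renamed into place (added example, not code
from the JPCERT sheet or the original post; the records, names, MFT numbers
and timestamps below are constructed in memory)."""
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from winioctl.h (USN_REASON_*); common subset only
USN_REASON = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
              0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x1000: "RENAME_OLD_NAME",
              0x2000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
# USN_RECORD_V2 fixed part (60 bytes, little-endian): RecordLength, MajorVersion,
# MinorVersion, FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp
# (FILETIME), Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength,
# FileNameOffset; the UTF-16LE name follows at FileNameOffset.
V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MFT_ENTRY_MASK = 0xFFFFFFFFFFFF   # low 48 bits of a file reference = MFT entry


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def decode_reason(flags):
    return [name for bit, name in USN_REASON.items() if flags & bit]


def parse_usn_v2(data):
    """Yield one dict per USN_RECORD_V2; runs of zeros are sparse $J padding."""
    off = 0
    while off + 4 <= len(data):
        rec_len = struct.unpack_from("<I", data, off)[0]
        if rec_len == 0:
            off += 8            # records and padding are 8-byte aligned
            continue
        if rec_len < V2_HEADER.size or off + rec_len > len(data):
            break               # truncated or corrupt tail
        (_, major, _, frn, parent, usn, ts, reason, _, _, _,
         name_len, name_off) = V2_HEADER.unpack_from(data, off)
        if major == 2:
            start = off + name_off
            yield {"usn": usn, "time": filetime_to_dt(ts),
                   "name": data[start:start + name_len].decode("utf-16-le"),
                   "mft_entry": frn & MFT_ENTRY_MASK,
                   "parent_entry": parent & MFT_ENTRY_MASK,
                   "reason": decode_reason(reason)}
        off += rec_len


def suspicious_creates(records, exts=(".exe", ".dll", ".ps1", ".bat", ".vbs")):
    """Executable-like names that appeared through FILE_CREATE or RENAME_NEW_NAME."""
    return [r for r in records if r["name"].lower().endswith(exts)
            and {"FILE_CREATE", "RENAME_NEW_NAME"} & set(r["reason"])]


def build_v2_record(usn, when, name, reason, frn, parent):
    """Serialise a USN_RECORD_V2; used only to construct the sample stream."""
    name_b = name.encode("utf-16-le")
    body = V2_HEADER.size + len(name_b)
    rec_len = (body + 7) & ~7
    hdr = V2_HEADER.pack(rec_len, 2, 0, frn, parent, usn, dt_to_filetime(when),
                         reason, 0, 0, 0x20, len(name_b), V2_HEADER.size)
    return hdr + name_b + b"\x00" * (rec_len - body)


def sample_journal():
    """Constructed $J fragment: a document edit, 8 bytes of sparse padding, then
    a service binary created under parent entry 0x1D2, written and closed."""
    t1 = datetime(2024, 3, 1, 9, 15, 0, tzinfo=timezone.utc)
    t2 = datetime(2024, 3, 1, 9, 16, 30, tzinfo=timezone.utc)
    return (build_v2_record(1000, t1, "notes.docx", 0x2 | 0x80000000, 0x3A1, 0x5)
            + b"\x00" * 8
            + build_v2_record(1096, t2, "PSEXESVC.exe", 0x100, 0x2A3F, 0x1D2)
            + build_v2_record(1192, t2, "PSEXESVC.exe", 0x100 | 0x2 | 0x80000000,
                              0x2A3F, 0x1D2))


def analyze(data=None):
    records = list(parse_usn_v2(sample_journal() if data is None else data))
    return records, suspicious_creates(records)


if __name__ == "__main__":
    for r in analyze()[1]:
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} usn={r['usn']} {r['name']} "
              f"mft={r['mft_entry']} parent={r['parent_entry']} {'|'.join(r['reason'])}")
```

The zero-length check matters on real data: `$J` is a sparse stream, and carving tools frequently hand back long runs of zeros before the first live record. The reason flags accumulate across a file's lifetime until CLOSE, which is why the same file shows up once at creation and again with DATA_EXTEND when it is closed.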

2. Event Log Analysis

Sysmon Logs

  • Filter process creations (Event ID 1) whose command line names lsass.exe, which catches `procdump -ma lsass.exe`, `rundll32 comsvcs.dll MiniDump` and similar; direct handle access to LSASS is logged as Event ID 10 (ProcessAccess), so check that as well. The XPath needs the leading `*`:
    Get-WinEvent -Path .\Sysmon.evtx -FilterXPath "*[System[EventID=1]]" | Where-Object { $_.Message -match "lsass.exe" } 
    

Security Logs (Event ID 4624 & 4625)

  • Check for lateral movement via RDP or SMB: Logon Type 10 (RemoteInteractive) is RDP, Logon Type 3 (Network) covers SMB shares, PsExec and WMI; many 4625 failures from one source point to spraying or brute force:
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625} | Format-List 
    

BITS (Background Intelligent Transfer Service) Logs

  • Detect file transfers started by BITS (Event ID 59 records the job start together with its URL; Event ID 60 records the stop):
    Get-WinEvent -LogName "Microsoft-Windows-Bits-Client/Operational" | Where-Object { $_.Id -eq 59 } 
    

3. Network Forensics

  • Packet Capture Analysis (PCAP): pull out the SMB2 and RDP traffic (`-V` prints the full dissection of every matching packet, so narrow the filter or switch to `-T fields` for large captures):
    tshark -r attack.pcap -Y "smb2 || rdp" -V 
    
  • Detecting Lateral Movement via SMB: run Zeek over the capture, then read the logs it writes to the working directory (smb_files.log for files touched on shares such as ADMIN$ or C$, smb_mapping.log for tree connects, dce_rpc.log for the service-control calls PsExec makes):
    zeek -r traffic.pcap 
    cat smb_files.log 
    
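Once Zeek has written smb_files.log, the PsExec pattern (a service binary written to ADMIN$, later a dump read back over C$) is a few lines of log processing. The Python below is an added example, not code from the JPCERT sheet or this post: it parses Zeek's tab-separated ASCII format from the `#fields` header and flags executables written to administrative shares and dumps read from them. The four-record log excerpt, hosts, connection uids and sizes are constructed; the backslash decoding assumes Zeek's default ASCII escaping of `\` as `\\`, and `\xNN` escapes are left as-is.

```python
"""Flag PsExec-style activity in a Zeek smb_files.log: executables written to
administrative shares and memory dumps read back over them (added example, not
code from the JPCERT sheet or the original post; the log excerpt, hosts, uids,
names and sizes are constructed in Zeek's tab-separated ASCII format)."""
import re

# \\server\ADMIN$ or \\server\C$ once Zeek's escaping has been undone
ADMIN_SHARE = re.compile(r"\\(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)
EXEC_EXTS = (".exe", ".dll", ".bat", ".ps1", ".sys")
DUMP_EXTS = (".dmp", ".zip", ".7z")
WRITE_ACTIONS = {"SMB::FILE_OPEN", "SMB::FILE_WRITE"}
READ_ACTIONS = {"SMB::FILE_READ"}


def _row(*cols):
    return "\t".join(cols)


# Constructed smb_files.log: a normal document read, then PSEXESVC.exe pushed to
# ADMIN$ (open + write) and a 50 MB .dmp pulled back over C$ two minutes later.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#unset_field\t-",
    "#path\tsmb_files",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "fuid", "action", "path", "name", "size", "prev_name"),
    _row("1709284560.101", "Ca1b2c", "10.0.0.23", "49811", "10.0.0.50", "445", "F001",
         "SMB::FILE_READ", r"\\\\FS01\\Finance", "budget.xlsx", "40960", "-"),
    _row("1709284590.412", "Cd3e4f", "10.0.0.23", "49812", "10.0.0.50", "445", "F002",
         "SMB::FILE_OPEN", r"\\\\10.0.0.50\\ADMIN$", "PSEXESVC.exe", "0", "-"),
    _row("1709284590.455", "Cd3e4f", "10.0.0.23", "49812", "10.0.0.50", "445", "F002",
         "SMB::FILE_WRITE", r"\\\\10.0.0.50\\ADMIN$", "PSEXESVC.exe", "181320", "-"),
    _row("1709284712.008", "Cd3e4f", "10.0.0.23", "49812", "10.0.0.50", "445", "F003",
         "SMB::FILE_READ", r"\\\\10.0.0.50\\C$", r"Windows\\Temp\\l.dmp", "52428800", "-"),
    "#close\t2024-03-01-09-20-00",
])


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the #fields header; '-' (unset)
    becomes None and escaped backslashes are decoded (\\xNN escapes are not)."""
    fields = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield {k: (None if v == "-" else v.replace("\\\\", "\\"))
               for k, v in zip(fields, line.split("\t"))}


def detect_admin_share_abuse(records):
    """One alert per (rule, client->server, share, file); open+write of the
    same file collapse into one alert carrying the largest observed size."""
    merged = {}
    for r in records:
        path, name, action = r.get("path") or "", r.get("name") or "", r.get("action") or ""
        if not ADMIN_SHARE.search(path):
            continue
        base = name.rsplit("\\", 1)[-1].lower()
        if action in WRITE_ACTIONS and base.endswith(EXEC_EXTS):
            rule = "exec_to_admin_share"
        elif action in READ_ACTIONS and base.endswith(DUMP_EXTS):
            rule = "dump_read_from_admin_share"
        else:
            continue
        key = (rule, r["id.orig_h"], r["id.resp_h"], path, name)
        size = int(r.get("size") or 0)
        if key not in merged or size > merged[key]["size"]:
            merged[key] = {"rule": rule, "pair": (r["id.orig_h"], r["id.resp_h"]),
                           "share": path, "file": name, "size": size, "ts": r["ts"]}
    return list(merged.values())


if __name__ == "__main__":
    for a in detect_admin_share_abuse(parse_zeek_log(SAMPLE_LOG)):
        print(a)
```

Reading column names from `#fields` rather than hard-coding positions keeps the parser working when a Zeek deployment adds or reorders columns. Correlating the client/server pair across both alerts is what distinguishes this from a noisy "executable on a share" rule: the host that pushed the service binary is the one that later pulled the dump.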

4. Memory Forensics (Volatility)

  • Check for credential dumping (`mimikatz` is a community plugin for Volatility 2 and must be loaded with `--plugins`; Volatility 3 ships `windows.hashdump` and `windows.lsadump` instead; `<plugin-dir>` is a placeholder):
    volatility --plugins=<plugin-dir> -f memory.dump --profile=Win10x64_19041 mimikatz 
    
  • List processes by pool-tag scanning so hidden or unlinked ones show up (diff the result against `pslist`; injected code regions are the job of `malfind`):
    volatility -f memory.dump --profile=Win10x64_19041 psscan 
    

What Undercode Says

Forensic artifact analysis remains critical in detecting post-exploitation activities. Key takeaways:

  • Persistence Checks: Always review `Run` keys, scheduled tasks, and service installations (Event ID 7045 in the System log).
  • Log Aggregation: Centralize logs (ELK, Splunk) for faster correlation.
  • Automated Detection: Use Sigma rules for log-based TTPs and YARA for files and memory.
  • Memory Forensics: Don’t ignore RAM dumps; Mimikatz and Cobalt Strike leave traces.

Expected Output:

  • A structured forensic report detailing file changes, registry modifications, and suspicious network traffic.
  • Detection rules (Sigma/YARA) for future threat hunting.

Prediction

As attackers evolve, forensic telemetry will shift towards cloud-based artifacts (Azure AD, AWS CloudTrail). Expect more focus on containerized attacks (Kubernetes, Docker) in future DFIR investigations.

Reported By: Kostastsale Tool – Hackers Feeds