Hunting Attacker Activities – Methods for Discovering and Detecting Lateral Movements

When attackers intrude into a network by APT attack, malware infection spreads to many hosts and servers. In incident investigations, it is important to examine what actually happened during lateral movement through log analysis and forensic investigation of infected hosts. However, in many cases, there may not be sufficient logs left on the host, which makes it difficult to reveal what attackers did on the network.
Therefore, we investigated attackers’ activities after network intrusion by investigating C2 servers and decoding the malware communication. As a result, we found that there are some common patterns in lateral movement methods and tools that are often used.
In addition, we analyzed the tools and Windows commands and investigated the logs recorded on the host upon execution. As a result, it was revealed that the tools’ execution logs are not recorded with the Windows default settings.

This presentation will explain some attack patterns and typical tools used in lateral movement that are identified through our research. We will also demonstrate how to investigate or detect incidents where such tools and commands are used.


Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware analysis and technical findings on JPCERT/CC’s Blog (http://blog.jpcert.or.jp/). Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, PacSec and FIRST Conference.
Keisuke Muda is an analyst of the Security Operation Center at Internet Initiative Japan Inc. (IIJ), an Internet service provider company in Japan. As a member of IIJ SOC, he analyzes logs sent from various devices installed at IIJ SOC customers’ networks. He also researches and investigates vulnerabilities on software, and when a critical security hole was discovered, he analyzes and summarizes them to share with IIJ customers to ensure their security. Before becoming an analyst, he was working on the system integration. With the background, he also takes roles on enhancing IIJ SOC services and its infrastructures.

Print Friendly, PDF & Email