Loading…
Botconf 2017 has ended
View analytic
Friday, December 8 • 12:30 - 13:00
Hunting Attacker Activities - Methods for Discovering, Detecting Lateral Movements

Log in to save this to your schedule and see who's attending!

Feedback form is now closed.
When attackers intrude into a network by APT attack, malware infection spreads to many hosts and servers. In incident investigations, it is important to examine what actually happened during lateral movement through log analysis and forensic investigation of infected hosts. However, in many cases, there may not be sufficient logs left on the host, which makes it difficult to reveal what attackers did on the network.
Therefore, we investigated attackers’ activities after network intrusion by investigating C2 servers and decoding the malware communication. As a result, we found that there are some common patterns in lateral movement methods and tools that are often used.
In addition, we analyzed the tools and Windows commands and investigated the logs recorded on the host upon execution. As a result, it was revealed that the tools’ execution logs are not recorded with the Windows default settings.

This presentation will explain some attack patterns and typical tools used in lateral movement that are identified through our research. We will also demonstrate how to investigate or detect incidents where such tools and commands are used.

Speakers
avatar for Keisuke Muda

Keisuke Muda

Analyst, Internet Initiative Japan (IIJ)
Keisuke Muda is an analyst of the Security Operation Center at Internet Initiative Japan Inc. (IIJ), an Internet service provider company in Japan. As a member of IIJ SOC, he analyzes logs sent from various devices installed at IIJ SOC customers’ networks. He also researches and... Read More →
avatar for Shusei Tomonaga

Shusei Tomonaga

Malware Analyst / Forensic Investigator, JPCERT/CC
Shusei Tomonaga is a member of the Analysis Center of JPCERT/CC. Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. In addition, he has written up several posts on malware... Read More →


Friday December 8, 2017 12:30 - 13:00
Corum Allée du Saint-Esprit, 34000 Montpellier, France