Handout C: Windows Event Log - Lateral Movement
Security event log (Event IDs 4624 and 4625) showing the attacker's lateral movement from the initial compromised workstation to file servers and domain controllers using stolen credentials.
Windows Security Event Log (Event Viewer - Security Log)
Windows Server 2008 - Security Event Log (the 4624/4625 event IDs shown here exist on Windows Vista / Server 2008 and later; a Windows Server 2003 host records the same successful logons as Event IDs 528 and 540)
Network: Advanced Materials Technology Corporation
Log Period: September 14-15, 2011 (First 48 hours of compromise)
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 10:56:15
Logon Type: 2 (Interactive - console logon at the keyboard)
User: AMTC\jmiller (James Miller - Research Engineer)
Computer: RESEARCH-WKS-12
Workstation: RESEARCH-WKS-12
Source Network Address: 127.0.0.1
Source Port: 0
Status: SUCCESS [Normal console logon at the user's own workstation; his password and NTLM hash are now cached in LSASS on this already-compromised host]
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 11:02:47
Logon Type: 3 (Network - SUSPICIOUS)
User: AMTC\jmiller
Computer: FILE-SERVER-01 (Engineering research file server)
Workstation: RESEARCH-WKS-12
Source Network Address: 192.168.1.105 (RESEARCH-WKS-12)
Source Port: 13457
Status: SUCCESS [Network logon with jmiller's harvested credentials]
Access Level: Standard user privileges (but user has access to sensitive research files)
[ATTACKER ACTIVITY] Lateral Movement Begins
The attacker on RESEARCH-WKS-12 uses credentials harvested on the compromised
workstation (keylogged password or NTLM hash dumped from LSASS) to authenticate to the
file server over the network. No VPN required; both systems are on the same internal
network with no access control between them.
────────────────────────────────────────────────────────────────────────────────
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 11:15:33
Logon Type: 3 (Network - SUSPICIOUS)
User: AMTC\jmiller
Computer: FILE-SERVER-02 (Materials research and specification files)
Workstation: RESEARCH-WKS-12
Source Network Address: 192.168.1.105 (RESEARCH-WKS-12)
Source Port: 13467
Status: SUCCESS [Attacker authenticating with jmiller credentials to second server]
[ATTACKER ACTIVITY] Expanding Access
Attacker now has access to two file servers containing:
- Composite material specifications
- Aerospace project files
- Research data worth millions
────────────────────────────────────────────────────────────────────────────────
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 11:47:22
Logon Type: 2 (Interactive - CRITICAL)
User: AMTC\dpark (David Park - Research Director - PRIVILEGE ESCALATION)
Computer: RESEARCH-WKS-12
Workstation: RESEARCH-WKS-12
Source Network Address: 127.0.0.1
Source Port: 0
Status: SUCCESS [David Park logs on at the compromised workstation; the attacker harvests his credentials]
[ATTACKER ACTIVITY] Privilege Escalation
This is significant: David Park is a Research Director with higher access levels.
The attacker's keylogger captured his typed password, and his NTLM hash was dumped from
LSASS, when he logged on to RESEARCH-WKS-12 for a meeting. The attacker can now
impersonate David Park across the network.
────────────────────────────────────────────────────────────────────────────────
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 12:15:09
Logon Type: 3 (Network - CRITICAL)
User: AMTC\dpark
Computer: FILE-SERVER-03 (Director-level access - Executive/Strategic documents)
Workstation: RESEARCH-WKS-12
Source Network Address: 192.168.1.105 (RESEARCH-WKS-12)
Source Port: 13501
Status: SUCCESS [Attacker now accessing executive-level file server]
[ATTACKER ACTIVITY] Access to Strategic Data
Using stolen director credentials, attacker now accesses:
- Executive briefings on contracts and clients
- Strategic partnership information
- Defense contractor relationships
- Pricing and contract terms
- Competitive intelligence on other contractors
────────────────────────────────────────────────────────────────────────────────
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 13:22:44
Logon Type: 3 (Network - CRITICAL SECURITY BREACH)
User: AMTC\administrator
Computer: DC01 (Domain Controller - NETWORK COMPROMISE COMPLETE)
Workstation: RESEARCH-WKS-12
Source Network Address: 192.168.1.105 (RESEARCH-WKS-12)
Source Port: 13512
Status: SUCCESS [DOMAIN ADMIN ACCESS ACHIEVED]
[ATTACKER ACTIVITY] Domain Compromise
The attacker obtained domain administrator credentials on the compromised workstation by:
1. Harvesting them when an administrator logged on to RESEARCH-WKS-12 (the keylogger captures the typed password)
2. Or: dumping the admin account's NTLM hash from the workstation's LSASS memory
3. The hash alone is enough: a pass-the-hash attack authenticates with it directly, without ever cracking the password
With domain admin access, the attacker can:
- Access all 200+ computers on the network
- Create new accounts
- Modify group policies
- Deploy ransomware or additional malware
- Exfiltrate sensitive data from anywhere on the network
────────────────────────────────────────────────────────────────────────────────
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 14:05:16
Logon Type: 3 (Network)
User: AMTC\administrator
Computer: FILE-SERVER-04 (Complete Engineering Database)
Workstation: DC01
Source Network Address: 192.168.1.10 (DC01)
Source Port: 13533
Status: SUCCESS [Attacker, now operating from DC01, copies the entire engineering database for exfiltration; the 4624 itself records only the logon]
[EVENT ID 4624] - Successful logon
Time: 2011-09-14 14:45:33
Logon Type: 3 (Network)
User: AMTC\administrator
Computer: FILE-SERVER-05 (Finance/Contract/Client Database)
Workstation: DC01
Source Network Address: 192.168.1.10 (DC01)
Source Port: 13545
Status: SUCCESS [Attacker copies the financial and contract data for exfiltration]
────────────────────────────────────────────────────────────────────────────────
[SUMMARY] Lateral Movement Timeline
T+0 min (10:56): First record; RESEARCH-WKS-12 already compromised
T+6 min (11:02): Attacker on FILE-SERVER-01 (research files)
T+19 min (11:15): Attacker on FILE-SERVER-02 (more research files)
T+51 min (11:47): Attacker harvests David Park's credentials (privilege escalation)
T+79 min (12:15): Attacker on FILE-SERVER-03 (executive documents)
T+146 min (13:22): Attacker on DC01 (domain controller - total network compromise)
T+189 min (14:05): Attacker exfiltrating engineering database
T+229 min (14:45): Attacker exfiltrating finance/contracts database
From first record on the compromised workstation to domain admin: 2 HOURS 26 MINUTES
IM NOTES (Do Not Show to Players): Critical security insights:
Rapid Lateral Movement: The attacker went from one compromised workstation to domain admin in under 2.5 hours. This is documented behavior from the Nitro Attacks.
Credential Harvesting: Poison Ivy's keylogger and credential stealer harvested passwords (and NTLM hashes from LSASS) as users logged on to the compromised workstation. These credentials were used for lateral movement within minutes.
Privilege Escalation: The attacker didn't just use the initial user's credentials. They escalated by harvesting other users' credentials (David Park, then a domain administrator) as those users logged on to the same compromised host.
Network Penetration: No firewall between network segments. The attacker could authenticate across the entire network using stolen credentials.
Domain Admin Achievement: Once domain admin was compromised, game over. The attacker could access any system on the network.
Time to Exfiltration: Defenders often plan as if they have days or weeks to respond. This attacker exfiltrated critical data in HOURS.
This pattern matches Symantec's analysis of the Nitro Attacks: initial compromise at 09:00, domain admin by 11:30, data exfiltration beginning at 14:00 the same day. Some defenders only discovered the compromise days later when external threat intelligence reported suspicious activity.
Network Visualization: Lateral Movement Path
ATTACK PROGRESSION:
Step 1: Initial Compromise
┌─────────────────────────┐
│ RESEARCH-WKS-12 (James) │ ← Phishing email, Poison Ivy installed
│ Privilege: User         │
│ Status: COMPROMISED     │
└────────────┬────────────┘
             │ [Harvested credentials: jmiller, dpark, admin]
             │
             ├── FILE-SERVER-01 (jmiller credentials)
             │   [Access: Research files - copied]
             │
             ├── FILE-SERVER-02 (jmiller credentials)
             │   [Access: Material specs - copied]
             │
             ├── FILE-SERVER-03 (dpark credentials)
             │   [Access: Executive documents - copied]
             │
             └── DC01 (Domain Controller) (admin credentials)
                 [CRITICAL] Domain admin access achieved
                 │
                 ├── FILE-SERVER-04 [Engineering Database - EXFILTRATED]
                 │
                 └── FILE-SERVER-05 [Finance/Contracts - EXFILTRATED]
Result: Entire network compromised, all sensitive data exfiltrated
within 4 hours of initial infection.
Key Discovery Questions
- How did the attacker go from one compromised user to domain admin in 2 hours?
- Credential harvesting: Poison Ivy captured passwords/hashes as other users logged in
- Poor segmentation: No firewall or access controls between network segments
- Password reuse: Administrators likely used same password across systems
- No multi-factor authentication: Single password was sufficient for any system
- Privilege escalation: Once higher-privilege user credentials were obtained, game over
- What event log indicators would detect this attack in progress?
Red flags that should trigger immediate response:
- Multiple failed logons (4625): an attacker guessing or replaying a wrong password
- Logons from unusual sources: dpark's account authenticating from a research engineer's workstation instead of his own
- Privileged logons from the wrong tier: a domain admin account logging on to DC01 (4624, logon type 3) with a user workstation as the source
- Off-hours access: domain admin accessing servers at 2 AM
- Rapid credential usage: the same account logging on to several servers within minutes
- Unusual access patterns: a user accessing data they normally don't touch
- Impossible travel: a user in one location, then 10 seconds later in a different one
But: most organizations don't have good log analysis. Sysadmins are overwhelmed with false positives.
- How would you have prevented domain admin compromise?
- Multi-factor authentication: even with a stolen password, the attacker can't log on without the second factor
- Privileged Access Workstations (PAWs): admin credentials are never typed on user workstations, so they are never present there to be harvested
- Just-In-Time admin access: temporary, time-limited elevation instead of standing admin accounts
- Network segmentation: separate network for sensitive systems, with file servers and domain controllers reachable only from authorized hosts
- Credential Guard: isolates NTLM hashes and Kerberos tickets from LSASS so they cannot be dumped (Windows 10 / Server 2016 and later); note that it does not stop a keylogger from capturing a typed password
- Behavioral monitoring: detect unusual admin activity
- EDR solution: detect lateral movement tools and techniques
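As an added example for this handout (not part of the original exercise material), the following Python script parses 4624 records in the XML form that wevtutil and Get-WinEvent produce and runs three of the red-flag checks above over records constructed to mirror the handout's timeline: rapid fan-out of one account across several servers, an account active from a workstation that is not its own, and a privileged account logging on from anything other than a PAW. It also computes the elapsed time from the first record to the domain-controller logon. The assigned-workstation map, the PAW list and the privileged-account list are assumptions about the exercise network; the two console logons at RESEARCH-WKS-12 are recorded as logon type 2 (interactive), as a real Security log would record them.

```python
"""Detection logic for the Handout C lateral-movement pattern, run over 4624 records.
Added example for this handout, not part of the original exercise material. The event
records are constructed to mirror the handout's timeline; the asset map, privileged-account
list and PAW list are assumptions about the exercise network."""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Element layout that wevtutil and Get-WinEvent's ToXml() emit for a Security 4624 event.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>'
    '<TimeCreated SystemTime="{ts}"/><Computer>{computer}</Computer></System>'
    '<EventData><Data Name="TargetDomainName">AMTC</Data><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="LogonType">{ltype}</Data><Data Name="WorkstationName">{wks}</Data>'
    '<Data Name="IpAddress">{ip}</Data></EventData></Event>'
)

# Constructed records mirroring the handout: (time, computer logged on to, account, logon type,
# workstation the logon came from, source address). Console logons are type 2, network logons type 3.
SAMPLE_XML = [TEMPLATE.format(ts=t, computer=c, user=u, ltype=l, wks=w, ip=ip) for t, c, u, l, w, ip in [
    ("2011-09-14T10:56:15Z", "RESEARCH-WKS-12", "jmiller", 2, "RESEARCH-WKS-12", "127.0.0.1"),
    ("2011-09-14T11:02:47Z", "FILE-SERVER-01", "jmiller", 3, "RESEARCH-WKS-12", "192.168.1.105"),
    ("2011-09-14T11:15:33Z", "FILE-SERVER-02", "jmiller", 3, "RESEARCH-WKS-12", "192.168.1.105"),
    ("2011-09-14T11:47:22Z", "RESEARCH-WKS-12", "dpark", 2, "RESEARCH-WKS-12", "127.0.0.1"),
    ("2011-09-14T12:15:09Z", "FILE-SERVER-03", "dpark", 3, "RESEARCH-WKS-12", "192.168.1.105"),
    ("2011-09-14T13:22:44Z", "DC01", "administrator", 3, "RESEARCH-WKS-12", "192.168.1.105"),
    ("2011-09-14T14:05:16Z", "FILE-SERVER-04", "administrator", 3, "DC01", "192.168.1.10"),
    ("2011-09-14T14:45:33Z", "FILE-SERVER-05", "administrator", 3, "DC01", "192.168.1.10"),
]]

# Assumed context for the exercise network (the handout does not state these).
ASSIGNED_WORKSTATION = {"jmiller": "RESEARCH-WKS-12", "dpark": "DIRECTOR-WKS-01"}
PRIVILEGED_ACCOUNTS = {"administrator"}
PAW_HOSTS = {"PAW-01"}          # the only hosts admin accounts may log on from
DOMAIN_CONTROLLERS = {"DC01"}


def parse_4624(xml_text):
    """Extract the fields the detections need from one 4624 event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    return {
        # Real records carry 100 ns fractions ("...15.1234567Z"); keep only whole seconds.
        "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S"),
        "computer": system.find("e:Computer", NS).text,
        "user": data["TargetUserName"].lower(),
        "logon_type": int(data["LogonType"]),
        "workstation": data["WorkstationName"],
        "ip": data["IpAddress"],
    }


def origin_host(ev):
    """Host the logon came from: the remote workstation for a network logon, the computer itself for console."""
    return ev["workstation"] if ev["logon_type"] == 3 else ev["computer"]


def fan_out(events, window_minutes=60, threshold=2):
    """Rapid credential use: an account reaching >= threshold distinct hosts over the network inside the window."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ev in events:
        if ev["logon_type"] == 3:
            by_user.setdefault(ev["user"], []).append(ev)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):          # sliding window anchored at each logon
            targets = {e["computer"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(targets) >= threshold:
                hits.setdefault(user, set()).update(targets)
    return {u: sorted(t) for u, t in hits.items()}


def foreign_workstation(events):
    """Account active from a host that is not its assigned workstation (dpark on a research engineer's PC)."""
    return sorted((ev["time"].strftime("%H:%M:%S"), ev["user"], origin_host(ev), ev["computer"])
                  for ev in events
                  if ev["user"] in ASSIGNED_WORKSTATION and origin_host(ev) != ASSIGNED_WORKSTATION[ev["user"]])


def admin_off_paw(events):
    """Privileged account logging on over the network from anything other than a PAW."""
    return sorted((ev["time"].strftime("%H:%M:%S"), ev["workstation"], ev["computer"])
                  for ev in events
                  if ev["user"] in PRIVILEGED_ACCOUNTS and ev["logon_type"] == 3
                  and ev["workstation"] not in PAW_HOSTS)


def time_to_domain_admin(events):
    """Elapsed time from the first record to the first privileged network logon on a domain controller."""
    start = min(ev["time"] for ev in events)
    on_dc = [ev["time"] for ev in events if ev["computer"] in DOMAIN_CONTROLLERS
             and ev["user"] in PRIVILEGED_ACCOUNTS and ev["logon_type"] == 3]
    return min(on_dc) - start if on_dc else None


EVENTS = [parse_4624(x) for x in SAMPLE_XML]
```

Run with the sample records, fan_out flags jmiller (two file servers within 13 minutes) and administrator (DC01 and two file servers within the hour), foreign_workstation flags both of dpark's logons, admin_off_paw flags all three administrator logons, and time_to_domain_admin returns 2 h 26 min 29 s. Tightening the fan-out window to 30 minutes drops administrator, which is the usual tuning trade-off: a shorter window means fewer false positives from legitimate admins touching several servers but misses a slower attacker. In a real deployment the records would come from Get-WinEvent or a SIEM export rather than the inline template, and the asset map from a CMDB.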
IM Facilitation Notes
This handout shows:
- Rapid lateral movement once initial foothold established
- Credential harvesting enabling privilege escalation
- Importance of defense-in-depth
- Network segmentation criticality
- Why domain admin compromise is total network failure
- Speed of modern APT operations (hours, not days)