A Forensic Analysis of APT Lateral Movement in Windows Environment (presented at FIRST 2014)

by Junghoon Oh

Summary: In an APT campaign, "lateral movement" is the behavior of compromising further systems after the initial compromise inside the target organization's internal network. Unfortunately, this behavior is difficult to distinguish from normal activity because it uses the normal protocols of the Windows environment. Therefore, if an investigator finds traces of lateral movement, he can trace back to the initially compromised system and, from a DFIR point of view, understand the attack technique used in the initial compromise. As a consequence of this tracing, the root cause of the attack can be removed. In this session, Junghoon Oh will introduce existing lateral movement techniques and explain a digital forensic methodology for tracking their traces. In addition, a real case to which the methodology was applied will be presented.