Lateral Movement Techniques

What Is Lateral Movement

Lateral movement is defined by the MITRE ATT&CK framework as an attacker’s behavior once they have penetrated a victim’s network to search for assets with tools and techniques that will allow them to move without being recognized by security products.

The Attack Kill Chain

This is part of an extensive series of guides about Network Attacks

Taking a step back

To gain an in-depth understanding of lateral movement, it’s best to analyze the attack from the attacker’s perspective. This is necessary to deal with sophisticated adversaries that occasionally form as APT groups.

Success in these attacks requires comprehensive planning and quality intelligence. Adversaries must first scout out a target based on the space, time, and resources available to them. Before carrying out an attack, they will perform several “quiet” actions:

• Gain Information about the target – whether the organization is commercial, health-care, government, political, social, gender, etc.
• Examine the victim’s essential assets – sensitive assets that are a weak point and would be detrimental if they’re lost, such as personal information of customers, sensitive private medical information, national intelligence information, embarrassing information about public and political figures, etc.
• Check for vulnerabilities in a victim’s defenses that can be pentrated – Operating systems, services, CVE exploitation, supply chains. We can even observe APT groups using HUMINT and SIGINT techniques when the target is a nation-state or conglomerate business.
• The optimal time for attack execution – when the victim is least active, holidays, vacations, weekends, symbolic memorial days
• Following the collection and analysis of findings, attackers can choose the best attack technique for each phase in the attack life-cycle.
• Data collection and evidence concealment – The attacker will move laterally around the network to extract the information they need. Once they’re done attackers will delete any evidence of their attack.

Lateral Movement Techniques - Mitre Classified

Throughout this article, we will examine several of the lateral movement techniques and illustrate how an attacker can move laterally within a network to obtain information and execute commands. The demonstration will be performed on the MITRE ATT&CK® sub-techniques T1021.002, T1550.002, and T1550.003

Essential basic concepts

Remote Services – services that aim to connect between two hosts remotely and conduct connections between them like Telnet and SSH. Adversaries with valid accounts can utilize them to perform malicious actions.

Server Message Block (SMB) – A network file-sharing protocol in Windows OS that allows users/applications to access network shares (files, folders, printers, device sharing) to apply actions to files (read, write). Adversaries with appropriate permissions can utilize SMB to move laterally throughout the network/domain and exfiltrate restricted data.

Windows Admin Shares– Network shares (Disk volumes, OS folders, Fax caches, IPC shares, Printers folders, Domain controller shares) in windows OS that are hidden and restricted in access to users who are not under administrative groups. These provide attackers with the ability to perform administrative actions in any system connected to the network. Adversaries granted administrative privileges can access network shares via authenticated SMB sessions and remotely execute commands and binaries via authenticated RPC sessions as it would execute locally.

SMB and RPC services status check:

To verify the SMB protocol is enabled for utilization, it can be tested by a basic command as follows:

Using the utility Netstat that displays protocol statistics and current TCP/IP network connections, we can simply review if RPC on port 135 is enabled:

Types Of Hidden Administrative Shares Windows Enables:

Windows OS has multiple default network shares built in which allow files and folders to be shared between different machines.

How do we recognize Hidden Shares? They are identified by a dollar sign ($) attached at the end of the shared name.

• Root partitions or volumes – Each of the disk’s volumes has a share of the same name as each drive letter with a dollar sign appended to the end. for example, drives C, E, and F has a hidden admin share represented by C$, E$, and F$.

• OS Folder – The folder where Windows OS files are stored (%systemroot%) will be shared as admin$

• Fax cache – The shared folder that stores the caches for fax and cover pages will be shared as Fax$

• Inter-process communication (IPC) shares – IPC stands for inter-process communication and is aimed at the occasional interaction between clients and servers, applications and services over network-connected PCs. Enabled via SMB protocol, will be shared as IPC$.

• Printers folder – refers to the printer drivers. Install files and management of the printers over the network will be shared as print$

An attacker who obtains a valid administrator account can access the hidden resources and read and write to these files or exfiltrate all the data stored within. More than that, once attackers obtain a valid admin account, they can use a simple command to elevate it to NT Authority/System account privileges. This allows them to delete, rename, copy, and overwrite system/registry key files under system privileges.

Disclaimer

In the examples below, you will watch several of attack scenario simulations that causes alerts to be triggered. The attacks were not stopped, even though an alert was generated. It’s important to acknowledge that Cynet’s prevention capabilities have been disabled for the purpose of this article. If the prevention mechanisms were enabled, none of the attacks would have been succeeded.

T1021.002: SMB/Windows Admin Shares

Inherently built into Windows operating systems, SMB protocol enabling and windows admin shares are very common in large organizations since they allow for users who are under local computer Administrators group quick access to every disk volume within the corporate network-connected system. From there, an adversary just needs to acquire appropriate permissions and the organization is “transparent” to them. They can leak information, write malicious programs within admin hidden shares to execute commands on remote systems, schedule tasks and establish persistence.

PsExec- The Weaponized Tool

PsExec – a lightweight telnet – is part of the PsTool suite that allows administrators to access and manage remote machines within the network, and fully interacts with a device without their users being aware. Unlike other remote control programs, PsExec doesn’t require the hassle of local installation, making it a powerful tool for lateral movement throughout the network. Once adversaries have managed to initiate access into an exploited machine and acquire appropriate privileges, a connection can be made against any remote machine on the network simply by launching a command prompt console and moving laterally, extracting information, running commands, installing software and executing processes.

Access accomplished- gain shell- from the machine(Compromised-Lab/IP 172.16.121.137) to the remote machine (Host1-Lab 172.16.121.136). As you can see, user Mauriceg (the attacker) is running on a different machine with his account:

PsExec Demo:

T1550.002: Use Alternate Authentication Material: Pass the Hash

A hacking technique known as “pass the hash” (PtH) enables an attacker to log in as a user without knowing the cleartext password, targeting LM and NTLM-enabled Windows EPS. The attack exploits a vulnerability in the authentication protocol that causes password hashes to remain identical between login sessions and to be changed only when the user changes the password. Bypassing the traditional authentication phases, this method moves directly to the authentication process using a hashed password instead of a cleartext password. Indeed, it obviates the need to use methods that target cleartext passwords (like Brute-Force) but simply exfiltrates the hash and uses it for authentication. This technique can be implemented against most servers or services that accept LM or NTLM authentication, no matter if they run under Windows, Unix, or any other operating system. However, such attacks are more popular against Windows operating systems that hash and store passwords in diverse locations such as Credential Manager, LSASS, SAM/SERVICE(under c:\Windows\System32\Config\).

How does it work? To accomplish the attack and to perform a lateral movement, an attacker must have authority to move across the network which they can obtain through admin privileges. So, the attacker must get access to a system where a domain administrator has an active session established and to steal his identity. One of the most powerful and commonly used tools used today is Mimikatz. This is an open-source hacking tool that allows dumping credentials from memory either in plain text or password hash.

Stage 1: Attacker sends phishing email to User1 that executes the malware. The attacker has rights to his account.

Stage 2: Attacker dumps the passwords stored in User1 memory, forges User2 NTLM hash and authenticates as User2.

Stage 3: Attacker dumps the passwords stored in user 2 memory, forges User3 NTLM hash and authenticates as User3.

Stage 4: Attacker dumps the passwords stored in User 3 memory, forges AD_ADM NTLM hash and authenticates as AD_ADM.

Pass the Hash Demo:

T1550.003: Use Alternate Authentication Material: Pass the Ticket

Pass the Ticket is a hacking technique to steal accounts credentials without obtaining the user’s cleartext password. It targets the active directory by manipulating the Kerberos authentication protocol. With this technique, the attacker steals the Kerberos tickets and utilizes them to move laterally throughout the network. Kerberos has two associated tickets depending on the user’s access privileges:

1)Ticket-granting ticket (TGT) – has the right to request a service ticket from the TGS.

2) Ticket Granting Service (TGS) – can get access to a particular service/resource that the user is allowed to log in to the domain.

During the PtT attack, adversaries aim to extract from LSSAS memory valid Kerberos tickets so that they can use them for authentication. They can obtain all of a specific user’s TGT and TGS tickets without admin privileges. However, once they do elevate to admin privileges they can dump from the LSSAS memory all Kerberos tickets cashed in the system

There are two exploitation methods used against Kerberos ticket types, commonly known as Golden Ticket and Silver Ticket

Golden Ticket attack – A technique that aims to forge the krbtgt account that is responsible for encrypting Kerberos tickets. A krbtgt account is generated by the third-party secret shared with Kerberos protocol named Key Distribution Center (KDC). Compromising the krbtgt password hash lets the attacker gain access to powerful capabilities, including access to the Active Directory itself, which lets them create, modify, disable users, accounts, services, resources, etc.

Silver Ticket attack– can be acquired to access services/resources or the system that hosts them using Kerberos to generate tickets for their authentication validation. An attack intended to counterfeit Ticket Granting Services (TGS) which are for a unique service. TGS tickets are protected with encryption, so the challenge for the attacker is to steal the password hash of the TGS for the particular service (SharePoint, MSSQL, etc)

Pass the Ticket Demo:

Cynet vs Lateral Movement

To realize the lateral movement tactic, adversaries will have to use tools that let them manipulate the host and system (it will be significantly more challenging to do without them). The below scenarios show an example of how Cynet blocks the powerful hacking tool Mimikatz (which is used to forge users’ credentials and move laterally through the network). Additionally, Cynet offers an accessible user interface (UI) that records all malicious detection for further analysis.

1. An attempt to run the Hacktool Mimikatz – Cynet blocked the execution

The Cynet UI displays the alert detected with all information regarding attempted Mimikatz execution: the process tree, the user who attempted to execute, the notice that Cynet blocked the activity, etc.

1. An attempt to dump all password information stored in the system. Cynet blocked Mimikatz access to the LSSAS process.

Cynet UI- displays all the details about the malicious activity

Lateral Movement in The wild

SolarWinds Supply Chain Attack

It is probably ranked as one of the most widespread and well-known cyber and intelligence espionage attacks in history, affecting hundreds of private and governmental organizations worldwide. The threat actors behind the SolarWinds supply chain attack used a Backdoor loader named Reinendrop, which moved, deployed and distributed cobalt strike beacons laterally across the network.

NotPetya Ransomware

Companies and governmental organizations in France, Ukraine, Russia and Germany were hit in June 2017 by a major ransomware attack named Petya that affected the entire corporate network, impacting both computers and servers to the point of causing domain control. The ransomware was propagated via PsExec.

Masrv

A new Trickbot module recently discovered. The component, called masrv, hosts a copy of the open-source Masscan utility that can be used to scan local networks for any systems with open ports that may be exploited later on. Once it finds open ports it transmits the results to Trickbot’s C2 server, deploys modules that specialize in exploiting and moves laterally throughout the corporate network to infect additional systems.