One of the most curious elements of this year’s Verizon Data Breach Investigations Report (DBIR) was the inclusion of a new attack pattern, “system intrusions.”
Representatives from Verizon identified the category as a broad one that tends to include attacks with many steps, indicating significant lateral movement within the network. Research shows that many recent high-profile attacks involved lateral movement, including the Colonial Pipeline attack, the SolarWinds attack, and the Microsoft Exchange breach.
“Smash and grab” attacks used to be widespread: attackers would enter the network and steal/encrypt any data they could get their hands on. The rise of more sophisticated attackers, Ransomware 2.0, and other advanced threats has changed this.
Attackers are now more willing (and able) to move around the network undetected, looking for the most valuable data to steal. They conduct reconnaissance, look for exposed or otherwise vulnerable credentials, and escalate their privileges, often targeting Active Directory (AD), which means complete domain dominance if they succeed.
Today’s Lateral Movement Tactics: Be Warned
Protecting against today’s most dangerous lateral movement tactics is increasingly critical, with AD as vulnerable as it is. Attackers use a wide range of strategies to move about undetected.
The list below covers a selection of the most common and potentially damaging tactics. For defenders, knowing what to look for is the first step toward more effective network protection. Fortunately, frameworks like MITRE ATT&CK and MITRE Shield have provided valuable insight into many of these tactics.
1) Windows Management Instrumentation
MITRE defines Windows Management Instrumentation (WMI) as “a Windows administration feature that provides a uniform environment for local and remote access to Windows system components.”
MITRE notes that “it relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access.” An attacker looking to interact with both local and remote systems can use WMI to perform functions that include information gathering and remote file execution.
2) Remote Service Creation
Attackers can execute a binary, command, or script by interacting with Windows services (such as the Service Control Manager) to create a new service, which lets them execute code remotely and move laterally across the environment, or maintain persistence using the Windows sc.exe utility.
Attackers first copy the file to the remote system, then create and start the service using Remote Procedure Calls (RPC), Windows Management Instrumentation (WMI), or PsExec.
3) Remote Desktop Protocol
Remote desktops are commonplace today, allowing users to log into an interactive session remotely. Unfortunately, attackers can use stolen credentials and account information to exploit the remote desktop protocol (RDP), connect to the system, and expand their access.
Today’s attackers use stolen credentials at an alarming rate, often to exploit RDP and usually as a persistence mechanism.
4) PowerShell Remoting
PowerShell (PS) Remoting is essentially a native Windows remote command execution feature built on top of the Windows Remote Management (WinRM) protocol. PowerShell remoting allows attackers to access the console of another computer just like any other terminal service and execute commands or PS scripts.
5) Task Scheduler
Users who want to schedule a program or script to run at a specified date and time use the task scheduler functionality included with all major operating systems.
Unfortunately, attackers can also take advantage of this function to schedule malicious code execution. MITRE notes that “adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).”
6) PsExec
PsExec is a tool included in the Sysinternals Suite. While initially intended as a convenience tool for system administrators to perform maintenance tasks by running commands on remote hosts, it has become the standard tool for network pivoting—using one compromised system as a foothold to compromise other devices further. Attackers can use PsExec to create and start Windows services and run their code on another system as part of lateral movement.
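For defenders, the copy-then-create-service sequence described under Remote Service Creation and PsExec leaves a recognizable pair of Windows events: a network logon (4624, logon type 3) followed shortly by a service install (7045) on the same host. The triage below is an added example, not part of the original article; the sample records, host names, and the suspicious-path patterns are constructed assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records; hosts, accounts and paths are made up. 4624 is a
# successful logon (Security log), 7045 a service install (System log).
T = datetime.fromisoformat
SAMPLE = [
    {"time": T("2021-06-01T02:14:03"), "host": "FS01", "id": 4624,
     "logon_type": 3, "user": "CORP\\jdoe", "src": "10.0.5.23"},
    {"time": T("2021-06-01T02:14:09"), "host": "FS01", "id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": T("2021-06-01T03:00:00"), "host": "FS01", "id": 7045,
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"time": T("2021-06-01T04:30:10"), "host": "WEB02", "id": 4624,
     "logon_type": 3, "user": "CORP\\svc_web", "src": "10.0.5.23"},
    {"time": T("2021-06-01T04:30:15"), "host": "WEB02", "id": 7045,
     "service": "updsvc", "image": r"cmd.exe /c C:\Windows\Temp\u.bat"},
]

# Heuristic patterns (assumptions for this example, not an exhaustive list).
SUSPICIOUS = re.compile(
    r"psexesvc|\\temp\\|\\users\\public\\|admin\$|cmd(\.exe)?\s+/c|powershell",
    re.IGNORECASE)

def triage_service_installs(events, window=timedelta(seconds=60)):
    """Pair each 7045 with the latest network logon (4624 type 3) on the same
    host, and report installs that follow one within `window` and whose
    service name or image path matches a suspicious pattern."""
    findings, last_net_logon = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == 4624 and ev.get("logon_type") == 3:
            last_net_logon[ev["host"]] = ev
        elif ev["id"] == 7045:
            text = f'{ev["service"]} {ev["image"]}'
            logon = last_net_logon.get(ev["host"])
            near = logon is not None and ev["time"] - logon["time"] <= window
            if near and SUSPICIOUS.search(text):
                # Report who logged on, and from where, just before the install.
                findings.append((ev["host"], ev["service"],
                                 logon["user"], logon["src"]))
    return findings
```

The same source address appearing in findings for several hosts is the lateral-movement signal worth escalating first.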
7) DCOM
Microsoft defines Microsoft Component Object Model (COM) as “a platform-independent, distributed, object-oriented system for creating binary software components that can interact.” DCOM is “the foundation technology for Microsoft’s OLE (compound documents), ActiveX (Internet-enabled components), as well as others.”
Attackers can use RPC to access a DCOM interface bound to a COM object on the remote system that exposes code execution functions to move laterally.
8) Password Spray
In a traditional “brute force” attack, an attacker repeatedly attempts to guess the password for a given account. Password spraying is similar but involves “spraying” the same password across many accounts to circumvent common password protection countermeasures, an effective method for compromising single sign-on (SSO) and cloud applications.
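Because a spray touches each account only once or twice, per-account lockout counters never fire; the signal is one source failing against many distinct accounts in a short window. The detector below is an added example, not part of the original article, run over constructed failed-logon records (Windows Security event 4625); the thresholds, addresses, and account names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: failed logons (event 4625) reduced to the fields the
# heuristic needs. Addresses and account names are made up.
def _ev(ts, user, ip):
    return {"time": datetime.fromisoformat(ts), "event_id": 4625,
            "user": user, "ip": ip}

SAMPLE_EVENTS = (
    # One source, one failure per account, seconds apart: spray shape.
    [_ev(f"2021-06-01T09:00:{i:02d}", f"user{i:02d}", "10.0.5.23")
     for i in range(12)]
    # One source hammering a single account: brute force, not spray.
    + [_ev(f"2021-06-01T09:05:{i:02d}", "svc_backup", "10.0.7.40")
       for i in range(12)]
    # Ordinary typos from a workstation.
    + [_ev("2021-06-01T09:10:00", "alice", "10.0.9.11"),
       _ev("2021-06-01T09:10:20", "alice", "10.0.9.11")]
)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=10,
                 max_per_account=2):
    """Return {source_ip: sorted accounts} for sources that fail against at
    least `min_accounts` distinct accounts inside one sliding window while
    staying at or below `max_per_account` attempts on each of them."""
    recent = defaultdict(deque)            # ip -> deque of (time, user)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625:
            continue
        q = recent[ev["ip"]]
        q.append((ev["time"], ev["user"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()                    # drop failures older than the window
        per_account = defaultdict(int)
        for _, user in q:
            per_account[user] += 1
        quiet = {u for u, n in per_account.items() if n <= max_per_account}
        if len(quiet) >= min_accounts:
            flagged[ev["ip"]] = sorted(set(flagged.get(ev["ip"], [])) | quiet)
    return flagged
```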
9) RDP Hijack
Attackers can exploit a Windows RDP feature to take over previously disconnected sessions and appear as legitimate users to gain system access and control. To conduct an RDP hijack, an attacker can “resume” a previously disconnected RDP session, which grants them access to privileged systems without needing stolen credentials.
Defenders have a hard time detecting this activity because it appears as if the user is resuming an authorized session—but in reality, it serves as a jumping-off point for attackers to move laterally throughout the system.
10) Pass-the-Hash
MITRE states that “adversaries may ‘pass the hash’ using stolen password hashes to move laterally within an environment, bypassing normal system access controls.” The tactic allows an attacker to authenticate to a remote server or service using the NTLM or LanMan hash of a user’s password rather than the password itself.
Pass-the-hash attacks exploit a weakness in authentication protocols where a password hash remains static between sessions until a user changes the password.
11) Overpass-the-Hash
In contrast to typical pass-the-hash attacks, overpass-the-hash attacks utilize a user’s NTLM hash to request Kerberos tickets. Upon obtaining a user’s NTLM hash (or plaintext password), attackers can request a ticket-granting ticket (TGT) for that account to access any service or device for which the user has the necessary permissions.
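A TGT requested with the NTLM hash uses RC4-HMAC, because that encryption type's Kerberos key is the NT hash itself, so an RC4 request from an account that normally uses AES is worth a look. The baseline check below is an added example, not part of the original article, over constructed TGT-request records (Security event 4768 on a domain controller); account names and addresses are made up, and the heuristic assumes AES is the norm in the environment.

```python
from collections import defaultdict

# Constructed sample of event 4768 records, reduced to account, client
# address and ticket encryption type. 0x11/0x12 = AES128/AES256, 0x17 = RC4-HMAC.
SAMPLE_4768 = [
    {"account": "jdoe",    "ip": "10.0.9.11", "etype": 0x12},
    {"account": "jdoe",    "ip": "10.0.9.11", "etype": 0x12},
    {"account": "jdoe",    "ip": "10.0.5.23", "etype": 0x17},  # deviates
    {"account": "legacy1", "ip": "10.0.8.30", "etype": 0x17},  # always RC4
    {"account": "legacy1", "ip": "10.0.8.30", "etype": 0x17},
    {"account": "asmith",  "ip": "10.0.9.12", "etype": 0x12},
]

AES = {0x11, 0x12}
RC4 = 0x17

def rc4_tgt_anomalies(events):
    """Split RC4 TGT requests into 'downgrade' (the account also has AES
    requests, the shape to investigate) and 'rc4_only' (legacy accounts to
    clean up). Each downgrade entry is (account, ip, source_is_new)."""
    aes_sources = defaultdict(set)         # account -> addresses seen with AES
    for ev in events:
        if ev["etype"] in AES:
            aes_sources[ev["account"]].add(ev["ip"])
    downgrade, rc4_only = [], set()
    for ev in events:
        if ev["etype"] != RC4:
            continue
        known = aes_sources.get(ev["account"])
        if known:
            downgrade.append((ev["account"], ev["ip"], ev["ip"] not in known))
        else:
            rc4_only.add(ev["account"])
    return {"downgrade": downgrade, "rc4_only": sorted(rc4_only)}
```

Accounts listed under `rc4_only` add noise to this check, which is one reason to retire RC4 for them where possible.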
12) Pass-the-Ticket
Attackers use pass-the-ticket attacks to bypass normal system access controls by authenticating to a system using stolen Kerberos tickets without having access to an account’s password.
Attackers steal valid Kerberos tickets with Credential Dumping techniques to get a user’s service tickets or TGT, allowing them to conduct Silver Ticket or Golden Ticket attacks.
13) Folder Redirection and Roaming Profiles
Folder redirection and roaming profiles allow system administrators to configure shared user folders in a VDI environment so users can access their documents and work seamlessly. If attackers can write to these folders, they can upload malicious code to steal the authentication details sent with the connection attempt when users reconnect to their roaming profiles.
Putting this Knowledge to Use
Unfortunately, it is impossible to stop 100% of attacks. Determined attackers will eventually find a way around perimeter defenses and into the network, especially with well-funded and well-organized attackers growing increasingly common.
Instead of focusing primarily on prevention, today’s businesses should focus on detection. Identifying attackers and attack activity within the network is essential. Modern attackers will almost always attempt to move laterally throughout the system as they look for valuable assets and ways to escalate their attacks further.
Understanding the specific tactics attackers use is a critical part of lateral movement detection. Knowing the tactics and strategies outlined above gives defenders a significant leg up to identify attackers and stop them in their tracks. With better network visibility and detection capabilities, defenders can make the attacker’s job harder, ultimately motivating them to seek an easier target.
About the Author:
Joseph Salazar, Technical Marketing Engineer, Attivo Networks