Lateral Movement Tactics and Techniques
In this article I am going to talk about some of the Tactics and Tools that attackers can use when they have intruded into your network. The list below isn’t a full and definitive list of methods, but does highlight some of the more common methods that are seen when moving through a network.
Powershell
As traditional Anti-Virus technology has evolved and provided us features such as Sandboxing to detect signature malware, attackers have begun to use native tools available on a compromised machine, the so called ‘living of the land’. Powershell falls right in this category, given that it is built in to all modern Microsoft Windows Operating Systems. By using Powershell scripts can be executed to replicate malware functionality, whilst going undetected as Powershell is a legitimate tool that is included on Windows Machines. From what we have seen, attackers have used it to steal in-memory credentials, modify system configuration and even script and automate movement from one device to another.
One such script I have played around with is a key logger script, that captures key strokes from users. Very basic, but as we know keyloggers are malicious but most Anti-Virus products will not detect this as a threat. I have an example of the script here, I did find this script online and therefore take no credit in its writing! By using Powershell and a combination of remote execution commands, this script can be executed against multiple machines very quickly! There is also a Powershell module equivalent of Metasploit called PowerSploit and will allow attackers to execute various attacks against a Windows based system via the use of PowerShell which can sometimes go undetected, this is due to traditional anti-virus looking for malware files (Signatures) rather than what code is being executed in powershell.exe, which is generally a whitelisted process due to its use to IT Admins. To give you a better idea of what PowerSpolit can do by leveraging PowerShell I have put a link to the Github for PowerSpoit.
File Shares
Windows file shares are a huge repo of data that is generally available to most, making it one of the first targets that attackers will investigate. Generally, half of what an attacker is looking for will be located on a file share! The number of documents containing passwords and sensitive data is always an alarming sight. Also, there are the admin & system based file shares that can be accessed to pull more information about the system, this could be shares such as the $ADMIN, $NETLOGON and $SYSVOL which are located on domain controllers that contain anything from logon scripts to Policies. These admin shares are used in a variety of different attacks, especially the $ADMIN share as this is normally executed by psexec type attacks to give full access to the %systemroot% folder of machines. You also have the hard drive per-partition hidden shares such as C$ and D$ that can be accessed on both clients and servers which generally give full read-write access. Depending on permissions, some of these shares might not even be locked down, making a standard user account viable for moving throughout different machines and servers across a network.
Shares are almost a necessity for businesses to share files, however because of how open they can be, and the type of data shared, they can be quite a risk when an attacker has intruded within your network. Using file shares is a legit use and can be used to fool a variety of detection methods as it is easily camouflaged as normal behaviour of a user of system.
Scheduled Tasks
Scheduled tasks have many uses, and some of those uses can be malicious. Scheduled Tasks can be used to well schedule a task on either the local machine or the remote machine, which makes persistent attacks much easier. However, being able to trigger a task or a script is not just the key feature, in many circumstances Scheduled Tasks will run as the SYSTEM user, letting an attacker escalate privilege to have full control of a device on which the scheduled task runs. For example, a Scheduled Task could call a process or an application, an attacker could manipulate that application to run code to make a new local admin account (seeing as this command will be ran as SYSTEM, the command will execute). Further to this, as a local unprivileged user you can run scheduled tasks in command line or Powershell to see ALL tasks on the local device, even those you are not privileged to see or execute! You can try this out by opening our favourite command line tool Powershell and typing: schtasks.exe /query /fo LIST /v this will give us a full list of all scheduled tasks on a local machine, as well as showing the run as account.
PSexec
Most administrators will recognise PSexec from Sysinternals before Microsoft acquired them. PSexec allows administrators to easily control and execute remote commands against Windows based system via command line. Since it works from the command line, like Powershell, its easy to create and script different attacks that can be used against different systems and can quickly result in a whole network being turned in to zombies.
Because PSexec is a well-known, Microsoft based tool that is used legitimately by admins, it generally not blacklisted or detected by anti-virus (as least the traditional signature based Anti-Virus). One an attacker intrudes onto your system, they will most likely look for tools such as PSexec to leverage in their attack. Tools like PSexec are preferred by attackers as they are legitimate tools that can do some damage, this further emphasises the ‘Living of the Land’ approach that is being seen much more in breaches.
NTLM and Pass-the-Hash
Pass-the-hash attacks have become more and more common, this is due to how quickly this exploit can be used to elevate privilege. Due to how NTLM functions, attackers can exploit the process and use an encrypted password hash to authenticate to remote services without actually knowing what the plaint text password is. This presents a serious issue, as hashes generally need time and processing power to crack and reveal the plain text equivalent, however if hashes can be injected straight into a remote process and gain access it makes for a common tool among hackers. There are a variety of tools that can be used to achieve this attack, one such tool is Mimikatz, which makes it very easy to reveal plain text passwords and perform pass the hash attacks. What’s worse is, by using certain techniques Mimikatz can be downloaded and executed from in-memory, therefore it doesn’t touch the hard drive which will circumvent a variety of AV scanners.
Email Relays and Mailbox Mining
It’s astounding how much information can be found in one’s mailbox, this can range from sensitive company data all the way to plain text passwords. Emails nowadays are used for everything and as such presents itself as a good target for attackers to leverage as a lateral movement technique. The first technique is taking advantage of an open SMTP relay within an organisation to spoof mails internally and circumvent external mail filters. This can generally be accomplished with Powershell, with the command ‘send-mailmessage‘ with the smtp address generally being smtp.companydomain.com. By using this command, you can send emails from one person to another, which could include malicious links or attachments. The second method is by using the system/drive file shares such as C$ you will be able to browse user files across the network (Assuming permissions have not been setup correctly), by accessing different user machines you can copy/view/mine user .ost files which contain mail messages. This can allow you to see and understand communications internally, whilst also looking for passwords and sensitive information. You can then use this information coupled with the send-mailmessage commands to send a more advanced/bespoke phishing email to a particular user.
Application Delivery, Patch Management and Software Deployment
Almost all companies will be using or aiming to use centralised software distribution tools to manage the IT Estate, this could be software like Group Policy, System Center Configuration Manager, Ivanti or WorkspaceONE. These tools can execute code on remote machines and generally need escalated privileges to function, making them a prime target for hackers to distribute malware across a network. Software Distribution systems can be attacked in many different ways, however the simplest way is to find the file share that contains all of the installation files (.exe/.msi) and infect these, so when they are pushed down to the client machines they will infect the machines. However, if credentials have been harvested then attackers could gain access to the software distribution console and package their own files and push them down to ALL hosts on the network. Its worthwhile to protect the central consoles as much as possible as they can make infection and lateral movement very simple on a large scale.
Summary
Creating Malware and exploiting vulnerabilities is one thing, but once an attacker is in your network there are a variety of tools already at the attackers disposal that they can use to move around quickly and quietly. It’s important to understand the techniques and tools that are used in order to better identify suspicious activities. There are Next-Generation Anti-Virus products that can take a deeper look into processes and activities that are executed to determine suspicious behaviour and mitigate these types of risks, I made a recent article on this here. Knowing which tools attackers can use in your system will hopefully allow you to scale down and restrict some of these tools, without hindering productivity of course.
I hope you enjoyed this article, as I come across more lateral movement techniques I shall add to this list!
Good article mate!
Thanks Mate 🙂