Lateral Movement

Mohan reddy
Redteam & Blueteam Series
9 min read · May 3, 2020

The number and complexity of cyber-attacks are ceaselessly increasing, while existing security measures lag far behind in detecting sophisticated attacks such as lateral movement.

Red Team: Attack vectors and Techniques

Lateral movement, also known as east-west movement, is a later stage of an APT attack in which the attacker exploits stolen credentials to perform pass-the-hash attacks, escalate privileges, and finally reach the final targets: the critical systems where key data and assets reside. Along the way the attacker establishes and maintains access to the compromised network and increases his footprint by compromising other computers, servers and infrastructure components. Lateral movement attacks are performed using legitimate computer features and tools.

An advanced persistent threat (APT) is a set of stealthy and relentless hacking processes in which a group of highly skilled cyber-criminals gains unauthorized access to a targeted network, steals sensitive information and remains undetected while keeping permanent access to the network. The aim of an APT is not to damage the network but to keep constant access to its sensitive data.

Most common lateral movement methods: PSEXEC, Windows Management Instrumentation, and Pass the hash

Single-factor authentication (username and password) makes the attacker's job easy: once he steals the administrator's username and password, he uses legitimate tools (PsExec, WMI) and techniques (pass the hash) to remotely access the system and install persistent backdoors. With valid administrator credentials the attacker uses dumping tools such as ProcDump to dump usernames and hashes and access other machines on the network. The majority of system administrators practise credential reuse.

# Credential reuse means using the same username and password for multiple accounts or machines.

Listed below are the methods attackers use before moving laterally in the network:

Credential Harvesting: The attacker can steal or exploit credentials (passwords, hashes) using social engineering techniques, default credentials, phishing attacks, or by dumping LSASS on the victim machine using the techniques mentioned in earlier blogs.

Persistence: Maintain persistence on a compromised system to perform additional operations, which can be done in a number of ways. Please refer to the earlier blog.

Internal Reconnaissance: Perform internal reconnaissance to better understand the network architecture, the type of firewall installed, and other network information. This knowledge is important because it helps the attacker avoid detection. Please refer to the blogs on reconnaissance on local systems and the internal network.

Escalate privileges: Most of the time the attacker's motive is to go much deeper into the network by escalating privileges based on the knowledge acquired during reconnaissance. Tools like PsExec and WMI allow the attacker to access other machines on the network, schedule tasks and execute malicious code on them, using the knowledge and credentials obtained in the previous three steps (credential harvesting, persistence, internal reconnaissance).

Start a process remotely with credentials

wmic /node:target /user:username /password:p@ss process call create "calc.exe"

wmic /authority:"kerberos:Domain\user" /node:SQL01 process call create 'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe'

Some of the methods and tools attackers use for lateral movement:

1) Lateral movement via SMB protocol — SMB is used to share files and printers on a network. Numerous vulnerabilities exist in the SMB protocol, and their exploitation has immense impact because of SMB's widespread use in critical infrastructure such as banking and finance, electricity grids, law enforcement agencies, aviation and medical centres.

In the real world most communication protocols are also interlinked: a vulnerability in one protocol can lead to exploitation of other protocols or machines. For example, a vulnerability in an authentication protocol (like NTLM or Kerberos) can lead to exploitation of the SMB protocol.

# Besides file system support, the SMB protocol also specializes in inter-process communication (IPC). The IPC$ share is useful because it facilitates data exchange between computers over the SMB protocol.

The SMB protocol provides two levels of security: user level and share level. A share is a file or printer that can be accessed by a client. In user-level authentication the client provides a username and password.

Some of the well-known SMB protocol vulnerabilities that can be exploited by an attacker to perform a lateral movement attack:

i) SMB relay, a specific type of man-in-the-middle attack performed to steal users' SMB credentials.

Where Windows shares are not properly configured, these poorly configured shares can be exposed to the rest of the internet. Attackers can exploit badly protected shares by abusing weak or null passwords and thus gain access to the administrative shares.

wmiexec.py user:pa55w0rd@10.0.0.10

EXECUTING CODE VIA SMB / DCOM WITHOUT PSEXEC

Recently, in March 2020, we saw vulnerabilities in SMBv3, after the major outbreak of the SMBv2 vulnerability that led to the WannaCry/EternalBlue attack.

2) PsExec — Most network administration tools are developed to provide flexibility in managing interconnected devices and services, but if misused for malicious activities they can be destructive. It is the same with PsExec from Sysinternals: PsExec can be used for malicious activities. For PsExec to work, two requirements must be fulfilled: first, both the local and remote computers must have file and print sharing enabled, and second, the remote computer must have the Admin$ share defined.

psexec.exe \\IP address of remote machine -u username -p password -accepteula malicious.exe

When PsExec is executed it defaults to the %SYSTEM% directory on the remote system. Using the victim's credentials the attacker authenticates to the victim machine and tries to gain access to the Admin$ share (C:\Windows). Access to the Admin$ share is important, especially when deploying software, and the credentials supplied to PsExec must have permission to access it.

Once the attacker gets access to Admin$, he can push the malicious executable (.exe) into the Admin$ or IPC$ share. The attacker then makes a separate call to the Remote Procedure Call (RPC) interface on the victim machine, which runs over the SMB protocol. Through RPC the attacker can talk to the Service Control Manager (SCM), which maintains and manages all the services running in the background. The SCM loads the executable (.exe) and treats it as a service. Once the SCM has put the malicious .exe file in memory, the service shuts down.

finding shares

3) Local Authentication Tokens: session abuse, Rundll32 scheduled tasks, token manipulation.

4) Credential Reuse — Credential reuse exploitation happens when many machines share the same password or hashes. For example, if the attacker obtains the NTLM hashes of one SMB target, he can reuse the same hashes against other SMB targets in the network.

Credential Domino MetaModule — Metasploit has a module for this.

Credential reuse is mostly used against services like SMB, SNMP, SSH, Telnet, MSSQL and MySQL. Credential reuse is a serious issue because a system that is vulnerable to credential reuse exploitation allows the attacker to bypass all security controls and patches.

5) Windows Management Instrumentation (WMI) — WMI is a tool implemented as a service to manage data and operations and configure settings on Windows operating systems, both locally and remotely. WMI has its own query language called WQL. It also supports scripting languages like Windows Script Host, VBScript, and PowerShell. WMI can be interacted with locally and remotely.

WMI Structure

Attack scenarios: i) Creating a malicious event using WMI eventing

DCOM and WinRM are handy tools for system administrators, but they can also be used for malicious purposes, especially when their traffic is not inspected or filtered for malicious scripts or code and anti-virus does not detect it. Having obtained valid credentials (passwords or hashes) through the previously mentioned techniques, we can specify malicious events to happen, for example: every time the victim restarts the computer, run the executable present in the specified directory. This is a persistent attack; every time the system restarts, the malicious code gets executed on the victim machine.

In order to trigger an event there are three requirements: a) an event filter, b) an event consumer, c) a binding between the filter and the consumer.

Event consumers like ActiveScriptEventConsumer and CommandLineEventConsumer allow you to execute any payload on the victim machine.
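For the defender, those same three pieces (filter, consumer, binding) are what Sysmon records when a permanent subscription is created, so a detection can rebuild the subscription and ask whether its consumer executes code. The following is an added example, not code from the original post: Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter) are real, but the flattened field names follow Sysmon's schema as assumed here, and the sample records are constructed.

```python
"""Reconstruct permanent WMI event subscriptions from Sysmon WMI events and
flag the ones whose consumer can execute a payload.

Added example. Sysmon Event IDs 19 (filter), 20 (consumer) and 21 (binding)
are real; the field names below follow Sysmon's WmiEvent schema as assumed
here, and SAMPLE_SYSMON is constructed, not captured telemetry."""
import re

# Consumer classes named in the text above that run arbitrary code
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Sysmon 21 reports Consumer/Filter as WMI object paths, e.g.
# CommandLineEventConsumer.Name="X" and __EventFilter.Name="Y"
BINDING_RE = re.compile(r'^(\w+)\.Name="([^"]+)"$')

# Constructed sample records (assumed layout).
SAMPLE_SYSMON = [
    {"EventID": 19, "Operation": "Created", "Name": "UptimeFilter",
     "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_LocalTime'"},
    {"EventID": 20, "Operation": "Created", "Name": "UptimeRunner",
     "Type": "Command Line", "Destination": "C:\\ProgramData\\upd\\run.exe"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="UptimeRunner"',
     "Filter": '__EventFilter.Name="UptimeFilter"'},
    # A subscription that only writes to the event log: no code execution
    {"EventID": 19, "Operation": "Created", "Name": "DiskFilter",
     "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 300 "
              "WHERE TargetInstance ISA 'Win32_LogicalDisk'"},
    {"EventID": 20, "Operation": "Created", "Name": "DiskLogger",
     "Type": "NT Event Log", "Destination": "Application"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'NTEventLogEventConsumer.Name="DiskLogger"',
     "Filter": '__EventFilter.Name="DiskFilter"'},
]


def reconstruct_subscriptions(events):
    """Join filter (19), consumer (20) and binding (21) records by name."""
    filters = {e["Name"]: e for e in events
               if e["EventID"] == 19 and e["Operation"] == "Created"}
    consumers = {e["Name"]: e for e in events
                 if e["EventID"] == 20 and e["Operation"] == "Created"}
    subscriptions = []
    for e in events:
        if e["EventID"] != 21 or e["Operation"] != "Created":
            continue
        cm = BINDING_RE.match(e["Consumer"])
        fm = BINDING_RE.match(e["Filter"])
        if not (cm and fm):
            continue  # unexpected object path format; skip rather than guess
        consumer_class, consumer_name = cm.groups()
        _, filter_name = fm.groups()
        subscriptions.append({
            "filter": filter_name,
            "query": filters.get(filter_name, {}).get("Query"),
            "consumer": consumer_name,
            "consumer_class": consumer_class,
            "payload": consumers.get(consumer_name, {}).get("Destination"),
            "executes_code": consumer_class in EXECUTING_CONSUMERS,
        })
    return subscriptions


def suspicious_subscriptions(events):
    """Only the bound subscriptions whose consumer can run a payload."""
    return [s for s in reconstruct_subscriptions(events) if s["executes_code"]]


if __name__ == "__main__":
    for s in suspicious_subscriptions(SAMPLE_SYSMON):
        print(f"[!] {s['consumer_class']} {s['consumer']!r} bound to "
              f"filter {s['filter']!r} runs {s['payload']!r}")
```

Joining on the binding event rather than alerting on every filter or consumer on its own keeps the noise down: a filter or consumer that is never bound does nothing, and the binding is the record that carries the consumer's class.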

6) Pass the Hash / Pass the Ticket — check the local system & internal network reconnaissance blog.

Without even cracking the hashes, the attacker uses them to impersonate the victim and log in to the victim's account or system. Any system using LM or NTLM authentication in combination with any communication protocol (SMB, FTP, RPC, HTTP, etc.) is at risk from a pass-the-hash attack. The password hashes can be obtained by dumping LSASS memory, or by using VSSADMIN.EXE to take a backup and pulling the credentials out of the backup file with tools like NTDS Extract.

7) RDP Attack — Dropping payloads or accessing other systems over RDP using compromised credentials. A recent RDP vulnerability could allow attackers remote sessions.

The recently released Socks over RDP plugin creates a proxy to terminal services that uses a dynamic virtual channel, which enables communication over an open RDP connection without the need to open a new socket, connection or port on a firewall.

8) Dropping malware/payloads using deployment/management/SCCM software like Citrix, LANDesk, SolarWinds, Zendesk. Built-in tools like these help to drop malware/payloads if policies are not securely configured.

BLUE TEAM: Detective and Preventive Controls

Whenever an attacker wants to exploit remote machines, he tries to remain anonymous and undetected, transfer and execute malicious code, create and start services, bypass normal authentication procedures, and guess wrong passwords and hashes until he gets the correct credentials. All of these behaviours raise the likelihood that malicious activity is occurring in the network. To understand intrinsic security dependencies, it is also important to know the relationships between accounts and access privileges across all systems on a network. Let's see how we can implement security measures for defending at various levels.

Endpoint Level:

1. Purchase threat detection & prevention tools — Installing AV tools mitigates the chance of a machine getting compromised, and if it unfortunately happens, at least it will be detected so that we can take the necessary actions to remediate.

2. Implementing secure Group Policies, such as: a) disallow removable media, b) restrict software installations, c) follow the principle of least privilege, d) control access to CMD, e) disable the Guest account, f) password length, g) password age limit, h) disable anonymous SID enumeration in AD, i) moderate access to Control Panel. I have mentioned only a few, but there are many policies an organization can implement.

3. Installing security patches (Microsoft releases security patches once every month, and core security patches for any 0-day exploits ASAP).

4. Configuring AppLocker, and whitelisting and blacklisting applications based on organizational dependencies.

5. Implementing a SIEM in the organization, integrating it with other threat detection sources, and monitoring those alerts. (If possible, forward Sysmon logs to the SIEM and monitor the above-mentioned registry keys for any violation.)

Network Level:

1. Installing NIDS/NIPS facilitates detecting and preventing attacks over the network. Network indicators that point to lateral movement:

a) Traffic containing random hostnames clearly signifies the possibility of unwanted activity in the network.

b) An empty session key in NTLM authentication is an indication of anomalous network behaviour.

c) Comparison between the number of write commands towards IPC$ in normal and malicious traffic.

d) Before the correct password is hit, a large number of wrong passwords are tried. Every time a wrong password is entered, the NTLM authentication protocol generates an access denied or logon failure message; compare the number of such error messages in normal and malicious traffic.

e) The attacker copies malicious executables to the victim machine and installs them as services in order to have ongoing access to the victim machine. The number of remote services installed and running in anomalous situations is much higher than in the network's normal behaviour.

2. Implement honeypots and canary tokens, which help to identify attacks before a major impact happens.

3. Implementing network segregation — segregate systems to make lateral movement more difficult and even to stop access to data.

4. Implementing a tarpit network security mechanism, which helps against computer worms and network abuse.

5. Implementing a SIEM in the organization, integrating it with other threat detection sources, and monitoring those alerts. (If possible, forward Sysmon logs to the SIEM; many event IDs for lateral movement attacks were mentioned.)

6. Configuring network firewall rules.

A random hostname or an empty session key, if present in any traffic, immediately indicates malicious behaviour, because they appear only in malicious traffic and identify exploitation of normal protocol behaviour. The remaining three detection techniques imply malicious behaviour when their counts exceed a fixed threshold, which has to be learned using supervised machine learning algorithms.
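To show what the threshold-based indicators look like once they are written as rules a SIEM or a script can evaluate, here is an added example that is not part of the original post. It runs three detections over constructed Windows event records: a burst of failed logons from one source host that ends in a successful logon (the wrong-password indicator), more remotely installed services on a host than a baseline allows (the remote-services indicator), and a write to the Image File Execution Options Debugger value used in the WMI command in the red-team section (the registry key the endpoint controls ask you to monitor). Event IDs 4624/4625 (Security log), 7045 (System log) and Sysmon 13 (registry value set) are real; the flattened field names, the thresholds and the sample records are assumptions.

```python
"""Three lateral-movement detections run over constructed Windows event records.

Added example. Event IDs 4624/4625 (Security log), 7045 (System log) and
Sysmon 13 (RegistryEvent, value set) are real; the flattened field names,
the thresholds and SAMPLE_EVENTS are assumptions made for this example."""
from collections import defaultdict

# Constructed sample records (assumed layout, not captured telemetry)
SAMPLE_EVENTS = [
    # 5 wrong passwords from WS01 against FS01, then the right one (NTLM, type 3)
    *[{"EventID": 4625, "Computer": "FS01", "WorkstationName": "WS01",
       "LogonType": 3, "AuthPackage": "NTLM", "TargetUser": "admin"}
      for _ in range(5)],
    {"EventID": 4624, "Computer": "FS01", "WorkstationName": "WS01",
     "LogonType": 3, "AuthPackage": "NTLM", "TargetUser": "admin"},
    # Ordinary console logon on WS02 with no preceding failures
    {"EventID": 4624, "Computer": "WS02", "WorkstationName": "WS02",
     "LogonType": 2, "AuthPackage": "Kerberos", "TargetUser": "alice"},
    # Three services installed on FS01 in a short window, one on WS02
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "svc-a",
     "ImagePath": "C:\\Windows\\a.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "svc-b",
     "ImagePath": "C:\\Windows\\b.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "svc-c",
     "ImagePath": "C:\\Windows\\c.exe"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "printsvc",
     "ImagePath": "C:\\Program Files\\Printer\\svc.exe"},
    # Sysmon 13: Debugger value written under IFEO for osk.exe
    {"EventID": 13, "Computer": "SQL01",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
                     "\\Image File Execution Options\\osk.exe\\Debugger",
     "Details": "C:\\windows\\system32\\cmd.exe"},
    # Sysmon 13 on an unrelated key: must not be flagged
    {"EventID": 13, "Computer": "SQL01",
     "TargetObject": "HKLM\\SOFTWARE\\Vendor\\App\\Debugger",
     "Details": "1"},
]


def password_guessing(events, min_failures=3):
    """min_failures or more failed logons from one source host against one
    target, followed by a successful logon from the same source."""
    failures = defaultdict(int)   # (target, source) -> consecutive failures
    hits = []
    for e in events:
        if e["EventID"] not in (4624, 4625):
            continue
        key = (e["Computer"], e["WorkstationName"])
        if e["EventID"] == 4625:
            failures[key] += 1
            continue
        if failures[key] >= min_failures:
            hits.append({"target": key[0], "source": key[1],
                         "failures": failures[key], "user": e["TargetUser"]})
        failures[key] = 0         # a success ends the streak either way
    return hits


def service_install_spike(events, max_normal=2):
    """Hosts where more services were installed than the baseline allows."""
    counts = defaultdict(int)
    for e in events:
        if e["EventID"] == 7045:
            counts[e["Computer"]] += 1
    return {host: n for host, n in counts.items() if n > max_normal}


IFEO_MARKER = "\\image file execution options\\"


def ifeo_debugger_writes(events):
    """Sysmon 13 writes to an IFEO ...\\<exe>\\Debugger value."""
    hits = []
    for e in events:
        if e["EventID"] != 13:
            continue
        target = e["TargetObject"].lower()
        if IFEO_MARKER in target and target.endswith("\\debugger"):
            hijacked = e["TargetObject"].split("\\")[-2]
            hits.append({"host": e["Computer"], "image": hijacked,
                         "debugger": e["Details"]})
    return hits


def run_all(events):
    """Evaluate every rule; a SIEM would raise one alert per non-empty entry."""
    return {"password_guessing": password_guessing(events),
            "service_install_spike": service_install_spike(events),
            "ifeo_debugger": ifeo_debugger_writes(events)}


if __name__ == "__main__":
    for rule, findings in run_all(SAMPLE_EVENTS).items():
        print(rule, findings)
```

The two count-based rules take their thresholds (`min_failures`, `max_normal`) as parameters because, as the paragraph above says, those values have to be learned from the network's own baseline rather than fixed in the code; the registry rule needs no threshold, since a legitimate Debugger value under that key is rare enough to review every time.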

Two-factor authentication may help reduce the risk of lateral movement by introducing an additional security check. However, this requires changes to the infrastructure, such as introducing security tokens.

Process level:

1. Preparation is the key to effective identification and response. Training end users at regular intervals and raising awareness of cyberattacks can help the organization defend against them.

2. Don’t use shared local accounts.

3. Use separate domain user and server admin accounts.

4. Maintain Secure Configurations.

5. Implement incident response procedures for handling security incidents, breaches, and cyber threats.

6. Train staff on the latest security threats and security tools.
