The ability to quickly and reliably detect lateral movement in the network is one of the most important skills in information security today: the lateral movement attack phase represents the biggest difference between a targeted and strategic attacks and a simplistic hit-and-run attack.
What is lateral movement?
Lateral movement refers to the various techniques attackers use to progressively spread through a network as they search for key assets and data, and usually is the second step of an cyberattack.
Once the attacker gain access to a vulnerable server on a network, he applies this set of techniques in order to gather information from systems on the target network, gain access and control them.
Movement across a network from one system to another may be necessary to achieve an adversary’s goals, such us execution of tools, pivoting to additional systems, access to specific information or files or access to additional credentials.
Video by Raphael Mudge
The lateral movement can be performed using specific tools, but adversaries may also reduce their footprint on the network by using legitimate credentials alongside inherent network and operating system functionality to remotely connect to systems.
Lateral movement techniques
Windows Remote Management
Windows Remote Management (WinRM) is a set of services and a protocols that allows a user to interact with a remote system:
Windows Remote Management (WinRM) is the Microsoft implementation of WS-Management Protocol, a standard Simple Object Access Protocol (SOAP)-based, firewall-friendly protocol that allows hardware and operating systems, from different vendors, to interoperate.
It may be called with the winrm command or by any number of programs such as PowerShell.
Windows Admin Shares
Windows systems have hidden network shares that are accessible only to administrators (for example C$, ADMIN$, and IPC$) and provide the ability for remote file copy and other administrative functions.
An attacker may use administrator-level Valid Accounts to remotely access a networked system over SMB in order to interact with systems using RPC, transfer files, and run transferred binaries through remote Execution.
Distributed Component Object Model
Windows DCOM is transparent middleware that extends the functionality of Component Object Model (COM) on remote systems using remote procedure call.
COM is a component of the Windows API that enables interaction between software objects: through COM, a client object can call methods of server objects, which are typically DLL libraries or executables.
DCOM may be used for lateral movement: using users with high privileges, and attacker can remotely obtain shellcode execution through Office applications as well as other Windows objects that contain insecure methods, or execute macros in existing documents.
Further, also DDE execution can be directly invoked through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document.
Exploitation of vulnerable services
Attackers may takes advantage of a programming error in a program, service, or within the operating system software or kernel itself, in order to remote execute code.
First an adversary may need to determine if the remote system is in a vulnerable state, which may be done through network service scanning or other discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation.
Third-party applications (such as SCCM, VNC, psexec) may be in use on specific systems in the network environment for administration purposes. If an adversary gains access to these systems, then they may be able to execute code.
The permissions required for this action vary by system configuration: usually specific domain credentials (or administrative accounts) may be required.
Infected shared content
Content stored on network shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files: once a user opens the shared tainted content, the malicious portion can be executed to run the adversary’s code on a remote system.
For example, an attacker could modifiy a shortcut file (.LNK), inserting an embedded command that executes an hidden script or a malware file in the directory, and then opens the real intended file so that the user’s expected action still occurs. When applied on frequently used network shares, the technique may result in frequent reinfections, allowing attacker to gain also a ‘distributed’ persistence.
This technique is applicable also on removable media.
Replication through removable redia
Malicious programs may move also onto systems disconnected or air-gapped systems, by copying a coy of itself to removable media and taking advantage of Autorun features when the media is inserted into a system and executes.
In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system.
Webshells and remote access tools on shared webroot
Adversaries may add malicious content, like a webshell, to an internally accessible website through an open network file share that contains the website’s webroot or Web content directory.
The malicious script will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.
Secure Shell is often used for remote access on Linux and Mac systems.
It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.
Attackers may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system, compromising the SSH agent or by having access to the agent’s socket.
Remote services access with valid network credentials
Remote desktop is a common feature in operating systems that allows a user to log into an interactive session with a system desktop graphical user interface on a remote system: an attacker may connect to a remote system over RDP to expand access if the service is enabled and allows access to accounts with known credentials.
With same credentials attacker may copy from one system to another to stage adversary tools or other files over the course of an operation.
Files may be copied from an external adversary-controlled system through the
Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.
Finally, an adversary may use valid accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC, then performing actions as the logged user.
Remote authentication with Pass the Hash and Pass the Ticket techniques
Pass the hash is a method of authenticating as a user without having access to the user’s cleartext password.
This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash captured on a compromized system.
Pass the ticket uses Kerberos tickets without having access to an account’s password.
In this technique, valid Kerberos tickets for Valid Accounts are captured by a credential dumping.
I’ll write soon a post with a more extensive description of Pass The Ticklet technique and Kerberos tickets.
AppleScript and IPC (OSX)
OSX applications send AppleEvent messages to each other for interprocess communications (IPC).
These messages can be easily scripted with AppleScript for local or remote IPC and AppleEvent messages can be sent independently or as part of a script, allowing to locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
So, an attacker can use this technique in order to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes.
Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell developed with other languages.
References and additional readings
- Windows Remote Management | Microsoft Docs
- How to remove administrative shares in Windows Server 2008
- Distributed Component Object Model (DCOM) Remote Protocol Specification
- JPCERT/CC Blog: Asruex: Malware Infecting through Shortcut Files
- SSH Agent Hijacking – Clockwork
- IBM Knowledge Center – The Kerberos ticket
- Apple Events | Apple Developer Documentation