This post was originally published here by Sqrrl Team.
The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined the practical ways to hunt for C2 activity. In this series of posts, we will take a look at how to hunt for lateral movement activity.
Lateral Movement is a critical step in the process of carrying out an attack on a network. It is a category broad enough that it has its own kill chain step. Although it is a broad tactic, these posts will survey a specific method that might be carried out by an adversary.
Before we go into detection techniques, let’s start by building a foundation of knowledge on Lateral movement. The definition of Lateral movement that I am using is a “term encompassing techniques and tools that enable an attacker to access and/or control systems within your environment.”
Something commonly overlooked about lateral movement is that this activity is not the end goal of an attacker, but is instead just a piece of the attack and is often a requirement or dependency of the attacker to achieve their ultimate goal.
The ability to remotely execute scripts or code can be a cornerstone of an attack, but adversaries also attempt to reduce their footprint in environments by abusing legitimate credentials combined with native network and OS functionality to remotely access systems.
Example of Lateral Movement Activity in Sqrrl
Breaking down the attack further, there are dozens of methods to achieve lateral movement in an environment. Because of this, the attacker has a wide variety of tricks at their disposal. A few of the most common techniques I have seen in the wild are:
Pass the hash (PTH):
A method of authenticating as a user without having access to the user’s cleartext password.
Remote Services:
Where an adversary may use valid credentials to log into a service specifically designed to accept remote connections, such as PsExec, RDP, telnet, SSH, or VNC.
Taint Shared Content:
Content stored on network drives may be tainted by adding applications, scripts, or exploits to otherwise legitimate files.
To demonstrate a typical scenario, we’ll look at an example where the attacker will attempt to move from the patient 0 compromised system to gather the company’s financial records. Next, the attacker discovers that they cannot directly access the files from the infected host. They then attempt to move laterally to another system they can see on the network. When this system also does not have access to the data the attacker wants, the attacker will attempt to move laterally again and again until finally finding a system with the access they want.
Example of Lateral Movement Activity
High-level TTP overview
We can take the previous scenario and dissect it into stages.
First, we had the initial infection, this occurred by any ordinary means, phishing email, exploit kit, whatever.
Next, we have the compromise stage. This phase differs from the infection stage because we are defining compromise as the attacker has direct access to the system where the infection is defined as automated malware infecting the system. To expand on that, infection is something like getting a trojan on your computer, but compromise does not occur until the malware opens up a connection on the system for an attacker to get direct CLI access to the system.
The third stage is reconnaissance which contains the attacker collecting data about the system they are on and what other systems the attacker can see from the compromised host.
The next stage is credential theft. This stage is vital for the attacker because, without credentials, their ability to move laterally will be extremely limited. Credential theft comes in many forms, and we will dig into that in a bit.
Lastly, comes the actual lateral movement stage where the attacker combines the information they have gathered with the credentials they have gathered and attempt to authenticate to other systems in the environment. These three stages of recon, credential theft, and lateral movement, will be repeated on every system the attacker successfully authenticates.
Tune in next week for the next blog in this series that will show the attack from the attacker side!
Photo:SDNsquare
