What is Lateral Movement?
According to MITRE ATT&CK,
"Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier."
Once attackers have performed reconnaissance and gained initial access, they execute malicious code and try to evade the defenses in place. Next they escalate privileges to gain greater control over the victim machine. Having obtained domain admin or similarly elevated privileges, they deploy backdoors to establish a foothold and persist on that machine. With the foothold established on the first compromised (patient-zero) machine, the attackers then look for other vulnerable computers in the network to exploit. Once such computers are found, the attacker moves from one computer to the next, and this movement is what is called Lateral Movement.

Different Lateral Movement Techniques
According to MITRE ATT&CK, there are 9 major techniques (several with sub-techniques) that attackers use for lateral movement.

| ID | Name | Description |
|---|---|---|
| T1210 | Exploitation of Remote Services | Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. |
| T1534 | Internal Spearphishing | Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is a multi-staged attack where an email account is owned either by controlling the user's device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt. |
| T1570 | Lateral Tool Transfer | Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with SMB/Windows Admin Shares or Remote Desktop Protocol. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp. |
| T1563 | Remote Service Session Hijacking | Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service. |
| T1563.001 | Remote Service Session Hijacking: SSH Hijacking | Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair. |
| T1563.002 | Remote Service Session Hijacking: RDP Hijacking | Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). |
| T1021 | Remote Services | Adversaries may use Valid Accounts to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user. |
| T1021.001 | Remote Services: Remote Desktop Protocol | Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. |
| T1021.003 | Remote Services: Distributed Component Object Model | Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user. |
| T1021.004 | Remote Services: SSH | Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user. |
| T1021.005 | Remote Services: VNC | Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB ("remote framebuffer") protocol to enable users to remotely control another computer's display by relaying the screen, mouse, and keyboard inputs over the network. |
| T1021.006 | Remote Services: Windows Remote Management | Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. |
| T1091 | Replication Through Removable Media | Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself. |
| T1072 | Software Deployment Tools | Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). |
| T1080 | Taint Shared Content | Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. |
| T1550 | Use Alternate Authentication Material | Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
| T1550.001 | Use Alternate Authentication Material: Application Access Token | Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials. |
| T1550.002 | Use Alternate Authentication Material: Pass the Hash | Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. |
| T1550.003 | Use Alternate Authentication Material: Pass the Ticket | Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system. |
| T1550.004 | Use Alternate Authentication Material: Web Session Cookie | Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated. |

Table 1: MITRE ATT&CK Lateral Movement Techniques
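As an added defender-side example (not part of the original article and not ThreatResponder code), the following Python hunt runs over constructed Windows Security 4624 logon records and flags two footprints the table describes: one account fanning out to many hosts over network or RDP logons (Remote Services, admin shares, WinRM) and NTLM network logons by privileged accounts, which is the trace pass-the-hash leaves. Host names, account names, the privileged-account set and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security 4624 (successful logon) records, not real
# telemetry: (timestamp, host logging the event, account, logon type, auth
# package, source address). Type 3 = network logon (SMB admin shares, WinRM,
# DCOM); type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "WS-ALICE", "alice", 3, "Kerberos", "10.0.5.23"),
    ("2024-05-01T10:01:10", "FS01", "svc_backup", 3, "NTLM", "10.0.5.23"),
    ("2024-05-01T10:01:40", "FS02", "svc_backup", 3, "NTLM", "10.0.5.23"),
    ("2024-05-01T10:02:15", "DC01", "svc_backup", 3, "NTLM", "10.0.5.23"),
    ("2024-05-01T10:03:00", "APP01", "svc_backup", 10, "Negotiate", "10.0.5.23"),
    ("2024-05-01T11:30:00", "FS01", "bob", 3, "Kerberos", "10.0.5.40"),
    ("2024-05-01T11:45:00", "FS02", "bob", 3, "Kerberos", "10.0.5.40"),
]
PRIVILEGED = {"svc_backup", "administrator"}  # assumed high-privilege accounts

def parse(records):
    """Turn the tuples into dicts with real datetimes, oldest first."""
    events = [dict(zip(("ts", "host", "user", "type", "auth", "src"), r)) for r in records]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def find_fanout(events, window=timedelta(minutes=5), threshold=3):
    """One account reaching >= threshold distinct hosts via remote logons
    (type 3 or 10) within `window`: the fan-out that Remote Services
    (admin shares, WinRM, RDP) pivoting leaves behind. Returns {user: [hosts]}."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] in (3, 10):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) >= threshold:
                hits[user] = sorted(hosts)
                break
    return hits

def find_privileged_ntlm(events, privileged=PRIVILEGED):
    """Network logons by privileged accounts that used NTLM instead of
    Kerberos: pass-the-hash authenticates with the NT hash over NTLM, so
    these deserve review. Returns [(user, host, src)] in time order."""
    return [(e["user"], e["host"], e["src"]) for e in events
            if e["type"] == 3 and e["auth"] == "NTLM" and e["user"] in privileged]
```

On the sample data, `svc_backup` trips both checks while `bob`'s two Kerberos logons fifteen minutes apart stay below the fan-out window, which is the kind of baseline a hunt like this must be tuned against.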
Preventing Lateral Movement
The following measures can help prevent lateral movement in your network:
- Regularly update all software within the organization
- Implement a security-first approach within the organization
- Protect high-privilege accounts
- Maintain proper IT hygiene
- Adopt a zero-trust policy
- Segment the network
- Perform threat hunting
- Deploy strong endpoint security controls
Use ThreatResponder to Detect Lateral Movements Inside Your Network
Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.
Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) security solution, in action? Click the button below to request a free demo of NetSecurity's ThreatResponder platform.
Disclaimer
The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).