13 Lateral Movement Tactics Security Experts Should Recognize
Reading Time: 2 minutes | Published: August 14, 2021 in Attivo News
One of the most curious elements of this year’s Verizon Data Breach Investigations Report (DBIR) was the inclusion of the new attack pattern “system intrusions.” Representatives from Verizon identified the category as a broad one that tends to include attacks with many steps, indicating significant lateral movement within the network. Research shows that many recent high-profile attacks involved lateral movement, including the Colonial Pipeline attack, the SolarWinds attack, and the Microsoft Exchange breach.
“Smash and grab” attacks used to be widespread: attackers would enter the network and steal/encrypt any data they could get their hands on. The rise of more sophisticated attackers, Ransomware 2.0, and other advanced threats has changed this. Attackers are now more willing (and able) to move around the network undetected, looking for the most valuable data to steal. They conduct reconnaissance, look for exposed or otherwise vulnerable credentials, and escalate their privileges, often targeting Active Directory (AD), which means complete domain dominance if they succeed.
Today’s Lateral Movement Tactics
Protecting against today’s most dangerous lateral movement tactics is increasingly critical, with AD as vulnerable as it is. Attackers use a wide range of strategies to move about undetected. The list below covers a selection of the most common and potentially damaging tactics. For defenders, knowing what to look for is the first step toward more effective network protection. Fortunately, frameworks like MITRE ATT&CK and MITRE Shield have provided valuable insight into many of these tactics.
1. WMI
MITRE defines Windows Management Instrumentation (WMI) as “a Windows administration feature that provides a uniform environment for local and remote access to Windows system components.” MITRE notes that “it relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS)] for remote access.” An attacker looking to interact with both local and remote systems can use WMI to perform functions that include information gathering and remote file execution.
2. Remote Service Creation
Attackers can execute a binary, command, or script via a method that interacts with Windows services (such as the Service Control Manager) to create a new service to execute code remotely and move laterally across the environment or maintain persistence using the windows sc.exe utility. Attackers first copy the file to the remote system, then create and start the service using Remote Procedural Calls (RPC), Windows Management Instrumentation (WMI), or PsExec.
3. Remote Desktop Protocol
Remote desktops are commonplace today, allowing users to log into an interactive session remotely. Unfortunately, attackers can use stolen credentials and account information to exploit the remote desktop protocol (RDP), connect to the system, and expand their access. Today’s attackers use stolen credentials at an alarming rate, often to exploit RDP and usually as a persistence mechanism.
Read the full article by Joseph Salazar, Technical Marketing Engineer Attivo Networks, on DZone.
Share on:
Continue Reading
Free Active Directory Assessment
Get Visibility Into Privilege And Service Account Exposure
For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.
Try Our Endpoint Detection Net (EDN) for Free
FAST AND EASY
Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.
Newsletter Signup
ADSecure 90-Day Free Trial
GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY
- Hide and deny access to AD objects
- Get alerted on unauthorized queries
- Attack details easily viewable in dashboard
- Your data remains on-premise