13 Lateral Movement Tactics Security Experts Should Recognize

One of the most curious elements of this year’s Verizon Data Breach Investigations Report (DBIR) was the inclusion of the new attack pattern “system intrusions.” Representatives from Verizon identified the category as a broad one that tends to include attacks with many steps, indicating significant lateral movement within the network. Research shows that many recent high-profile attacks involved lateral movement, including the Colonial Pipeline attack, the SolarWinds attack, and the Microsoft Exchange breach.

“Smash and grab” attacks used to be widespread: attackers would enter the network and steal/encrypt any data they could get their hands on. The rise of more sophisticated attackers, Ransomware 2.0, and other advanced threats has changed this. Attackers are now more willing (and able) to move around the network undetected, looking for the most valuable data to steal. They conduct reconnaissance, look for exposed or otherwise vulnerable credentials, and escalate their privileges, often targeting Active Directory (AD), which means complete domain dominance if they succeed.

Today’s Lateral Movement Tactics

Protecting against today’s most dangerous lateral movement tactics is increasingly critical, with AD as vulnerable as it is. Attackers use a wide range of strategies to move about undetected. The list below covers a selection of the most common and potentially damaging tactics. For defenders, knowing what to look for is the first step toward more effective network protection. Fortunately, frameworks like MITRE ATT&CK and MITRE Shield have provided valuable insight into many of these tactics.

1. WMI

MITRE defines Windows Management Instrumentation (WMI) as “a Windows administration feature that provides a uniform environment for local and remote access to Windows system components.” MITRE notes that “it relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS)] for remote access.” An attacker looking to interact with both local and remote systems can use WMI to perform functions that include information gathering and remote file execution.

2. Remote Service Creation

Attackers can execute a binary, command, or script via a method that interacts with Windows services (such as the Service Control Manager) to create a new service to execute code remotely and move laterally across the environment or maintain persistence using the windows sc.exe utility. Attackers first copy the file to the remote system, then create and start the service using Remote Procedural Calls (RPC), Windows Management Instrumentation (WMI), or PsExec.

3. Remote Desktop Protocol

Remote desktops are commonplace today, allowing users to log into an interactive session remotely. Unfortunately, attackers can use stolen credentials and account information to exploit the remote desktop protocol (RDP), connect to the system, and expand their access. Today’s attackers use stolen credentials at an alarming rate, often to exploit RDP and usually as a persistence mechanism.

Read the full article by Joseph Salazar, Technical Marketing Engineer Attivo Networks, on DZone.