Lateral movement tools and techniques have made up a significant portion of an attacker's arsenal in the past several years, and 2022 saw a significant rise in the use of lateral movement tools for successful infiltration. Most often, an attacker does not have direct access to the intended target: a server controlling the domain, a system hosting critical credentials or resources, and so on. Once an attacker gains an initial foothold on a machine in the target network, they can use tools already present on the compromised machine to extend their reach, or upload additional tools that serve the same purpose. Among such tools are credential harvesting tools that extract NTLM hashes, which can then be used to access other machines on the network that honor those hashes. The initial point of entry may be an easy target: an unsuspecting user opening a phishing email, a drive-by download, an unpatched system such as those exploited by the WannaCry ransomware, or, as seen this year, exposed APIs provided for cloud integration, orchestration, and management, attacks on which have risen.
Common Lateral Movement Techniques
Apart from commonly known techniques such as share enumeration, user enumeration, psexec, and golden ticket attacks, the list of new techniques in use by threat actors is alarming. In this series of articles, we will introduce our readers to several of these techniques, starting with the simplest case, user enumeration, and why it matters. In the upcoming articles, we will dissect the limitations of NTLM and Kerberos, kerberoasting attacks, golden ticket attacks, remote control of services, and how the lateral movement detection module of PacketWorker, Vehere's Network Detection & Response solution, can help you.
User enumeration via the SAMR service
Windows keeps a repository of user accounts and the NTLM hashes of those accounts. This repository is the SAM database, and it is managed by the SAM (Security Accounts Manager) service. The service is reachable remotely over MSRPC (the SAMR interface) when SMB ports 445 or 139 are exposed. An unwanted side effect of exposing this service is that attackers can query it to enumerate user accounts. The service provides user account and credential management and, together with the LSASS process, handles authentication, authorization, and accounting.
In the screenshot, note the MSRPC call "EnumDomainUsers" in packet number 35. The response to that call is in packet number 38; at the bottom of that packet you will see user account information being returned to the attacker.
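The call shown above is also visible on the wire to a network sensor. As an added example (not code from the original article or from Vehere's product), the following Python flags hosts that issue SAMR account-enumeration calls and escalates when one host sweeps several servers in a short window. It assumes the tab-separated column order of Zeek's dce_rpc.log; the log lines are constructed sample data, and the host addresses and thresholds are placeholders.

```python
from collections import defaultdict

# Account-listing SAMR calls. Wireshark labels opnum 13 "EnumDomainUsers"; Zeek's
# dce_rpc.log names it "SamrEnumerateUsersInDomain"; both spellings are accepted.
ENUM_OPS = {"SamrEnumerateUsersInDomain", "EnumDomainUsers",
            "SamrEnumerateDomainsInSamServer", "EnumDomains"}

# Assumed column order of Zeek's dce_rpc.log (check the #fields header of your own log).
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "rtt", "named_pipe", "endpoint", "operation"]

# Constructed sample: 10.0.0.50 enumerates three servers in five seconds, 10.0.0.60 one.
SAMPLE_LOG = "\n".join([
    "1700000000.100\tC1\t10.0.0.50\t49200\t10.0.0.10\t445\t0.002\t\\\\pipe\\samr\tsamr\tSamrConnect5",
    "1700000000.200\tC1\t10.0.0.50\t49200\t10.0.0.10\t445\t0.003\t\\\\pipe\\samr\tsamr\tSamrEnumerateDomainsInSamServer",
    "1700000000.400\tC1\t10.0.0.50\t49200\t10.0.0.10\t445\t0.010\t\\\\pipe\\samr\tsamr\tSamrEnumerateUsersInDomain",
    "1700000003.000\tC2\t10.0.0.50\t49210\t10.0.0.11\t445\t0.004\t\\\\pipe\\samr\tsamr\tSamrEnumerateUsersInDomain",
    "1700000005.000\tC3\t10.0.0.50\t49220\t10.0.0.12\t445\t0.004\t\\\\pipe\\samr\tsamr\tSamrEnumerateUsersInDomain",
    "1700000009.000\tC4\t10.0.0.60\t49300\t10.0.0.10\t445\t0.004\t\\\\pipe\\samr\tsamr\tSamrEnumerateUsersInDomain",
])

def parse_dce_rpc(log_text):
    """Yield one dict per data row, skipping Zeek '#' header lines."""
    for line in log_text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        yield dict(zip(FIELDS, parts))

def detect_samr_enumeration(log_text, allowlist=frozenset(), sweep_threshold=3, window=60.0):
    """Return alerts as tuples: ('samr_enumeration', src, dst) for every
    non-allowlisted source/target pair, plus ('samr_sweep', src, n_targets)
    when one source enumerates >= sweep_threshold targets within `window` seconds."""
    hits = defaultdict(list)  # src -> [(ts, dst)]
    for r in parse_dce_rpc(log_text):
        if r["endpoint"] == "samr" and r["operation"] in ENUM_OPS and r["orig_h"] not in allowlist:
            hits[r["orig_h"]].append((float(r["ts"]), r["resp_h"]))
    alerts = []
    for src, events in hits.items():
        events.sort()
        alerts += [("samr_enumeration", src, dst) for dst in sorted({d for _, d in events})]
        # Sliding window: distinct responders reached from each event's start time.
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= sweep_threshold:
                alerts.append(("samr_sweep", src, len(targets)))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect_samr_enumeration(SAMPLE_LOG, allowlist=frozenset({"10.0.0.60"})):
        print(*alert)
```

Legitimate sources of SAMR enumeration (domain controllers, vulnerability scanners, identity tooling) belong in the allowlist, otherwise the per-pair alert will be noisy.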
It may seem innocent enough, since only account names are returned and the response contains no credentials of any kind. But history has taught us that even the most trivial leaked information becomes a starting point for an attacker. Having gathered this user information, an attacker may go on to harvest valid email addresses, or to attempt password spraying, brute forcing, and similar techniques.
Vehere NDR is well equipped to detect enumeration attempts such as these, and many more attacker tactics from the MITRE framework.
Stay tuned, as in the upcoming articles, we will walk you through complex attack scenarios and demonstrate how a simple user account leak such as the one above could eventually lead to a complete takeover of your domain.
Vehere Network Detection & Response (NDR) Rules for Lateral Movement
The previous section briefly discussed just one lateral movement technique, which is usually the starting point of an attack. Vehere NDR, in its most recent release, provides customers with the first set of rules that can detect the lateral movement activities described in the previous section and a lot more. This is a threat landscape that keeps evolving, and Vehere's research wing, Dawn Treader, is actively investigating and developing content for upcoming releases. Some of the recent lateral movement techniques, like the use of RDP and WMI, are being researched for future detection.