Lateral movement tools and techniques have made up a significant portion of an attacker's arsenal in the past several years, and 2022 saw a marked rise in their use in successful intrusions. Most often, an attacker does not have direct access to the system they ultimately want to take over. That target could be a domain controller, a server holding critical credentials, or a system hosting sensitive resources. Once an attacker gains an initial foothold on a machine in the target network, they can use tools already present on that machine, or upload their own, to reach the next system. Among such tools are credential harvesters that extract NTLM hashes, which can then be replayed (pass-the-hash) against other machines on the network that accept NTLM authentication. The initial point of entry is often an easy target: an unsuspecting user opening a phishing email, a drive-by download, an unpatched system of the kind exploited by the WannaCry ransomware, or, as seen this year, exposed APIs provided for cloud integration, orchestration, and management.
Common Lateral Movement Techniques
Apart from well-known techniques such as share enumeration, user enumeration, psexec, and golden ticket attacks, the list of new techniques in use by threat actors is growing at an alarming rate. In this series of articles, we will introduce our readers to several of these techniques, starting with the simplest case, user enumeration, and why it matters. In the upcoming articles, we will dissect the limitations of NTLM and Kerberos, Kerberoasting, golden ticket attacks, and remote control of services, and show how the lateral movement detection module of Vehere's Network Detection & Response solution, PacketWorker, can help you.
User enumeration via the SAMR service
Windows keeps its local user accounts, together with the NT (NTLM) password hashes of those accounts, in the SAM (Security Account Manager) database, which is managed by the SAM service running inside the LSASS process. Its remote management interface, MS-SAMR, is an MSRPC service reached over the \PIPE\samr named pipe on SMB, i.e. TCP port 445 (or 139 via the NetBIOS session service). On a domain controller the same interface is backed by Active Directory, so the accounts it returns are domain accounts. An unwanted side effect of exposing this interface is that an attacker holding any valid credentials, and on hosts that still permit anonymous SAM access even a null session, can query it to enumerate user accounts. The service provides user account and credential management and, together with LSASS, handles local authentication and authorization.
In the screenshot (a packet capture of the exchange), packet 35 carries the MSRPC call that Wireshark labels "EnumDomainUsers", which is MS-SAMR SamrEnumerateUsersInDomain (opnum 13); it follows the usual SamrConnect, SamrLookupDomainInSamServer and SamrOpenDomain calls that obtain a domain handle. The response to that call is seen in packet 38, where at the bottom of the decode you will see the list of account names (and their RIDs) being handed to the attacker.
It may seem innocent enough, since only account names are returned and no credentials of any kind appear in the response. But history has taught us that even the most trivial leaked information becomes an attacker's starting point. With a list of valid usernames in hand, the attacker can move from information gathering to the next step: deriving and validating e-mail addresses, password spraying, brute forcing, and so on.
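The call sequence above is easiest to recognise on the wire at the DCE/RPC layer: a bind that associates a context id with the MS-SAMR interface UUID, followed by a request whose opnum is 13 on that context. The following Python is an added example written for this article, not code from the original page or from Vehere's product. It decodes the connection-oriented DCE/RPC bind and request headers, tracks which context id is bound to which interface per connection, and flags SamrEnumerateUsersInDomain. It assumes the PDUs have already been extracted from the SMB named-pipe transport, handles only little-endian data representation, and the PDUs it runs against are constructed inline (the `build_*` helpers exist only to produce that sample traffic). Note that the opnum alone is not enough: the same opnum on a different interface (srvsvc below) must not alert.

```python
"""Flag MS-SAMR SamrEnumerateUsersInDomain (opnum 13, shown as EnumDomainUsers
in Wireshark) in connection-oriented DCE/RPC PDUs.  Added example; assumes the
PDUs were already lifted out of the SMB \\PIPE\\samr transport."""
import struct
import uuid

SAMR_IFACE = uuid.UUID("12345778-1234-abcd-ef00-0123456789ac")    # MS-SAMR v1.0
SRVSVC_IFACE = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")  # MS-SRVS v3.0 (decoy)
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")         # NDR transfer syntax

PTYPE_REQUEST, PTYPE_BIND = 0, 11
PFC_FIRST_FRAG, PFC_LAST_FRAG, PFC_OBJECT_UUID = 0x01, 0x02, 0x80
DREP_LE = b"\x10\x00\x00\x00"   # ASCII chars, little-endian ints, IEEE floats
HDR = "<BBBB4sHHI"              # ver, minor, ptype, flags, drep, frag_len, auth_len, call_id

SAMR_OPNUMS = {0: "SamrConnect", 5: "SamrLookupDomainInSamServer",
               6: "SamrEnumerateDomainsInSamServer", 7: "SamrOpenDomain",
               13: "SamrEnumerateUsersInDomain", 64: "SamrConnect5"}
ENUM_USERS_OPNUM = 13


def parse_header(pdu: bytes):
    """Return (ptype, flags, call_id) from the 16-byte common header."""
    if len(pdu) < 16:
        raise ValueError("PDU shorter than the 16-byte common header")
    ver, _minor, ptype, flags, drep, frag_len, _auth, call_id = struct.unpack_from(HDR, pdu, 0)
    if ver != 5 or (drep[0] & 0xF0) != 0x10:
        raise ValueError("only DCE/RPC v5 with little-endian drep is handled")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match the PDU size")
    return ptype, flags, call_id


def parse_bind(pdu: bytes):
    """Return {context_id: (interface_uuid, major, minor)} from a bind PDU."""
    off = 16 + 8                       # skip max_xmit_frag, max_recv_frag, assoc_group_id
    n_ctx = pdu[off]
    off += 4                           # n_context_elem + reserved bytes
    contexts = {}
    for _ in range(n_ctx):
        ctx_id, n_syntaxes = struct.unpack_from("<HB", pdu, off)
        off += 4                       # p_cont_id, n_transfer_syn, reserved
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])
        off += 16
        major, minor = struct.unpack_from("<HH", pdu, off)
        off += 4
        off += 20 * n_syntaxes         # each transfer syntax: 16-byte UUID + 4-byte version
        contexts[ctx_id] = (iface, major, minor)
    return contexts


def parse_request(pdu: bytes, flags: int):
    """Return (context_id, opnum, stub_data) from a request PDU."""
    _alloc_hint, ctx_id, opnum = struct.unpack_from("<IHH", pdu, 16)
    off = 24 + (16 if flags & PFC_OBJECT_UUID else 0)
    return ctx_id, opnum, pdu[off:]


class SamrEnumDetector:
    """Per-connection bind tracking; alerts on SAMR user enumeration requests."""

    def __init__(self):
        self._contexts = {}            # connection key -> {ctx_id: (iface, major, minor)}

    def feed(self, conn, pdu: bytes):
        ptype, flags, call_id = parse_header(pdu)
        if ptype == PTYPE_BIND:
            self._contexts.setdefault(conn, {}).update(parse_bind(pdu))
            return None
        if ptype != PTYPE_REQUEST:
            return None
        ctx_id, opnum, _stub = parse_request(pdu, flags)
        bound = self._contexts.get(conn, {}).get(ctx_id)
        # An opnum only has meaning relative to the interface bound on its context.
        if bound is None or bound[0] != SAMR_IFACE or opnum != ENUM_USERS_OPNUM:
            return None
        return {"conn": conn, "call_id": call_id, "opnum": opnum,
                "call": SAMR_OPNUMS[opnum], "attack_technique": "T1087.002 Domain Account"}


# --- constructed sample traffic (not a real capture) ---------------------------
def _pdu(ptype, body, call_id, flags=PFC_FIRST_FRAG | PFC_LAST_FRAG):
    return struct.pack(HDR, 5, 0, ptype, flags, DREP_LE, 16 + len(body), 0, call_id) + body


def build_bind(contexts, call_id=1):
    body = struct.pack("<HHI", 4280, 4280, 0) + struct.pack("<BBH", len(contexts), 0, 0)
    for ctx_id, (iface, major, minor) in contexts.items():
        body += struct.pack("<HBB", ctx_id, 1, 0) + iface.bytes_le + struct.pack("<HH", major, minor)
        body += NDR32.bytes_le + struct.pack("<HH", 2, 0)
    return _pdu(PTYPE_BIND, body, call_id)


def build_request(ctx_id, opnum, stub, call_id):
    return _pdu(PTYPE_REQUEST, struct.pack("<IHH", len(stub), ctx_id, opnum) + stub, call_id)


def demo():
    """Replay a constructed SAMR session; returns the alerts raised."""
    det = SamrEnumDetector()
    conn = ("10.0.0.25", 49321, "10.0.0.5", 445)          # constructed flow key
    pdus = [
        build_bind({0: (SAMR_IFACE, 1, 0), 1: (SRVSVC_IFACE, 3, 0)}, call_id=1),
        build_request(0, 64, b"\x00" * 24, call_id=2),    # SamrConnect5: no alert
        build_request(1, 13, b"\x00" * 8, call_id=3),     # opnum 13 on srvsvc: no alert
        build_request(0, 13, b"\x00" * 28, call_id=4),    # SamrEnumerateUsersInDomain
    ]
    return [a for a in (det.feed(conn, p) for p in pdus) if a]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

Running the block prints a single alert for call_id 4. A production rule would add the SMB decapsulation and fragment reassembly this example assumes away, and would correlate alerts per source host so that one workstation walking the SAMR interface of many hosts stands out from an administrator's one-off query.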
Vehere NDR is equipped to detect enumeration attempts such as this one (MITRE ATT&CK T1087, Account Discovery) along with many other tactics and techniques from the ATT&CK framework.
Stay tuned, as in the upcoming articles, we will walk you through complex attack scenarios and demonstrate how a simple user account leak such as the one above could eventually lead to a complete takeover of your domain.
Vehere Network Detection & Response (NDR) Rules for Lateral Movement
The previous section briefly discussed just one lateral movement technique, which is usually the starting point of an attack. Vehere NDR, in its most recent release, provides customers with a first set of rules that detect the lateral movement activity described in the previous section and a lot more. This is a threat landscape that keeps evolving, and Vehere's research wing, Moon Treader, is actively investigating and developing content for upcoming releases. Recent lateral movement techniques such as the use of RDP and WMI are being researched for future detection.