Learn Adversarial Tactics, Techniques & Common Knowledge (ATT&CK). Enterprise Tactics. Part 8


Lateral Movement


Links to all parts:
Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Credential Access
Part 7. Discovery
Part 8. Lateral Movement
Part 9. Collection
Part 10. Exfiltration
Part 11. Command and Control

The Lateral Movement tactic (lateral, transverse or horizontal movement) covers the techniques an adversary uses to gain access to and control over remote systems connected to the attacked network and, in some cases, to run malicious tools on those remote systems. Lateral movement lets an attacker obtain information from remote systems without deploying additional tools such as remote access tools (RATs).

The author is not responsible for the possible consequences of applying the information set forth in the article, and also apologizes for possible inaccuracies made in some formulations and terms. The published information is a free retelling of the contents of MITRE ATT&CK.

AppleScript


System: macOS
Rights: User
Description: The AppleScript language provides the ability to work with Apple Events, the messages exchanged between applications as part of interprocess communication (IPC). Using Apple Events, you can interact with almost any application that is open locally or remotely and trigger events such as opening windows and pressing keys. Scripts are run with the command: osascript -e [script].
Attackers can use AppleScript to covertly open SSH connections to remote hosts while presenting users with fake dialogs. AppleScript can also be used in more common types of attacks, such as setting up a reverse shell.

Protection Recommendations: Require that every AppleScript script that is run be signed by a trusted developer, and verify the signature before execution.

Application Deployment Software


System: Windows, Linux, macOS
Description: Application deployment tools used by enterprise network administrators can be used by malicious users to install malicious applications. The permissions required to complete these steps depend on the system configuration: certain domain credentials may be required to access the software installation server, and local privileges may be sufficient, but an administrator account may be required to log in to the application installation system and start the deployment process. Access to a centralized corporate application installation system allows an adversary to remotely execute code on all systems of the attacked network. Such access can be used to move through the network, collect information or cause a specific effect, for example wiping the hard drives of all hosts.

Protection Recommendations: Only allow a limited number of authorized administrators to access application deployment systems. Provide reliable isolation and restrict access to critical network systems using firewalls, restrict account privileges, and configure group security policies and multi-factor authentication. Make sure that the credentials of accounts that have access to the software deployment system are unique and not used elsewhere in the network. Regularly install patches and updates on application installation systems to prevent unauthorized remote access through exploitation of vulnerabilities. If the application installation system is configured to distribute only signed binary files, then make sure that the trusted signing certificates are not placed on it, but stored on a system that cannot be accessed remotely.

DCOM (Distributed Component Object Model)


System: Windows
Rights: Administrator, System
Description: DCOM is a protocol that extends the functionality of the Component Object Model (COM), allowing software components to interact not only within the local system but also over the network, using remote procedure call (RPC) technology, with application components of other systems. COM is a component of the Windows API. Through COM, a client object can call a method of a server object, usually a DLL or .exe file. Permissions to interact with a local or remote COM server object are defined using ACLs in the registry. By default, only administrators can remotely activate and run COM objects through DCOM.

Adversaries can use DCOM to move laterally across the network. Through DCOM, an attacker working in the context of a user with the appropriate privileges can remotely execute arbitrary code through Office applications and other Windows objects that contain unsafe methods. DCOM can also execute macros in existing documents, as well as call Dynamic Data Exchange (DDE) directly through a COM object created in Microsoft Office, bypassing the need to create a malicious document. DCOM can also provide an adversary with functionality that can be used at other stages of the attack, such as privilege escalation or persistence.

Protection Recommendations: Using the registry, configure individual security settings for COM applications under HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID.
Consider disabling DCOM support using the dcomcnfg.exe utility or in the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=SZ:N
Turn on the Windows Firewall, which by default prevents DCOM instances from being created. Turn on Protected View and notifications about the launch of COM objects in MS Office documents.

Exploitation of Remote Services


System: Windows, Linux, macOS
Rights: User
Description: To execute arbitrary code, attackers can use exploits for bugs in programs, services, operating system software, or even the operating system kernel. The purpose of exploiting vulnerabilities in remote services after the initial compromise is to gain remote access to systems in order to move around the network.

First, the adversary needs to identify systems with vulnerabilities. This can be done by scanning network services or by other discovery methods, such as searching for common vulnerable software and missing patches, which serve as indicators of vulnerabilities, or searching for security tools that are used to detect and block remote exploitation of vulnerabilities. Servers are the most likely valuable targets when moving through the network, but workstations are also at risk if they give the adversary any advantage or access to additional resources.

Vulnerabilities are known in common services such as SMB and RDP, as well as in applications that can be used on internal networks, such as MySQL and web server services. Depending on the permissions of the vulnerable service, an adversary may additionally gain privilege escalation as a result of the lateral move.

Protection Recommendations: Segment networks and systems to reduce access to critical systems and services. Minimize the exposure of services by granting rights only to those who need them. Check your internal network regularly for new and potentially vulnerable services. Minimize permissions and access for service accounts to limit the blast radius.

Regularly update software and implement a process for managing the installation of application patches on internal hosts and servers. Develop cyber threat analysis procedures to determine the types and levels of threats under which exploits, including exploits for zero-day vulnerabilities, can be used against your organization. Use sandboxes to make it difficult for the adversary to perform operations using unknown or unpatched vulnerabilities. Other types of microsegmentation and application virtualization can also mitigate the effects of certain types of exploits. Security software such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET), which aim to detect the behavior used during exploitation of vulnerabilities, can be used to protect against exploits. Control-flow integrity checking is another way to identify and block the exploitation of software vulnerabilities. Many of the listed security features may not work for all programs and services; compatibility depends on the architecture and binary of the target application.

Depending on the tools available, detection of vulnerability exploitation by the defending party may be difficult. Software exploits do not always succeed, and may cause unstable operation or abnormal termination of the attacked process. Pay attention to indicators of compromise, for example abnormal process behavior, the appearance of suspicious files on disk, unusual network traffic, signs that detection tools have been triggered, and process injections.

Logon Scripts


System: Windows, macOS
Description: An adversary can create new logon scripts or modify existing ones; these are scripts that are executed whenever a particular user or group of users logs on to the system. If an attacker gains access to a logon script on a domain controller, he can modify it to execute code on all systems in the domain in order to move laterally across the network. Depending on the permissions of the logon scripts, local or administrative credentials may be required.
On a Mac, logon scripts (Login/Logout Hooks), unlike Login Items, which run in the user's context, can run as root.

Protection Recommendations: Restrict administrator privileges for creating logon scripts. Identify and block potentially dangerous software that can be used to modify logon scripts. Windows AppLocker can block the launch of unknown programs.

Pass the hash


System: Windows
Description: Pass the Hash (PtH) is a method of authenticating as a user without access to his password in clear text. The method bypasses the standard authentication steps that require a password and goes directly to the part of the authentication that uses the password hash. The hashes of real passwords are captured by the adversary using credential access techniques; the hashes are then used for PtH authentication, which can be used to perform actions on local or remote systems.

To run the Pass the Hash attack on Windows 7 and above with the KB2871997 update installed, you need valid domain user credentials or administrator hashes (RID 500).

Protection Recommendations: Monitor system and domain logs to identify unusual account logon activity. Prevent access to valid accounts. On Windows 7 and above, install the KB2871997 hotfix to restrict access for accounts in the default local administrator groups.

To minimize the possibility of a Pass the Hash attack, keep the UAC restriction applied to local accounts when they log on over the network, by setting the corresponding registry key or group policy:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy

GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigation: Apply UAC restriction to local accounts on network logons

Limit the overlap of accounts across different systems in order to prevent their compromise and reduce the adversary's ability to move between systems. Make sure that the built-in and created local administrator credentials have complex, unique passwords. Do not allow a domain user to be a member of the local administrators group on multiple systems. To detect Pass the Hash attacks, audit all logon and credential use events and check for discrepancies (for example, one account used simultaneously on several systems). Unusual logons associated with suspicious activity (for example, creating and executing binary files) can also indicate malicious activity. Authentication events such as NTLM LogonType 3 (network logon) should also be treated as suspicious.
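The discrepancy check described above, as an added example that is not part of the original article: it correlates NTLM network logons (Event ID 4624, LogonType 3) per account and reports accounts that reached several distinct hosts within a short window. The events are constructed and use a simplified key=value form rather than real Windows XML.

```python
"""Flag accounts whose NTLM network logons (4624, LogonType 3) hit several
hosts within a short time window, the "one account on many systems" pattern
used to spot Pass the Hash.  Sample events are constructed, not captured."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security events, reduced to the fields the check needs
# (time, EventID, host, TargetUserName, LogonType, AuthenticationPackageName, source IP).
SAMPLE_EVENTS = """
time=2024-03-01T09:00:05 id=4624 host=WS-01 user=jsmith logontype=2 auth=Kerberos src=-
time=2024-03-01T09:01:10 id=4624 host=SRV-FILE01 user=jsmith logontype=3 auth=NTLM src=10.0.1.25
time=2024-03-01T09:01:12 id=4624 host=SRV-SQL01 user=jsmith logontype=3 auth=NTLM src=10.0.1.25
time=2024-03-01T09:01:15 id=4624 host=SRV-APP02 user=jsmith logontype=3 auth=NTLM src=10.0.1.25
time=2024-03-01T09:01:20 id=4624 host=DC-01 user=jsmith logontype=3 auth=NTLM src=10.0.1.25
time=2024-03-01T09:30:00 id=4624 host=SRV-FILE01 user=mlee logontype=3 auth=Kerberos src=10.0.2.40
time=2024-03-01T10:15:00 id=4624 host=SRV-SQL01 user=mlee logontype=3 auth=Kerberos src=10.0.2.40
time=2024-03-01T11:00:00 id=4624 host=SRV-FILE01 user=svc_backup logontype=5 auth=Negotiate src=-
"""


def parse_events(text):
    """Parse the key=value lines into dicts with typed time and logon type."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split())
        fields["time"] = datetime.fromisoformat(fields["time"])
        fields["logontype"] = int(fields["logontype"])
        events.append(fields)
    return events


def find_pth_candidates(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {user: sorted hosts} for accounts that performed NTLM network
    logons (4624 / LogonType 3 / NTLM) to at least `min_hosts` distinct hosts
    inside any `window`-long interval."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["id"] == "4624" and ev["logontype"] == 3 and ev["auth"].upper() == "NTLM":
            by_user[ev["user"]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                findings[user] = sorted(set(findings.get(user, [])) | hosts)
    return findings


if __name__ == "__main__":
    for user, hosts in find_pth_candidates(parse_events(SAMPLE_EVENTS)).items():
        print(f"{user}: NTLM network logons to {len(hosts)} hosts in 5 min: {', '.join(hosts)}")
```

Kerberos logons (mlee) and interactive or service logons are left out on purpose; in production the window and host threshold would be tuned to the environment's normal administrative fan-out.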

Pass the ticket


System: Windows
Description: Pass the Ticket (PtT) is a method of authenticating with Kerberos tickets without access to an account password. Kerberos authentication can be used as the first step in moving an adversary to a remote system.
During PtT, valid Kerberos tickets for existing accounts are captured by the adversary using credential dumping techniques. Depending on the level of access, user service tickets or ticket granting tickets (TGTs) can be obtained. A service ticket allows access to a specific resource, while a TGT can be used to request service tickets from the ticket granting service (TGS) for access to any resource to which the user has access.

A Silver Ticket (forged TGS ticket) can be obtained for services that use Kerberos as an authentication mechanism, and is used to generate tickets for access to a specific resource and the system on which the resource is located (for example, SharePoint).

A Golden Ticket (a Kerberos ticket for unlimited access to resources in the context of any user, including non-existent users) can be obtained by using the NTLM hash of the key distribution service account, KRBTGT, which makes it possible to generate a TGT for any account in AD.

Protection Recommendations: Monitor for unusual credentials in the system. Limit credential reuse across systems, thereby limiting the damage in the event of a compromise. Make sure that local administrator accounts have complex, unique passwords. Do not allow a user to be the local administrator of several systems. Limit domain administrator account permissions to domain controllers and restricted servers. Delegate other administrator functions to separate accounts.

To counteract a previously generated Golden Ticket, reset the password of the built-in KRBTGT account twice, which invalidates all Golden Tickets created using the KRBTGT password hash and any other Kerberos tickets obtained with a Golden Ticket.

Using application whitelisting tools such as AppLocker or Software Restriction Policies, try to identify and block unknown or malicious software that can be used to obtain Kerberos tickets and authenticate with them.

To detect PtT attacks, we recommend auditing all Kerberos authentication and credential use events and analyzing them for discrepancies. Unusual remote authentication events that correlate with other suspicious activity (such as writing and running binaries) can serve as an indicator of malicious activity.
Event ID 4769 is generated on a domain controller when a Golden Ticket is used after a double reset of the KRBTGT password. The status code 0x1F indicates a failed integrity check of the encrypted field and points to an attempt to use an invalid Golden Ticket.

Remote Desktop Protocol


System: Windows
Rights: Remote Desktop Users, Users
Description: Remote Desktop is a typical operating system feature that allows a user to open an interactive session with a graphical interface on a remote computer. Microsoft calls its implementation of the RDP protocol Remote Desktop Services (RDS). There are other implementations and third-party tools that provide graphical access to remote services similar to RDS. Adversaries can connect to a remote system via RDP/RDS to expand access if the corresponding service is turned on and allows access with credentials known to the attacker. Beforehand, the adversary is likely to use credential access techniques to obtain credentials that can be used with RDP. Adversaries can also use RDP in combination with the Accessibility Features abuse technique to establish persistence on the system.

An attacker can also attempt to hijack RDP sessions, including remote sessions of legitimate users. Normally, when someone tries to take over a session, the user is notified and asked to confirm; however, at the System permission level, a Terminal Services console session can be taken over without providing credentials or user confirmation: C:\Windows\system32\tscon.exe [ID of the session to hijack].
This can be done remotely or locally, with active or disconnected sessions. It can also lead to privilege escalation by hijacking the session of a domain administrator or another more privileged user. All of the above can be done using built-in Windows commands, and the corresponding functionality is also present in pentesting tools, for example RedSnarf.

Protection Recommendations: Disable the RDP service if it is not needed, remove unnecessary accounts and groups from the Remote Desktop Users group, and enable a firewall rule blocking RDP traffic between security zones. Check the members of the Remote Desktop Users group regularly. Remove the Administrators group from the list of groups that are allowed to log in via RDP. If remote access is required, restrict the rights of the remote user. Use Remote Desktop Gateways and multi-factor authentication for remote logins. Do not leave RDP accessible from the Internet. Modify the GPO to define timeouts and the maximum time that a remote session can be active. Change the GPO to set the maximum time that a disconnected remote session remains active on the host server.

Because the use of RDP can be entirely legitimate, indicators of malicious activity are access patterns and actions that occur after a remote logon, for example users logging on to systems they usually do not access or logging on to several systems within a relatively short amount of time. To detect RDP session hijacking, it is recommended that you monitor the use of tscon.exe and the creation of services that use cmd.exe /k or cmd.exe /c in their arguments.
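The two detection points named above, as an added example that is not part of the original article: a check over constructed process-creation (4688) and service-installation (7045) events that flags tscon.exe executions and services whose binary path runs cmd.exe /k or /c. The event field names are simplified assumptions, not the real Windows XML schema.

```python
"""Flag the RDP session-hijack indicators: tscon.exe being run (rated higher
when run as SYSTEM, which needs no credentials) and a new service whose
binary path starts cmd.exe /k or /c.  Events below are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed events: 4688 = process creation, 7045 = service installed.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "SRV-TS01", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\tscon.exe", "cmdline": "tscon.exe 2"},
    {"id": 4688, "host": "SRV-TS01", "user": r"CORP\helpdesk",
     "image": r"C:\Windows\System32\tscon.exe", "cmdline": "tscon.exe 3"},
    {"id": 7045, "host": "SRV-TS01", "service": "sesshijack",
     "path": "cmd.exe /k tscon 2"},
    {"id": 7045, "host": "SRV-TS01", "service": "Backup Agent",
     "path": r'"C:\Program Files\Backup\agent.exe" -service'},
    {"id": 4688, "host": "WS-01", "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# cmd or cmd.exe, at the start or after a path separator/quote/space,
# immediately followed by /k or /c (case-insensitive).
CMD_SHELL_SERVICE = re.compile(r"(?i)(^|[\\\s\"'])cmd(\.exe)?\s+/[kc](\s|$)")


def check_event(ev):
    """Return (rule, severity, detail) when the event matches, else None."""
    if ev["id"] == 4688 and PureWindowsPath(ev["image"]).name.lower() == "tscon.exe":
        as_system = ev["user"].upper().endswith("\\SYSTEM")
        severity = "high" if as_system else "medium"
        return ("tscon_use", severity,
                f'{ev["user"]} ran "{ev["cmdline"]}" on {ev["host"]}')
    if ev["id"] == 7045 and CMD_SHELL_SERVICE.search(ev["path"]):
        return ("cmd_service", "high",
                f'service {ev["service"]!r} on {ev["host"]} runs "{ev["path"]}"')
    return None


def scan(events):
    """Apply check_event to every event and keep the matches, in order."""
    return [finding for finding in map(check_event, events) if finding]


if __name__ == "__main__":
    for rule, severity, detail in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```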

Remote File Copy


System: Windows, Linux, macOS
Rights: User
Description: Files can be copied from one system to another to deploy adversary tools or other files during an operation. Files can be copied from an external system controlled by the attacker through the C&C channel or with other tools using alternative protocols, such as FTP. Files can also be copied to Mac and Linux using built-in tools such as scp, rsync and sftp. Adversaries can also copy files laterally between internal victim systems to support lateral movement and remote command execution. This can be done with file sharing protocols by connecting to network shares over SMB, or using authenticated connections to Windows Admin Shares or RDP.

Protection Recommendations: Use IDS/IPS systems with signatures that identify malicious traffic or unusual data transfers through well-known tools and protocols such as FTP, which can reduce this activity at the network level. Signatures are typically used to detect unique protocol indicators and are based on a specific obfuscation technique used by a specific attacker or tool, so they will most likely differ between malware families and versions. Attackers are likely to modify the signatures of their C2 tools or design protocols in a way that avoids detection by well-known security tools.

As a means of detection, monitoring the creation and transfer of files over the network via SMB is recommended. Unusual processes with external network connections that create files within the system may be suspicious. The atypical use of utilities like FTP can also be suspicious. It is also recommended to analyze network data for unusual data streams, for example, the client sends significantly more data than it receives from the server. Network processes that typically do not have network connectivity are also suspicious. Examine the contents of the packet to find connections that do not match the protocol and port used.

Remote Services


System: Windows, Linux, macOS
Description: Attackers can use valid accounts to log into a service designed to accept network connections, such as telnet, SSH, or VNC. After this, the adversary will be able to perform actions on behalf of the user who is logged in.

Protection Recommendations: Limit the number of accounts that remote services can use. Use multi-factor authentication whenever possible. Limit permissions for accounts that are at higher risk of compromise; for example, configure SSH so that users can run only certain programs. Prevent the credential access techniques that may allow an attacker to acquire valid credentials. Correlate logon activity associated with remote services with unusual behavior or other malicious or suspicious activity. Before attempting to move through the network, an attacker will most likely need to learn about the environment and the relationships between systems using discovery techniques.

Replication Through Removable Media


System: Windows
Description: The technique involves executing a malicious program using the autorun function in Windows. To deceive the user, a "legitimate" file can be modified or replaced in advance and then copied to a removable device by the attacker. The payload can also be embedded in the firmware of the removable device or delivered through the initial media formatting program.

Protection Recommendations: Disable autorun features in Windows. Limit the use of removable devices at the level of the organization's security policy. Use antivirus software.

SSH Capture (SSH Hijacking)


System: macOS, Linux
Description: Secure Shell (SSH) is a standard remote access tool on Linux and macOS that allows a user to connect to another system through an encrypted tunnel, usually authenticating with a password, a certificate, or an asymmetric key pair. To move through the network from a compromised host, adversaries can take advantage of the trust relationships established with other systems through public key authentication in active SSH sessions by hijacking an existing connection to another system. This may be possible through compromise of the SSH agent itself or access to the agent socket. If the adversary can get root access on the system, further hijacking of SSH sessions becomes trivial. Compromising an SSH agent also exposes the SSH credentials it holds.

Protection Recommendations: Make sure that SSH key pairs have strong passphrases and refrain from using key storage technologies such as ssh-agent if they are not properly protected. Make sure that all private keys are stored securely in places that only the rightful owner can access, protected with a complex, frequently changed passphrase. Verify that file permissions are correct and harden the system to prevent privilege escalation to root. Do not allow remote access via SSH as root or other privileged accounts. Ensure that agent forwarding is disabled on systems where it is not explicitly required. Given that the use of SSH can itself be legitimate, depending on the network environment and how it is used, indicators of suspicious or malicious use of SSH are access patterns and subsequent behavior, for example accounts that log on to systems they usually do not access or that connect to multiple systems within a short period of time. It is also recommended that you track the socket files of users' SSH agents that are used by different users.
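Two of the recommendations above (no agent forwarding where it is not required, no root login over SSH) can be checked directly in sshd_config. The following added example, not from the original article, audits a permissive and a hardened configuration; it assumes OpenSSH semantics (the first occurrence of a directive wins, keywords are case-insensitive, directives after a Match line are conditional) and the OpenSSH defaults AllowAgentForwarding yes and PermitRootLogin prohibit-password.

```python
"""Audit sshd_config for the SSH Hijacking mitigations: agent forwarding and
root login.  Both configs are constructed examples."""

# OpenSSH defaults used when a directive is absent (assumed, modern OpenSSH).
DEFAULTS = {"allowagentforwarding": "yes", "permitrootlogin": "prohibit-password"}

WEAK_CONFIG = """
# constructed example: permissive settings
Port 22
PermitRootLogin yes
AllowAgentForwarding yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
# constructed example: hardened settings
Port 22
PermitRootLogin no
AllowAgentForwarding no
PasswordAuthentication no
Match User deploy
    AllowAgentForwarding yes   # conditional, applies only to this user
"""


def parse_sshd_config(text):
    """Return the global directives as {keyword_lowercase: value}.
    Directives inside Match blocks are skipped because they are conditional,
    and sshd honours the first occurrence of a global directive."""
    conf = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True     # everything after this line is conditional
            continue
        if in_match:
            continue
        conf.setdefault(key, value)  # first occurrence wins
    return conf


def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if conf["allowagentforwarding"].lower() != "no":
        findings.append("AllowAgentForwarding is not 'no': a forwarded agent "
                        "socket on this host can be reused by root or the socket owner")
    if conf["permitrootlogin"].lower() != "no":
        findings.append(f"PermitRootLogin is '{conf['permitrootlogin']}': "
                        "direct root login over SSH should be disabled")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['ok']}")
```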

Shared Webroot


System: Windows
Description: An adversary can place malicious content on a website that has a shared webroot or another shared directory for serving web content in the internal network segment, and then browse to that content to make the server execute it. Usually, malicious content runs in the context of the web server process, and depending on how the web server is configured this often means local system or administrative privileges. Such a mechanism for sharing and remote code execution can be used to move to the system running the web server. For example, a web server running PHP with a shared webroot might allow an attacker to place a RAT on the web server's OS that runs when a specific page is visited.

Protection Recommendations: Networks in which users are allowed to conduct open development, test content and run their own web servers are especially vulnerable if the systems and web servers are not properly protected: the use of privileged accounts is unrestricted, network resources can be accessed without authentication, and there is no network isolation of the systems. Ensure that the permissions on directories accessible through the web server are correct. Deny remote access to the site's root directory (webroot) and other directories used to serve web content. Disable execution in webroot directories. Make sure that the web server process has only the permissions it requires. Do not use built-in accounts; instead, create dedicated accounts to limit unnecessary access and avoid permissions that span multiple systems.

Use process monitoring to determine when files were written to a web server by a process that is not normal for a web server or when files were written outside of administrative time periods. Use process monitoring to determine normal processes and subsequently detect abnormal processes that usually do not run on the web server.

Taint Shared Content


System: Windows
Rights: User
Description: The contents of shared network drives and other storage can be tainted by adding malicious programs, scripts or exploit code to hosted files. As soon as a user opens the tainted content, the malicious part can execute and launch the malicious code on the remote system. Adversaries can use this method for lateral movement.

Another variant of the technique uses several other methods of spreading malware when users access a shared network directory. Its essence is to modify directory shortcuts (.lnk, see Shortcut Modification) using masquerading so that the shortcuts look like the real directories, which have been hidden beforehand. The malicious .lnk files contain an embedded command that executes a hidden malicious file and then opens the real directory the user expected. Using this technique in frequently accessed network directories can lead to frequent re-infection and, as a result, give the attacker wide access to systems and possibly to new, more privileged accounts.

Protection Recommendations: Protect shared folders by minimizing the number of users with write permissions. Use utilities that can detect or prevent exploits at the first sign, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET). Reduce the potential for lateral movement by using web-based document management and collaboration services that do not rely on file and directory sharing.

Identify and block potentially dangerous and malicious software that can be used to taint content, using tools such as AppLocker or Software Restriction Policies.
Frequent scanning of shared network directories for malicious files, hidden .LNK files, and other file types that are not typical of a particular directory is recommended. Processes that write or overwrite many files in a shared network directory, as well as processes that run from removable media, should be treated as suspicious.

Third-party Software


System: Windows, Linux, macOS
Rights: User, administrator, System
Description: Third-party software and software deployment systems (SCCM, VNC, HBSS, Altiris, etc.) used on the network for administrative purposes can be used by an attacker to run code remotely on all hosts connected to those systems. The rights required for this technique depend on the particular system configuration. Local credentials may be sufficient to access the software deployment server; however, an administrator account may be required to start the software deployment.

Protection Recommendations: Check the security level of your software deployment systems. Ensure that access to software management systems is limited, controlled and protected. Strictly enforce mandatory pre-approval policies for remote software deployment. Give access to software deployment systems to a limited number of administrators, and isolate the software deployment system. Make sure that the credentials for accessing the software deployment system are unique and not used in other services on the corporate network. If the software deployment system is configured to run only signed binary files, verify that the trusted certificates are not stored on the software deployment system itself, but on a system that cannot be accessed remotely.

Windows Admin Shares


System: Windows
Rights: User
Description: Windows systems have hidden network shares that are accessible only to administrators and provide the ability to copy files remotely and perform other administrative functions. Examples of Windows Admin Shares: C$, ADMIN$, IPC$.
Adversaries can use this technique in combination with existing administrator-level accounts to access the system remotely via Server Message Block (SMB), interact with systems using RPC, transfer files, and run the transferred binaries using Execution techniques. Examples of execution methods based on authenticated SMB/RPC sessions are scheduled tasks, starting services, and WMI. Adversaries can also use NTLM hashes to gain access to Admin Shares through Pass the Hash. The net use command, with valid credentials, can be used to connect a remote system's Windows Admin Shares.

Protection Recommendations: Do not use the same passwords for local administrator accounts on different systems. Ensure that passwords are complex and unique so that they cannot be guessed or cracked. Disable remote logon for the built-in local administrator account. Do not allow user accounts to be members of the local administrators group on multiple systems.

Identify and block potentially dangerous and malicious software that can be used to interact with SMB and Admin Shares using AppLocker or Software Restriction Policies.

Provide centralized collection and storage of logon events. Windows Event Forwarding allows you to collect data on successful and unsuccessful use of accounts that could be used to move through the network. Track the actions of remote users who connect to Admin Shares. Track the use of tools and commands that are used to connect to network shares, such as the Net utility, or to search for systems that are accessible remotely.

Windows Remote Management (WinRM)


System: Windows
Rights: User, Administrator
Description: WinRM is the name of a service and protocol that allows a remote user to interact with the system (for example, starting a file, changing the registry, or changing a service). It is used via the winrm command and other programs, such as PowerShell.

Protection Recommendations: Disable the WinRM service if it is not needed. Where it is needed, isolate the WinRM infrastructure with separate accounts and permissions. Follow the WinRM recommendations for configuring authentication methods, and use host firewalls to restrict access to WinRM and allow it only from specific devices.
