This article will detail some of the most popular lateral movement techniques used by adversaries. Ethical hackers should study these techniques so they can better test their own organization’s network against said attacks. For those wanting a solid look at common lateral movement techniques, this article is for you.

A little about lateral movements

To provide a quick definition here, lateral movements are used by cybercriminals to move throughout a network systematically to search for sensitive date or assets to perform data exfiltration.  Did you know that on average, it takes seven months before data breaches are discovered? And of these breaches, only 4% are actually investigated?  Or how about this: 80% of the time an attack is underway, it is performing lateral movements? This is because most of the time attackers are in systems blind and have to move slowly to minimize detection. Just imagine all of the potential data exfiltration, among other damage, that hackers can cause during this time. It is enough to make you lose sleep for those who are security-minded. 

PowerShell

PowerShell is the number one mechanism by which to implement lateral movement techniques. PowerShell uses object-oriented scripting that makes stealing credentials, system configuration modification and automation of movement from system to system as easy as it is legal to own. (Funny how some of the most easily accessible tools used attack techniques, including lateral movement.) This is a tool and not a technique, technically, but it is definitely worth a mention based on its overrepresentation. Ethical hackers would be smart to use it themselves.

Common lateral movement techniques

Lateral movement techniques are definitely not lacking in number or diversity, but they have the same basic strategy. It goes like this: gain access to a low-privileged asset with low protection, escalate privileges and seek out targets of interest on the network.  Below is a list, in no particular order, of some of the most commonly used techniques by black hat hackers which ethical hackers can use to test their organization’s systems and networks. It follows the old adage of “know your enemy.”

Token stealing

Used in most attacks today, token stealing is a top technique for sure. Using tools such as Windows Credential Editor and mimikatz, attackers find a service account in system memory, generate Kerberos tickets and then use them to gain elevated privileges like domain administrator. This can be performed without detection, often with the use of PowerShell.

Stolen credentials

Stolen credentials are even more common than token stealing. While organizations have responded to the attack environment by investing in anti-malware capabilities, attackers have changed their focus a bit and have shifted more to the fundamental actions within environments. Attackers know that once you steal legitimate credentials, not only is their job easier but it makes it much harder to detect. In fact, stealing credentials is part of nearly every attack strategy under the sun. Some of the most relied-upon methods of stealing credentials include reusing credentials that were leaked on another website, phishing and social engineering, and brute-force attacks. These methods of stealing credentials are what allows for smoother lateral movements within an organization’s network. 

Logon scripts

Windows uses logon scripts whenever users log into a computer system. These scripts can execute other programs, perform administrative functions and send information to login servers on the network. If attackers can access these scripts, they can insert their own pieces of code for continued persistence of a compromised system.  The lateral movement comes into play if these logon scripts are stored in a central server. When these logon scripts are kicked out to systems on the network, attackers can use this to move about. 

Other techniques for lateral movement

Lateral movement techniques are diverse, to say the least, and attackers are resourceful in that they make the most out of the state of systems (especially Windows) which most organizations use. These techniques may be different, but they use a lot of the same corridors to move within a network. These include:

Vulnerability exploitation Removable media Abusing application deployment software Abusing Windows features and services

Wait a minute, did I just say Windows features and services? I did. This is the scariest thing for an organization’s network, because Windows features and services are running 24/7 and are used daily. These features and services can include (non-exclusive list):

Remote desktop Server Message Block (SMB) Service Control Manager (SCM) Windows Management Instrumentation (WMI) Task scheduler Windows Remote Management (WinRM) Distributed Component Object Model (DCOM)

Mobile lateral movement

Mobile technology is not spared from the onslaught of lateral movement techniques. The two most common techniques are presented below.

Attacking a PC via USB connection

Attackers are adept at using Android technology in their attacks, and lateral movement is part of this game plan. Simply put, attackers can escalate privileges within a mobile device and then program the mobile device to impersonate other USB devices in order to attack a computer that it is physically connected to. This technique has not been discovered on iOS as of yet. 

Exploit enterprise resources

Attackers can also use the mobile device’s access to organization network resources through either a local connection or Virtual Private Network (VPN). The best example of this is DressCode, which is an Android malware family that creates a “general purpose tunnel” by which adversaries can use to move about within a network.

Conclusion

Lateral movement in network and system attacks is equivalent to physical movement in a burglary. The burglar needs to be able to freely move within a location to perform their burglary, and attackers need the same kind of mobility to check out what is in a network and avoid detection.  With the average attack lifespan being seven months before detection, lateral movement is essential to keeping these attacks from being detected, as well as for reconnaissance with a network. Ethical hackers should become adept at using these lateral movement techniques within their network to get a better idea of how real-world attackers would act if they get in. 

Sources

The Top 20 Lateral Movement Tactics, Smokescreen Hacking Happens: Stolen Credentials, Immunio Lateral Movement, MITRE Lateral Movement (Mobile), MITRE Logon Scripts, MITRE