ATT&CK Series: Lateral Movement Techniques
June 25, 2019
Security teams are constantly inundated with security events, and it’s easy to waste time investigating mundane traffic anomalies. It can be sometimes difficult to discern these alerts from malicious threat actors trying to compromise a system. However, security events pertaining to lateral movement techniques should be a priority, as they are a clear indicator of a threat that has established a foothold in an environment and is attempting to extend their reach further.
In this post, we will look at ATT&CK’s Lateral Movement Phase techniques and tactics from an adversarial perspective. There are several different methods that adversaries can employ to move throughout a network. However, we will cover two techniques commonly used by adversaries to access and control remote systems on a network. It is important to be aware of is at this stage the methods being used by adversaries often utilize native operating system utilities and features, that have legitimate uses and are typically implemented by network administrators for remote administration.
Once an adversary compromises domain user credentials in an environment, they can use a variety of different techniques to identify systems in the network that these accounts have administrative privileges on. While there are many different ways to determine if a user has administrative privileges on a remote system, they all involve interacting with the system’s administrative network shares. These shares are often overlooked as they are only accessible to administrators through the C$, and ADMIN$ share and provide administrators the ability to manage these systems remotely. Adversaries will often scan looking to see if the credentials they have compromised have read and write access to these shares. The C$ share provides direct access to the remote systems C:\ drive while the ADMIN$ share provides access to the folder that the Window’s Operating is installed to; functionality that is enabled by default on all recent Windows systems over the last two decades.
What's the Risk?
Adversaries can abuse the access to these admin shares to perform remote administrative tasks to compromise the remote system. This is often done by using the built-in administrative functions such as PowerShell or WMI commands to execute malicious code to gain a remote command session or even exfiltrate data stored on the remote system. More information about the different techniques that can be executed, through admin shares please see the ATT&CK’s Execution Techniques.
How to Mitigate
There are several different preventative measures to mitigate an adversary’s ability to abuse Admin Shares in a network. The first preventative measure involves reviewing all local administrative accounts to ensure these local account’s passwords are unique (i.e are not reused across other systems). Management of this can be done through a Local Admin Password Solution (LAPS).
Second, ensure the proper login/authentication events are turned on and centrally collected. Windows event logging can collect success and failure login events for accounts that may be used to move laterally and can be collected using tools such as Windows Event Forwarding. By monitoring for remote login events and actions related to remote users who connect to administrative shares can help identify adversaries’ activities.
Lastly, IT security staff should monitor command-line activity in Windows systems for suspicious behavior, specifically focusing on the use of tools such as “runas.” If an administrator account is being used at an odd time of day to launch several copies of notepad.exe or another seemingly innocuous tool, this might be an indication of compromise.
Finally, audit accounts with administrative privileges and limit administrative access to only those users who require it. Keeping the number of administrative accounts low presents fewer targets of interest for adversaries.
Pass the Hash (PtH) is a very common technique performed by adversaries to move laterally in an environment. This technique uses an account’s password hashed representation (commonly referred to as “password hashes”) from one host to authenticate against another, without knowing the user’s cleartext password. This is done by passing the New Technology LAN Manager (NTLM) hash of a valid user’s account forcing the remote host to authenticate using the NTLM protocol instead of using then normal authentication protocol (i.e., username and password).
Password hashes can be often gained by intercepting network traffic with the goal of tricking network-based resources into divulging these hashes, (often referred to as Man-in-the-Middle attacks). Other techniques that adversaries commonly utilize involve extracting password hashes directly off of a compromised machine. This can often yield password hashes from local accounts, stored in the local system’s SAM (Security Account Manager) file, or of domain accounts, that reside in the Local Security Authority Subsystem Service LSSAS’s process memory. More information about the different techniques outlined in the ATT&CK’s Credential Access Techniques.
What's the Risk?
The risk associated with PtH attacks varies depending on if an adversary manages to get administrative privileges on a compromised system. If they manage to, an adversary can easily extract the contents of SAM file or LSSAS process from a computer to then leverage these password hashes to move laterally through a network by compromising credentials. With password hashes an adversary doesn’t need to crack or guess the cleartext representation, defeating any password complexity rules in place.
How to Mitigate
There are several ways to defend against PtH attacks. The most common is to ensure the proper Microsoft KB2871997 patch is applied across an environment. This patch forces Windows systems to clear off any credentials of logged off domain users after 30 seconds. This ensures that both the cleartext passwords and password hashes are removed from a system’s memory. Another mitigation step involves implementing the registry key “HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel.” By setting the “LMCompatabilityLevel” value to 5, windows systems only allow NTLMv2 authentication and refuse LM and NTLM authentication requests. NTLMv2 includes a time-based response, which makes PtH attacks impossible. This registry change can be deployed in an environment through group policies. Additionally, monitoring can be used to identify any suspicious login and credential events through the use of Windows event logging, described above. Finally, implementation of LAPS solution to ensure unique credentials are assigned to each machine can thwart an adversaries ability to perform a PtH attack.
It is essential to stay up to date with the techniques adversaries use for lateral movement. Hackers are continuously developing new techniques and tools to perform these types of attacks. As a result, logging these events in a centralized system and developing a robust alert based on these events can security teams focus in on potential threats in a more effective manner. Staying current is a sure way to be one step ahead of a would-be intruder. This series will continue to cover each of the ATT&CK tactics to provide knowledge on the dangers of each tactic and some of the most critical techniques.
Read more in our ATT&CK series. Here's a review of related posts on this critical topic:
- ATT&CK Intro - September 2018
- ATT&CK Initial Access - October 2018
- ATT&CK Privilege Escalation - November 2018
- ATT&CK Discovery - March 2019
- ATT&CK Persistence - April 2019
- ATT&CK Credential Access - April 2019
- ATT&CK Execution - May 2019
- ATT&CK Defense Evasion - May 2019
- ATT&CK Lateral Movement Techniques - June 2019
- ATT&CK Exfiltration - July 2019
- ATT&CK Series: Command and Control - August, 2019
- ATT&CK Series: Collection Tactics – September, 2019
- ATT&CK Series: Impact – September, 2019