
LATERAL MOVEMENT

WHAT

Lateral movement is the process of pivoting from host to host or from one user account to another in order to reposition, supplement, or spread the active foothold. These activities are conducted after initial access is obtained and are often used to move to network locations of specific interest to the adversary.

WHY

Many times adversaries will gain access to compromised networks without having proximity to the specific systems or data they are targeting. Additionally, the level of privilege they obtain may not be high enough to garner the access they need. For these reasons, it is often necessary for adversaries to laterally move through the network from host to host or account to account until they can reach the location within the target environment needed to conduct further attack steps.

HOW

After establishing a communication channel into the target network, APT39 has used SOCKS5 proxies, RDP, and SSH to distribute remote commands throughout multiple compromised hosts. Several of these protocols may also be used to compromise valid accounts via session hijacking. Several other well-known, built-in protocols have been used to attack additional hosts within the target network. For example, APT39 has used Server Message Block (SMB) to access network shares to potentially transfer and execute malicious binaries on neighboring hosts.

RVA Attack Analysis

Pass the Hash (PtH): PtH made up 29.8 percent of successful RVA attempts at lateral movement. This technique bypasses the step of supplying account passwords by submitting the password hashes to the authentication process. PtH may provide adversaries with authenticated access to systems without discovering the compromised user account’s password.

Remote Desktop Protocol (RDP): The use of RDP (25 percent of successful attempts at lateral movement) allowed the assessment teams to expand their footprint within compromised networks by remotely accessing and controlling neighboring hosts from previously exploited systems.

Exploitation of Remote Services: Remote services exhibiting coding errors were exploited from within the compromised network (11.9 percent of successful attempts at lateral movement). In some cases, the privilege level of the exploited service is higher than that of the adversary. Exploiting remote services with heightened privileges may result in increased privilege levels on the newly compromised system.

Impact

Many organizations’ networks house systems or data deemed critical to achieving overall mission success. These systems are typically located in network segments with increased protections and access is typically restricted based on user roles and privilege level. However, by allowing an adversary to pivot from host to host within a compromised environment, it is possible for these critical systems to become susceptible to compromise. Limiting an adversary’s lateral movement constrains their activity to a confined space, potentially preventing their ability to meet their target objectives.

Mitigation/Remediation

  • Limit credential overlap across systems (e.g., Windows Local Administrator Password Solution).
  • Ensure sensitive data is not on file shares by running monthly scans for password files or configuration files containing similar data.
  • Do not allow a domain user to be in the local administrator group on multiple systems.
  • Apply appropriate Windows patches and configurations (e.g., Pass the Hash Mitigations: Apply User Account Control (UAC) restrictions to local accounts on network logons).
  • Use multifactor authentication (MFA) for remote management sessions.
  • Disable the RDP service if it is unnecessary.
  • Routinely review the list of users with remote management privileges and remove unnecessary accounts.
  • Limit use of remote services.
  • Use application isolation and sandboxing techniques to increase network segmentation, limiting unauthorized movement.
  • Use host-based firewall rules to limit host-to-host traffic to required protocols and services.
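The following read-only audit is an added example, not part of the RVA page or any CISA tooling: run from an elevated PowerShell session, it checks a single Windows host for three of the mitigations above (the UAC remote-restriction setting that blunts Pass the Hash, whether RDP is enabled and requires Network Level Authentication, and which domain users sit in the local Administrators group). The registry paths and value names are the documented Windows locations; the function and finding texts are this example's own.

```powershell
# Added example: audit one host for the PtH/RDP/local-admin mitigations listed above.
# Read-only: nothing is modified. Requires an elevated session for Get-LocalGroupMember.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-LateralMovementMitigations {
    $findings = @()

    # 1. UAC remote restrictions (the PtH mitigation). Absent or 0 = local admin
    #    accounts get a filtered token on network logons (hardened); 1 = full token.
    $tokenFilter = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    if ($tokenFilter -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: local admins receive a full token over the network; set to 0 or remove the value.'
    }

    # 2. RDP state. fDenyTSConnections=1 means Remote Desktop refuses connections.
    $denyTS = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
    if ($denyTS -ne 1) {
        $findings += 'RDP is enabled (fDenyTSConnections is not 1); disable it if unnecessary.'
        # 3. If RDP stays on, require Network Level Authentication (UserAuthentication=1).
        $nla = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
        if ($nla -ne 1) {
            $findings += 'RDP does not require NLA (UserAuthentication is not 1).'
        }
    }

    # 4. Domain users in the local Administrators group (credential-overlap risk).
    #    Cross-host correlation of these names shows who is admin on more than one system.
    $domainAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' -and $_.ObjectClass -eq 'User' }
    foreach ($member in $domainAdmins) {
        $findings += "Domain user $($member.Name) is a local Administrator on $env:COMPUTERNAME."
    }

    return $findings
}

$result = Test-LateralMovementMitigations
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

Run it across a fleet (for example via remoting) and merge the item-4 lines to find domain users who are local administrators on more than one system, which a single-host check cannot see on its own.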
