Lateral Movement and Pivoting

PRACTICE! PRACTICE! PRACTICE!

Lateral Movement is the group of techniques used by attackers to move around a network

Once an attacker has gained access to the first machine of a network, moving is essential

If we take a closer look at the cyber kill chain diagram, we can see that the Lateral Movement phase is an additional step on top of an otherwise linear process

We use any available credentials to perform lateral movement, giving us access to new machines where we elevate privileges and extract credentials if possible

Real Time Example

We are performing a Red Team Engagement where our final goal is to reach an internal code repository

  • We got our first compromise on the target network through a phishing campaign. Phishing campaigns are usually more effective against non-technical users, so our first access might be through a machine in the Marketing department

  • Marketing workstations will typically be restricted by firewall policies from accessing any critical services on the network, including administrative protocols, database ports, monitoring services or anything else not required for their day-to-day work, code repositories included

  • To reach sensitive hosts and services, we need to move to other hosts and pivot from there to our final goal. We could try elevating privileges on the Marketing workstation and extracting local users' password hashes. If we find a local administrator, the same account may be present on other hosts

  • After doing some recon, we find a workstation with the name DEV-001-PC. We use the local administrator's password hash to access DEV-001-PC and confirm it is owned by one of the developers in the company. From there, access to our target code repository is available

Notice that while lateral movement might need to be used to circumvent firewall restrictions, it is also helpful in evading detection. In our example, even if the Marketing workstation had direct access to the code repository, it is probably desirable to connect through the developer's PC. This behaviour would be less suspicious from the standpoint of a blue team analyst checking login audit logs

Attacker's Perspective

There are several ways in which an attacker can move laterally. The simplest is to use standard administrative protocols such as WinRM, RDP, VNC or SSH to connect to other machines around the network

  • While a user from IT connecting to the web server via RDP might be usual and go under the radar, care must be taken not to attempt any suspicious connections

Why is the local admin user connecting to DEV-001-PC from the Marketing-PC?
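To show what that question looks like from the blue team side, here is an added example (not part of the original notes) that runs a small check over constructed Windows Security 4624 logon records: it flags remote logons that use a host's local account, or that come from a workstation which does not normally administer that host. The host names, user names and the "expected sources" baseline are all assumptions made for the example.

```python
# Added example: baseline check over constructed EventID 4624 (successful logon)
# records, to surface the "local admin from a Marketing PC" pattern in audit logs.
# Host/user names and the baseline below are assumptions, not real data.

REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WinRM), 10 = RemoteInteractive (RDP)

# Assumed baseline: which workstations normally administer which host.
EXPECTED_ADMIN_SOURCES = {
    "DEV-001-PC": {"IT-JUMP-01"},
    "WEB-01": {"IT-JUMP-01"},
}

# Constructed sample events using the field names found in EventID 4624.
SAMPLE_EVENTS = [
    {"Computer": "DEV-001-PC", "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "LogonType": 2, "WorkstationName": "DEV-001-PC"},            # console logon
    {"Computer": "DEV-001-PC", "TargetUserName": "Administrator",
     "TargetDomainName": "DEV-001-PC", "LogonType": 3, "WorkstationName": "MKT-014-PC"},
    {"Computer": "WEB-01", "TargetUserName": "itadmin", "TargetDomainName": "CORP",
     "LogonType": 10, "WorkstationName": "IT-JUMP-01"},           # expected RDP
    {"Computer": "DEV-001-PC", "TargetUserName": "itadmin", "TargetDomainName": "CORP",
     "LogonType": 10, "WorkstationName": "MKT-014-PC"},
]


def flag_lateral_logons(events, expected_sources=EXPECTED_ADMIN_SOURCES):
    """Return a list of (event, reasons) for remote logons that deviate from the baseline."""
    findings = []
    for ev in events:
        if ev["LogonType"] not in REMOTE_LOGON_TYPES:
            continue  # console logons are out of scope for this check
        reasons = []
        # A local account (domain field equals the host name) used over the network
        # is the signature of a shared local administrator being reused between hosts.
        if ev["TargetDomainName"].upper() == ev["Computer"].upper():
            reasons.append("local account used for remote logon")
        # The source workstation is not one that normally administers this host.
        allowed = expected_sources.get(ev["Computer"], set())
        if ev["WorkstationName"] not in allowed:
            reasons.append(f"unexpected source {ev['WorkstationName']}")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in flag_lateral_logons(SAMPLE_EVENTS):
        print(f"{ev['WorkstationName']} -> {ev['Computer']} as "
              f"{ev['TargetDomainName']}\\{ev['TargetUserName']}: {', '.join(reasons)}")
```

In a real environment the baseline would come from an asset inventory or from a learning period over the logs themselves, and the same check can be extended to EventID 4648 (explicit credential use) where the source host is recorded.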

Attackers nowadays also have other methods of moving laterally while making it somewhat more challenging for the blue team to detect
