9 Lateral Movement Techniques and Defending Your Network (2024)

What Are Lateral Movement Techniques?

Lateral movement techniques refer to the strategies and methods employed by cybercriminals to progress through a network after gaining initial access. This is usually done to target specific data or resources within the network. Cybercriminals often take advantage of vulnerabilities in the network’s security to achieve their goal. Understanding these techniques is critical for establishing effective cybersecurity measures.

About this Explainer:

This content is part of a series about TTPs (tactics, techniques, and procedures).

Common Lateral Movement Techniques

Let’s review some common techniques that cybercriminals use to carry out lateral movement.

1. Keyloggers

A keylogger is a type of malware that records keystrokes on a computer. Cybercriminals use keyloggers to steal sensitive information like usernames, passwords, and credit card numbers. When an attacker compromises a user’s device and installs a keylogger, they gain access to all the credentials used by that employee in their day-to-day job. This enables lateral movement.

2. Pass-the-Hash (PtH) Attacks

In a PtH attack, the attacker steals the hashed version of a user’s password and uses it to authenticate as that user. Since the hash is presented instead of the actual password, the attacker bypasses password-based authentication. One of the key weaknesses that enables PtH attacks is unnecessary or outdated user accounts, which make easy targets.

3. Pass-the-Ticket (PtT) Attacks (Gold and Silver Tickets)

Pass-the-Ticket (PtT) attacks are similar to PtH attacks, but instead of stealing password hashes, the attacker steals Kerberos tickets. Kerberos is a network authentication protocol that uses tickets to authenticate users. In a PtT attack, the attacker steals a user’s ticket and uses it to authenticate as that user.

There are two types of PtT attacks: Gold Ticket and Silver Ticket attacks. In a Gold Ticket attack, the attacker steals the ticket-granting ticket (TGT), which allows them to authenticate as any user on the network. In a Silver Ticket attack, the attacker steals a service ticket, which allows them to authenticate as a user to a specific service.

4. Kerberoasting

Kerberoasting exploits the Kerberos protocol’s Ticket Granting Service (TGS) by taking advantage of how service tickets are issued and encrypted. Any authenticated user can request a TGS ticket for a given service, so the adversary first requests tickets for the services they want to target. Each ticket is encrypted with a key derived from the service account’s password. A long, random password makes this encryption effectively uncrackable, but some service accounts have weak passwords that can be brute-forced.

The attacker can take the TGS ticket offline and attempt to crack it, revealing the service account’s password. Once the password is obtained, they can impersonate the service and access or decrypt the service’s data. Unlike Pass-the-Ticket attacks, Kerberoasting does not require administrator rights, does not rely on account lockout policies, and does not generate suspicious network activity, making it more stealthy.
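The request-and-crack pattern described above leaves a defender-visible trace on the domain controller: a burst of service ticket requests. As an added example (not code from the article or from Exabeam), the Python below flags that signature: one account requesting RC4-encrypted tickets for many distinct user service accounts within a short window. The pipe-delimited log layout is a constructed, simplified rendering of Windows Security event 4769 and is an assumption; the field meanings (requesting account, service name, ticket encryption type where 0x17 is RC4-HMAC) are real.

```python
"""Detect Kerberoasting-style service ticket requests in Windows security logs.

Added example, not Exabeam's code. The input is a constructed, simplified
rendering of Windows Security event 4769 ("A Kerberos service ticket was
requested"); the real event is EVTX/XML, so the pipe-delimited layout and the
short field names are an assumption. The field meanings are real: TargetUserName
is the requesting account, ServiceName is the account the SPN belongs to, and
TicketEncryptionType 0x17 is RC4-HMAC.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp|requesting account|service account|encryption type
SAMPLE_4769 = """\
2024-05-01T09:00:01|alice|FILESRV01$|0x12
2024-05-01T09:00:05|alice|krbtgt|0x12
2024-05-01T09:03:10|bob|sql_svc|0x17
2024-05-01T09:03:11|bob|http_svc|0x17
2024-05-01T09:03:11|bob|mssql_svc2|0x17
2024-05-01T09:03:12|bob|backup_svc|0x17
2024-05-01T09:03:12|bob|sharepoint_svc|0x17
2024-05-01T09:10:00|carol|sql_svc|0x12
"""

RC4_HMAC = "0x17"  # etype 23; AES128/AES256 tickets are 0x11/0x12 and are not practically crackable


def parse_4769(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, account, service, etype = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "service": service, "etype": etype.lower()})
    return events


def is_roastable(event):
    """Computer accounts (name ends in '$') have long machine-generated passwords and
    krbtgt is the TGT service itself, so tickets for them are not Kerberoasting targets."""
    service = event["service"]
    return not service.endswith("$") and service.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=4):
    """Return {account: sorted service names} for every account that requested RC4
    tickets for at least `min_services` distinct user service accounts within `window`.

    A normal user touches one or two services; requesting many different SPNs with
    the weakest encryption type in a burst is the classic Kerberoasting signature.
    """
    by_account = defaultdict(list)
    for ev in events:
        if ev["etype"] == RC4_HMAC and is_roastable(ev):
            by_account[ev["account"]].append(ev)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            # sliding window anchored at each request
            in_window = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(in_window) >= min_services:
                hits[account] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for account, services in detect_kerberoasting(parse_4769(SAMPLE_4769)).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Tune `min_services` and `window` against your own environment; a backup or monitoring account that legitimately touches many SPNs will need an allow-list. The alert stops firing once service accounts are configured for AES-only tickets and use long, random passwords (or group managed service accounts), which removes the crackable material rather than just the signal.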

5. Remote Desktop Protocol (RDP)

RDP allows users to remotely control another computer. While this can be a useful tool for legitimate purposes, attackers can also use it to move laterally through a network. Because of the risks inherent in RDP, it should only be used if absolutely necessary and should have strong authentication. You should also regularly monitor your network for unexpected RDP sessions.

6. Server Message Block (SMB) and Windows Management Instrumentation (WMI)

SMB, a network protocol primarily used for providing shared access to files, printers, and serial ports, is often exploited by attackers to move laterally across a network. A critical exploit discovered in SMB, called EternalBlue, was the exploit used in the global-scale WannaCry ransomware attack. Recent versions of SMB address these security vulnerabilities.

WMI is a set of specifications from Microsoft for consolidating the management of devices and applications in a network. WMI, however, can be manipulated by cybercriminals to evade application allowlisting, circumvent host-based security tools, and execute scripts remotely.

SMB (especially older versions, or implementations that do not follow security best practices) and WMI together give attackers a potent toolset for traversing a network stealthily.

7. SSH Hijacking

This method involves an attacker gaining control over an SSH session, allowing them to execute commands remotely on the target system. It is particularly dangerous because SSH is commonly used to administer systems remotely. An attacker with control over an SSH session can potentially gain the same level of access as the original user.

8. Living off the Land (LotL)

Living off the Land (LotL) is a technique where attackers use built-in tools already available on the target system for their malicious activities. By leveraging legitimate programs and processes, attackers can blend in with regular network traffic, making detection and prevention more challenging.

This technique can involve anything from abusing PowerShell, the command-line interface, and administrative tools to utilizing macros and scripts. It allows attackers to carry out lateral movement using only the tools already present on systems they have compromised.

9. Masquerading and Mimikatz

Masquerading is a lateral movement technique where an attacker impersonates a legitimate user or process to evade detection. This can be done by renaming malicious files or processes to match legitimate ones, or by using stolen credentials to appear as a trusted user.

Mimikatz is a tool often used in masquerading attacks. By extracting plaintext passwords, password hashes, PIN codes, and Kerberos tickets from memory, Mimikatz allows attackers to impersonate legitimate users and move laterally across a network.

Traditional Lateral Movement Protection and the Need for UEBA

Let’s review how organizations traditionally protected themselves against lateral movement, and the shortcomings of these techniques.

Why Legacy Detections with Rules Are Not Enough

The traditional approach to detecting cyber threats involves the use of rules-based systems. For example, if a user had several failed login attempts in the space of five minutes, an alert would be raised. These types of rule-based alerts are becoming increasingly inadequate against sophisticated lateral movement techniques, because they can only detect specific, known threats. Cybercriminals constantly develop new strategies that can easily bypass these rules.

This is where User and Entity Behavior Analytics (UEBA) comes in. UEBA utilizes machine learning algorithms and statistical analysis to detect abnormal behavior in your network. Instead of relying on predetermined rules, UEBA learns from the behavior of users and entities in the network and raises an alert when it detects anomalies. This makes it capable of detecting both known and unknown threats, providing a more robust defense against lateral movement.

Why Privilege Escalation Matters

Cybercriminals often start by gaining limited access to your network, through a set of compromised credentials or a vulnerability on a single machine that gives them access to an application or service. However, to achieve their goals, they usually need higher privileges. This process is known as privilege escalation.

Understanding privilege escalation is crucial because it is often the first step in a lateral movement attack. If you can detect and stop privilege escalation, you can prevent the attacker from moving laterally through your network. UEBA technology is critical in preventing privilege escalation, because most forms of privilege escalation diverge from the typical activity on a user account. So although such actions are not clearly malicious in themselves (e.g., an administrative user granting another user admin access), they can be detected and flagged for further investigation.

Where Can You See the Activity?

Detecting lateral movement activity requires careful monitoring of your network. This includes monitoring both user and system activities. Unusual user activities, such as an internal machine conducting an out-of-character nmap scan, or login attempts at odd hours or from unusual locations, can indicate a potential attack. Unexpected system activities, such as changes in file permissions or system configurations, can also indicate lateral movement.

Advanced threat detection tools can help you monitor these activities. They automatically analyze logs from other detection or system activity monitoring systems to find suspicious activity. For example, modern security information and event management (SIEM) systems can gather data from across the IT environment and analyze it with UEBA to detect lateral movement early, even when it relies on advanced evasion techniques.
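To make the contrast between the two approaches concrete, here is an added Python example (not Exabeam's detection logic and not from the article) that runs both over the same constructed logon log: the five-minute failed-logon rule from the Legacy Detections section, and a minimal UEBA-style baseline that learns each user's usual logon hours and source hosts and then flags the odd-hours logon and the unexpected RDP session mentioned above. The pipe-delimited line layout is an assumption modelled loosely on Windows 4624/4625 logon events; logon type 10 really is RDP (RemoteInteractive), everything else in the data is made up.

```python
"""A five-minute failed-logon rule beside a small UEBA-style baseline detector.

Added example, not Exabeam's product logic. The log lines are constructed and
use an assumed layout loosely modelled on Windows 4624/4625 logon events:
timestamp|user|source host|logon type|SUCCESS or FAIL. Logon type 10 is
RemoteInteractive (RDP) in Windows; the users, hosts and times are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10

# Constructed baseline period: alice and bob log on from their own workstations in office hours
TRAINING_LOG = """\
2024-05-01T08:05:00|alice|WS-ALICE|2|SUCCESS
2024-05-01T13:10:00|alice|WS-ALICE|2|SUCCESS
2024-05-02T09:00:00|alice|WS-ALICE|2|SUCCESS
2024-05-02T17:30:00|alice|WS-ALICE|2|SUCCESS
2024-05-01T08:50:00|bob|WS-BOB|2|SUCCESS
2024-05-02T16:00:00|bob|WS-BOB|2|SUCCESS
2024-05-03T09:30:00|bob|WS-BOB|2|SUCCESS
"""

# Constructed day under review: an off-hours logon, an RDP hop to a server, a failure burst
EVENTS_LOG = """\
2024-05-06T03:15:00|alice|WS-ALICE|2|SUCCESS
2024-05-06T10:02:00|alice|WS-ALICE|2|SUCCESS
2024-05-06T10:30:00|alice|SQL01|10|SUCCESS
2024-05-06T10:40:00|bob|WS-BOB|2|FAIL
2024-05-06T10:40:20|bob|WS-BOB|2|FAIL
2024-05-06T10:40:40|bob|WS-BOB|2|FAIL
2024-05-06T10:41:00|bob|WS-BOB|2|FAIL
2024-05-06T10:41:20|bob|WS-BOB|2|FAIL
2024-05-06T10:42:00|bob|WS-BOB|2|SUCCESS
"""


def parse_logons(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, host, logon_type, result = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                        "type": int(logon_type), "ok": result == "SUCCESS"})
    return records


def failed_logon_rule(records, threshold=5, window=timedelta(minutes=5)):
    """Legacy rule from the text: alert when one user reaches `threshold` failures inside
    `window`. Returns (user, timestamp of the failure that crossed the threshold) pairs."""
    recent = defaultdict(list)
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["ok"]:
            continue
        bucket = recent[rec["user"]]
        bucket.append(rec["ts"])
        while rec["ts"] - bucket[0] > window:  # expire failures that fell out of the window
            bucket.pop(0)
        if len(bucket) == threshold:
            alerts.append((rec["user"], rec["ts"]))
    return alerts


def build_baseline(records):
    """Learn, per user, the source hosts and logon hours seen in successful logons."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for rec in records:
        if rec["ok"]:
            profile[rec["user"]]["hosts"].add(rec["host"])
            profile[rec["user"]]["hours"].add(rec["ts"].hour)
    return dict(profile)


def score_logons(records, baseline):
    """Flag successful logons that deviate from the user's own baseline. There is no
    fixed 'odd hour' or 'known host' rule: the learned profile decides per user."""
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not rec["ok"]:
            continue
        reasons = []
        prof = baseline.get(rec["user"])
        if prof is None:
            reasons.append("no baseline for user")
        else:
            lo, hi = min(prof["hours"]), max(prof["hours"])
            if not lo <= rec["ts"].hour <= hi:
                reasons.append(f"logon at hour {rec['ts'].hour:02d} outside baseline {lo:02d}-{hi:02d}")
            if rec["host"] not in prof["hosts"]:
                reasons.append(f"new source host {rec['host']}")
                if rec["type"] == RDP_LOGON_TYPE:
                    reasons.append("RDP (logon type 10) from host not in baseline")
        if reasons:
            alerts.append({"user": rec["user"], "ts": rec["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_logons(TRAINING_LOG))
    events = parse_logons(EVENTS_LOG)
    for user, ts in failed_logon_rule(events):
        print(f"RULE  {ts:%H:%M:%S} {user}: 5 failed logons within 5 minutes")
    for alert in score_logons(events, baseline):
        print(f"UEBA  {alert['ts']:%H:%M:%S} {alert['user']}: {'; '.join(alert['reasons'])}")
```

The rule fires only on bob's failure burst. The baseline detector, with no rule written for either case, flags alice's 03:15 logon and her RDP session to SQL01, neither of which a failed-logon rule can see. A production UEBA model uses many more features and a statistical threshold rather than a min/max hour range, but the division of labour is the same: rules for known patterns, baselines for deviations.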

Achieving Visibility, Preventing and Mitigating Lateral Movement

Beyond the use of UEBA, here are advanced techniques you can use to prevent lateral movement in your network.

Microsegmentation

Microsegmentation divides a network into multiple isolated segments through containerization or other logical access controls like internal firewalls or web gateways. By doing so, you can limit an attacker’s ability to move laterally across your network. This method limits the blast radius in the event of a breach, ensuring that even if one segment is compromised, the attacker cannot move laterally to other parts of the network.

Endpoint Protection

Endpoint protection involves securing endpoints or entry points of end-user devices such as workstations and mobile devices from being exploited by malicious actors. It typically includes advanced anti-malware software, device firewalls, device control, and other security measures. By securing these entry points, you can prevent attackers from gaining a foothold in your network and moving laterally.

Active Directory Security

Active Directory (AD), whether local or cloud-based, plays a crucial role in network security. It allows administrators to manage and secure identities on a network. With the proliferation of smart devices (and their accompanying service accounts), AD activity is often a key place to notice anomalies and identify attempted privilege escalation. Modern cloud platforms like Azure Active Directory (Azure AD) and Okta AD provide built-in tools for securing identities and identifying anomalies. By properly configuring and securing your AD, you can prevent many lateral movement techniques, such as Pass-the-Hash and Kerberoasting.

Password Rotation and Multi-Factor Authentication

Password rotation is the practice of periodically changing user passwords. This method is used to limit the duration a stolen password is valid, thus potentially thwarting unauthorized access gained through compromised credentials.

Multi-factor authentication (MFA) adds an additional layer of security by requiring users to provide two or more verification factors to gain access to a resource, such as a physical token, a mobile phone verification code, or a fingerprint, in addition to the password. This is highly effective against lateral movement because even if an attacker obtains a password, they still need the second factor to proceed.

Security Orchestration, Automation, and Response (SOAR)

SOAR refers to technologies that help collect security threat data and alerts from different sources, and use both machine and human analysis to triage, investigate, and respond to incidents. SOAR automation enables rapid handling of low-level threats without human intervention. The response component of SOAR allows security teams to respond to threats in real-time, mitigate damages, and prevent attackers from moving laterally.

Lateral Movement Visibility with Exabeam

Exabeam helps security teams outsmart adversaries using lateral movement with the support of automation and use case content across the full analyst threat detection, investigation, and response (TDIR) workflow. First, we prescribe data sources to collect and analyze. Our user and entity behavior analytics (UEBA) then develops a baseline of normal activity for every user and device in an organization. As an adversary begins to move within a network, abnormal activity is identified using pre-built detection rules and models, including mapping to MITRE ATT&CK framework techniques associated with lateral movement. This activity is flagged and added to the user or entity’s risk score.

Risk scores and watchlists help security teams focus on the riskiest incidents, while Exabeam Smart Timelines automatically display the full attack chain to dramatically accelerate incident investigations. Exabeam response playbooks enable analysts to quickly and effectively remediate incidents and reduce mean time to respond (MTTR).

Learn more about lateral movement and Exabeam.
