Lateral Movement

After the initial host compromise, malicious actors attempt to move laterally within the compromised organization and focus their efforts on internal reconnaissance, credential harvesting and attack of internal system. It is common that built-in tools are used during this step in order to avoid detection, because tools like Microsoft’s PowerShell and WMI are white-listed and their activity is often not part of the security log review process [1]. The avoidance of detection on the network is a key aspect of long term, persistent campaigns.

One of the most common approaches to move laterally is credential harvesting. It starts within the initially compromised machine and continues across the network. Attackers usually try to extract network credentials via multiple ways, such as searching for files that store credentials, key-logging, memory dumps, etc. Once credentials are obtained, they are used to access other systems on the target’s infrastructure where the procedure can be repeated until the end goal is reached. Another way to spread through the network is by exploiting unpatched systems. In this case network is probed for vulnerable systems which are then exploited. This approach is less common than credential harvesting due to higher likelihood that the systems are patched or the lack of Zero-Day exploits in APT’s arsenal which would apply to the environment being exploited.

Lateral Movement Techniques

It is often the case that the initially compromised computer is not the final target. In such a case, attackers attempt to move through the infrastructure of the target’s organization to gain more access across the network in order to find the system where the information they seek resides. While there are multiple ways of moving across the network of the target’s organization it usually starts with credential harvesting and network enumeration then continues with jumping to other systems and repeating the cycle until the final destination is reached.

Credential harvesting

It’s a common practice across the PC users to store their login credentials in browsers. Attackers usually embed credential harvesting modules in their malware in order to take advantage of this browser feature. A quick example of this credential harvesting from a Chrome web browser is shown in Figure 1.

Figure 1: Credential harvesting from a Chrome web browser

Another way to harvest user’s credentials is to use a key logger. It’s also a common feature of malware which is used by APT actors during their campaigns. To illustrate such an approach one could use a built-in key-logging module in meterpreter’s RAT. An example of such an activity is shown in Figure 2.

Figure 2: Credential harvesting via key-logging

While the previous approaches can be executed from the limited user’s context, it’s not always the case that the credentials are stored in the web browser or that the user happens to be typing his credentials during the day. Therefore, a previously successfully conducted privilege escalation attack allows an attacker to obtain user’s credentials from the memory, often in plain-text. For such a purpose a variation of a well-known tool mimikatz is usually used. An example of such an attack can be performed by using the creds_all command from a kiwi module (see Figure 3).

Figure 3: Credential harvesting from the memory

Network fingerprinting

Once enough credentials are obtained by the attacker, the network fingerprinting is performed. In order to perform an efficient reconnaissance of the target’s network advanced attackers usually rely on native tools or scripts allowing them to stay under radar. An example of such a tool is a Powershell script PowerView from the PowerSploit’s toolkit. It allows, for example, quick identification of network systems where the current user has local administrator’s access. As shown in Figure 4, the current user was found to have local administrator’s privileges on NODE4.contoso.com.

Figure 4: Enumerating local admin privileges of the current user on remote systems

Another powerful feature of this script is the ability to find systems where certain users are currently logged in. This is important for attackers in order to focus their attacks on specific systems and thus reducing noise while trying to break into arbitrary systems. An example of such an activity is shown in Figure 5.

Figure 5: Hunting for open sessions of highly privileged Domain accounts

In this scenario, a user of the Domain Admins’ group, the most privileged group in Windows domain environment, is logged into a system NODE4 where the compromised user has local administrator’s privileges. This allows the attacker to use credentials of the current user to move laterally to that machine. An example of such an activity can be performed with psexec module as shown in Figure 6.

Figure 6: Moving laterally to another system with previously collected credentials

By executing the commands via the psexec approach the payload which gets delivered to the remote system is launched under system privileges and establishes a command and control channel to the attacker’s server. This allows an attacker to extract user credentials form the memory in the same way as shown before and therefore obtain plain-text credentials of a Domain Admin’s account (see Figure 7).

Figure 7: Domain administrator’s password retrieval from memory on NODE4

Having credentials of a user who is in a Domain Admins’ group usually means that an access to all systems within the Windows Domain is gained. Therefore, the attacker can now freely move across all the network in order to find sensitive information. For example, it’s now possible for an attacker to jump to a FILE_SERVER machine and have full access to the system (see Figure 8).

Figure 8: System level access gained on FILE_SERVER via psexec with Domain Administrator’s credentials

The provided examples mainly focus on Windows environment as it’s the most common platform in nowadays enterprises. However, there are cases where the IT environment is mixed, having Windows, Linux and Unix based systems. In such a case attackers try to harvest SSH credentials via keylogging or stealing private keys from file systems which they were able to compromise. In cases when the authentication is centralized via AD and LDAP attackers target those authentication servers in order to extract or tamper login data. Additionally, for certain air-gapped networks VPN credentials are also collected throughout the campaign in order to reach systems which are disconnected from the network and managed through secure VPN connections in the local network.

Real World Example: APT28

In order to collect necessary artifacts for lateral movement, APT28 tries to take advantage of a common software feature which allows users to store login credentials. Additionally, a key-logging module is used in order to intercept other login credentials. The credential harvester is designed to collect credentials from certain applications, including web browsers and email software. Once the credentials are collected, attackers are able to use them in order to access other internal or external systems and attempt to exploit those systems for further lateral movement or asset discovery. In one case, a credential harvesting module called OLDBAIT was installed at %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe. This module was designed to steal login credentials from web browsers, such as Internet Explorer and Firefox, and e-mail software, such as Eudora, The Bat! and Becky! [2]. In addition to OLDBAIT, APT28 used known password extraction tools such as Mimikatz or SecurityXploded toolkit [3]. It is worth mentioning, that while the Mimikatz tool is capable of extracting credentials, it is also capable of performing the Pass-The-hash attack which is a common technique used for lateral movement. The workflow of credential collection and usage for lateral movement is summarized in the following table.

Table 1: APT28’s lateral movement via credential hijacking
Procedure	Tactic	Technique
1	Installs credential harvester on the victim’s machine.	Module deployment
1	%ALLUSERPROFILE%\\Application Data\Microsoft\MediaPlayer\updatewindws.exe	Module deployment
2	Collects credentials from specified applications.	Credential harvesting
2	Internet Explorer, Mozilla Firefox, Eudora, The Bat!, Beck!	Credential harvesting
3	Collected credentials are exfiltrated	HTTP or SMTP
4	Obtained credentials are used to access web services, such as email.	Account hijacking

Finally, EVILTOSS, one of the tools in APT28’s arsenal, was identified to contain capabilities which are useful in the lateral movement phase. Once this backdoor is installed though the initial Downloader (SOURFACE), it has the ability to enumerate network resources, log keystrokes, access stored credentials and execute shellcode [2]. It’s worth mentioning that certain modules in APT28’s kit have the capabilities to infiltrate air-gapped networks allowing attackers to reach systems which potentially store sensitive information [4].

Real World Example: APT30

In order to move laterally, APT30 malware components are designed to replicate through removable drives. As concluded by FireEye, the malware component SHIPSHAPE allows propagation and exfiltration of data over removable drives and may have been used to infiltrate air-gapped networks. In order to achieve this, SHIPSHAPE modifies the contents of the removable drive by hiding the original documents and copying executable files to the folder with the same name as the original documents. Moreover, SHIPSHAPE abuses the autorun.inf file in a special way which allows the malware to transmit newer versions of the malware [5]. Additionally, while the malware was not identified to provide other predefined features for lateral movement, generic features of uploading and execution of additional files indicate that the threat actor can extend the capabilities on demand in order to load additional modules allowing to intercept keystrokes, dump stored credentials, etc.

A detailed information of lateral movement performed by SHIPSHAPE component is provided in the following table.

Table 2: Lateral movement performed by SHIPSHAPE component
Procedure	Tactic	Technique
1	Searches for fixed and removable drives on the infected machine.	Removable drive discovery
2	Checks a removable drive that is inserted into the infected computer for existing files and folders.	File harvesting
2	Targeted file types are specified within the sample.	File harvesting
3	Marks discovered files and folders on the removable drive as hidden.	File cloaking
4	Copies executable files that resemble the SPACESHIP variant to the removable drive and renames these executables using the same names as the hidden files & folders, with an .exe extension	Local file copy
	A file named MyDocument.doc becomes MyDocument.doc.exe.
	Copies a file (KB936891-doc.log) from the computer infected with SHIPSHAPE to the drive. This file is used as a configuration pattern to identify interesting files.
	Copies a file (KB925273-dir.log) from the computer infected with SHIPSHAPE to the drive. This file is used as a configuration pattern to identify interesting directories.
5	To make malicious executables appear to be the original documents, SHIPSHAPE modifies the host settings to hide file extensions.	Registry modification
5	SHIPSHAPE sets the following registry values in order to hide both hidden files and file extensions: HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutoRun = 0x9f HKCU\…\Explorer\Advanced\Hidden = 0x02 HKCU\…\Explorer\Advanced\HideFileExt = 0x01 HKLM\…\Explorer\Advanced\Folder\Hidden\SHOWALL\ CheckedValue = 0x00 HKLM\…\Explorer\Advanced\Folder\HideFileExt\CheckedValue= 0xffffffff	Registry modification
6	When a user attempts to open a document from the infected removable drive, he would execute a copy of the SPACESHIP malware instead.	SE / Process creation

References

1. Trend Micro. (2013). Lateral Movement: How Do Threat Actors Move Deeper Into Your Network?
http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/tlp_lateral_movement.pdf

2. FireEye, Inc. (2014). APT28: A Window int Russia’s Cyber Espionage Operations?
https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf

3. Joan Calvet, J. C. (2016, June).
https://www.welivesecurity.com/wp-content/uploads/2016/06/visiting_the_bear_den_recon_2016_calvet_campos_dupuy-1.pdf

4. Calvet, J. (2014, November 11).
http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/

5. Fireeye Labs. (2015). APT30 and the mechanics of a long-running cyber espionage operation.
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Intro

Stages of APT