After the initial host compromise, malicious actors attempt to move laterally within the compromised organization and focus their efforts on internal reconnaissance, credential harvesting and attacks on internal systems. It is common for built-in tools to be used during this step in order to avoid detection, because tools like Microsoft's PowerShell and WMI are white-listed and their activity is often not part of the security log review process. Avoiding detection on the network is a key aspect of long-term, persistent campaigns.
One of the most common approaches to moving laterally is credential harvesting. It starts on the initially compromised machine and continues across the network. Attackers usually try to extract network credentials in multiple ways, such as searching for files that store credentials, key-logging, memory dumps, etc. Once credentials are obtained, they are used to access other systems in the target's infrastructure, where the procedure can be repeated until the end goal is reached. Another way to spread through the network is by exploiting unpatched systems. In this case the network is probed for vulnerable systems, which are then exploited. This approach is less common than credential harvesting due to the higher likelihood that the systems are patched, or because the APT's arsenal lacks zero-day exploits that would apply to the environment being attacked.
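The two paragraphs above describe a pattern defenders can look for: a harvested credential being reused over the network against many hosts, and built-in tools such as WMI and PowerShell being used on the remote side. The following detector is an added example, not part of the original text; it runs over constructed log lines in an assumed `field=value` collector format (the host names, account names and timestamps are made up), using the real Windows Security event IDs 4624 (logon) and 4688 (process creation). Logon type 3 denotes a network logon, and `wmiprvse.exe` is the WMI provider host, which is the parent of anything launched through remote WMI.

```python
"""
Added example (not from the original text): flag two lateral-movement
patterns in constructed sample logs.

  1. Credential reuse: one account performing network logons (Windows
     logon type 3) to many distinct hosts within a short window.
  2. Built-in tool abuse: a shell (cmd.exe / powershell.exe) spawned by the
     WMI provider host (wmiprvse.exe), which is how remote WMI execution
     appears in process-creation events.

Event IDs 4624 and 4688 are real; the log format, hosts, users and times
below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical field=value collector output).
SAMPLE_LOGS = """
2024-03-01T10:00:01 host=WS01 event=4624 logon_type=2 user=alice src=10.0.1.5
2024-03-01T10:02:10 host=SRV01 event=4624 logon_type=3 user=svc_backup src=10.0.1.5
2024-03-01T10:02:14 host=SRV02 event=4624 logon_type=3 user=svc_backup src=10.0.1.5
2024-03-01T10:02:19 host=SRV03 event=4624 logon_type=3 user=svc_backup src=10.0.1.5
2024-03-01T10:02:25 host=SRV04 event=4624 logon_type=3 user=svc_backup src=10.0.1.5
2024-03-01T10:02:31 host=SRV05 event=4624 logon_type=3 user=svc_backup src=10.0.1.5
2024-03-01T10:02:33 host=SRV05 event=4688 parent=wmiprvse.exe image=powershell.exe user=svc_backup
2024-03-01T11:30:00 host=FS01 event=4624 logon_type=3 user=bob src=10.0.1.7
2024-03-01T11:30:05 host=FS01 event=4688 parent=explorer.exe image=powershell.exe user=bob
"""

# Shells commonly launched via WMI for remote command execution.
LOLBIN_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def parse_line(line):
    """Turn '2024-03-01T10:00:01 k=v k=v ...' into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_logs(text):
    return [parse_line(l) for l in text.strip().splitlines() if l.strip()]


def detect_network_logon_fanout(events, window=timedelta(minutes=5), min_hosts=4):
    """Flag accounts whose type-3 logons reach >= min_hosts distinct hosts within `window`."""
    by_user = defaultdict(list)
    for ev in events:
        if ev.get("event") == "4624" and ev.get("logon_type") == "3":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits inside `window`.
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "hosts": sorted(hosts),
                               "first": evs[start]["time"], "last": ev["time"]})
                break  # one alert per account is enough for triage
    return alerts


def detect_wmi_spawned_shell(events):
    """Flag process-creation events where wmiprvse.exe is the parent of a shell."""
    return [ev for ev in events
            if ev.get("event") == "4688"
            and ev.get("parent", "").lower() == "wmiprvse.exe"
            and ev.get("image", "").lower() in LOLBIN_SHELLS]


def run_detections(text=SAMPLE_LOGS):
    events = parse_logs(text)
    return {"fanout": detect_network_logon_fanout(events),
            "wmi_shell": detect_wmi_spawned_shell(events)}


if __name__ == "__main__":
    for kind, hits in run_detections().items():
        for hit in hits:
            print(kind, hit)
```

On the sample data the fan-out rule fires once for `svc_backup` (four distinct servers within fifteen seconds) and the WMI rule fires once for the PowerShell instance on `SRV05`; `bob`'s single file-server logon and his interactively launched PowerShell produce nothing. The window and host threshold are tuning knobs: backup and monitoring accounts legitimately fan out and need either an allow-list or a higher threshold, which is exactly why the text notes that built-in tool activity tends to fall outside routine log review.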