Techniques

Lateral Movement is a key phase in the cyber attack lifecycle, where an adversary seeks to expand their foothold within a target network. After establishing initial access, attackers aim to move through the network environment to locate and gain control over additional systems, ultimately working toward their primary objective, whether it be data exfiltration, persistence establishment, or further exploitation. Lateral Movement is critical for attackers to explore the network, identify valuable assets, and escalate their privileges, all while attempting to maintain stealth and avoid detection.

Remote Desktop Protocol

The use of Remote Desktop Protocol (RDP) for lateral movement is a technique employed by adversaries to extend their reach within a network after gaining initial access. RDP, a proprietary protocol developed by Microsoft, provides a graphical interface for connecting to another computer over a network connection. While it's a valuable tool for remote administration and access, in the hands of an adversary, RDP can become a powerful mechanism for expanding unauthorized access across a network.

Lateral Movement via RDP

Here’s how adversaries leverage RDP for lateral movement:

  1. Initial Access and Credential Acquisition: The process often begins with the attacker obtaining credentials through various means such as phishing, credential dumping, or exploiting weak passwords. Once inside the network, discovering systems where RDP is enabled becomes a priority.

  2. Enumeration and Target Identification: Adversaries may use network scanning and enumeration tools to identify systems with RDP ports open, typically TCP port 3389, and to determine which accounts have access to these systems. Tools like Nmap or PowerShell scripts can automate this discovery process.

  3. Exploiting RDP for Movement: With valid credentials, attackers can initiate RDP sessions to target systems. This allows them to operate as if they were legitimate users of the system, running commands, accessing data, and deploying tools without being physically present at the machine.

  4. Pass-the-Hash (PtH) and Credential Use: In scenarios where plaintext credentials are not available, attackers might use techniques like Pass-the-Hash to authenticate to systems via RDP using the hash values of user passwords. This technique bypasses the need for actual passwords, facilitating unauthorized access.

  5. Creating Backdoors: Once connected to a new host via RDP, adversaries can create backdoors by adding new accounts or enabling alternate access methods, ensuring they can return to the compromised system at will.

  6. Mimicking Legitimate Use: The use of RDP can often blend in with normal administrative activities, making it more challenging for defenders to detect unauthorized access. Attackers exploit this by performing actions that do not deviate significantly from typical user behavior on the network.

  7. Privilege Escalation and Further Exploitation: After gaining access to a system via RDP, attackers can explore ways to escalate their privileges or exploit vulnerabilities within the system to deepen their foothold or access sensitive information.

  8. Lateral Movement as a Stepping Stone: Each system compromised via RDP can serve as a new base for launching additional attacks, allowing the adversary to methodically move through the network in search of high-value targets.

Operational Implications

The use of RDP for lateral movement has significant operational implications for adversaries. It allows them to efficiently expand their control over additional systems, potentially bypassing physical and logical barriers that would otherwise limit their reach within the network. Moreover, by leveraging legitimate credentials and blending in with normal traffic, adversaries can maintain a low profile, reducing the likelihood of detection as they navigate through the network.

The strategic use of RDP by adversaries underscores the importance of securing RDP access within networks and highlights the challenges organizations face in detecting and responding to sophisticated lateral movement techniques.

Server Message Block (SMB)

The Server Message Block (SMB) protocol is a critical component of Windows networked environments, enabling systems to share access to files, printers, and serial ports. While SMB plays a pivotal role in facilitating resource sharing and communication across devices on a network or domain, it also presents an attractive target for adversaries seeking to move laterally within an organization's infrastructure.

Exploitation of SMB for Lateral Movement

Adversaries exploit SMB for lateral movement by leveraging valid accounts, particularly those with administrator-level privileges, to interact with remote network shares. Here's how this technique typically unfolds:

  1. Valid Accounts: The attack begins with the adversary obtaining credentials for valid accounts, ideally those with administrative privileges. These credentials can be acquired through various means, including phishing attacks, credential dumping, exploiting weak passwords, or reusing credentials obtained from previous breaches.

  2. Discovery of Network Shares: With valid credentials in hand, adversaries use SMB to enumerate accessible network shares on targeted systems. This discovery process may involve scanning for open SMB ports (typically TCP ports 139 and 445) and identifying shared resources that are available for connection.

  3. Accessing Hidden Network Shares: Windows systems often have hidden network shares (e.g., C$, ADMIN$, IPC$) that are intended for administrative use. These shares are not visible through standard file browsing but can be accessed directly via SMB if one knows the share name and has the necessary permissions. Adversaries exploit these hidden shares to access file systems on remote machines.

  4. File Transfer and Remote Execution: Once access to a network share has been established, adversaries can use SMB to transfer files between systems. This capability is particularly useful for deploying malware, tools, or scripts that further the attacker's objectives. In addition, adversaries may leverage SMB in conjunction with other techniques, such as Windows Management Instrumentation (WMI) or PowerShell remoting, to execute these transferred binaries remotely.

  5. Interacting with Systems Using RPC: SMB can also facilitate interaction with systems using Remote Procedure Calls (RPCs). This allows adversaries to perform actions on remote systems, such as querying system information, executing code, or manipulating services and processes, all of which can aid in lateral movement and privilege escalation.
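
Detection logic for the RDP pattern (steps under "Lateral Movement via RDP") and the hidden-share pattern described in the SMB steps above, written as an added example rather than code from the original page: it scans constructed Windows Security events (4624 with Logon Type 10 for RDP; 5140 and 5145 for share access) forwarded as JSON lines. The alert thresholds, the jump-host allow-list and the sample records are assumptions made for this example.

```python
"""Detection sketch for RDP fan-out and admin-share access (added example, not from the page).

Walks constructed Windows Security events, normalised to one JSON object per
line as a SIEM forwarder would emit them, and flags two patterns described above:

  * RDP fan-out: one source address opening RemoteInteractive logons
    (event 4624, LogonType 10) to several distinct hosts in a short window;
  * hidden admin shares: connections to C$/ADMIN$ (event 5140) and an
    executable placed through ADMIN$ (event 5145, RelativeTargetName *.exe)
    from a host that is not an approved administrative jump host.

Event IDs and field names are those of the Windows Security log; the
thresholds, allow-list and sample records are assumptions for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. 5140/5145 are only logged when
# "Audit File Share" / "Audit Detailed File Share" are enabled on the target.
SAMPLE_EVENTS = r"""
{"ts":"2024-05-01T09:00:05","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.5.17","Computer":"FS01"}
{"ts":"2024-05-01T09:01:10","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.5.17","Computer":"WS-042"}
{"ts":"2024-05-01T09:02:30","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.5.17","Computer":"SQL02"}
{"ts":"2024-05-01T09:03:40","EventID":4624,"LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.0.5.17","Computer":"DC01"}
{"ts":"2024-05-01T09:30:00","EventID":4624,"LogonType":10,"TargetUserName":"helpdesk","IpAddress":"10.0.1.5","Computer":"WS-077"}
{"ts":"2024-05-01T09:05:00","EventID":5140,"SubjectUserName":"jsmith","IpAddress":"10.0.5.17","Computer":"SQL02","ShareName":"\\\\*\\C$"}
{"ts":"2024-05-01T09:05:02","EventID":5145,"SubjectUserName":"jsmith","IpAddress":"10.0.5.17","Computer":"SQL02","ShareName":"\\\\*\\ADMIN$","RelativeTargetName":"svchost_upd.exe"}
{"ts":"2024-05-01T10:00:00","EventID":5140,"SubjectUserName":"backupsvc","IpAddress":"10.0.1.5","Computer":"FS01","ShareName":"\\\\*\\ADMIN$"}
{"ts":"2024-05-01T10:10:00","EventID":5140,"SubjectUserName":"jdoe","IpAddress":"10.0.7.3","Computer":"FS01","ShareName":"\\\\*\\Public"}
"""

ADMIN_SHARES = {"C$", "ADMIN$"}            # hidden shares named in the text; IPC$ alone is too noisy
ADMIN_JUMP_HOSTS = {"10.0.1.5"}            # assumed allow-list: hosts expected to use RDP/admin shares widely
RDP_FANOUT_HOSTS = 3                       # distinct RDP targets per source ...
RDP_FANOUT_WINDOW = timedelta(minutes=10)  # ... within this window triggers an alert


def parse_events(text):
    """Parse JSON-lines events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def share_basename(share):
    r"""Reduce the UNC form the event logs (e.g. \\*\C$) to the bare share name (C$)."""
    return share.rsplit("\\", 1)[-1].upper()


def detect_rdp_fanout(events):
    """One alert per source that reaches RDP_FANOUT_HOSTS distinct hosts within RDP_FANOUT_WINDOW."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4624 and ev.get("LogonType") == 10 and ev["IpAddress"] not in ADMIN_JUMP_HOSTS:
            by_source[ev["IpAddress"]].append((ev["ts"], ev["Computer"], ev["TargetUserName"]))
    alerts = []
    for src, logons in by_source.items():              # logons are already time-ordered
        for i, (t0, _, user) in enumerate(logons):
            targets = sorted({host for t, host, _ in logons[i:] if t - t0 <= RDP_FANOUT_WINDOW})
            if len(targets) >= RDP_FANOUT_HOSTS:
                alerts.append({"rule": "rdp_fanout", "source": src, "user": user, "targets": targets})
                break
    return alerts


def detect_admin_share_access(events):
    """Admin-share connections (5140) and executables written via ADMIN$ (5145) from non-jump hosts."""
    alerts = []
    for ev in events:
        src = ev.get("IpAddress")
        if ev["EventID"] not in (5140, 5145) or src in ADMIN_JUMP_HOSTS:
            continue
        share = share_basename(ev["ShareName"])
        if share not in ADMIN_SHARES:
            continue
        alert = {"source": src, "target": ev["Computer"], "user": ev["SubjectUserName"], "share": share}
        if ev["EventID"] == 5140:
            alert["rule"] = "admin_share_access"
        elif ev.get("RelativeTargetName", "").lower().endswith(".exe"):
            alert.update(rule="exe_via_admin_share", file=ev["RelativeTargetName"])
        else:
            continue                                   # 5145 on a non-executable: context only, no alert
        alerts.append(alert)
    return alerts


def run(text=SAMPLE_EVENTS):
    """Return all alerts for the given JSON-lines text (RDP alerts first, then share alerts)."""
    events = parse_events(text)
    return detect_rdp_fanout(events) + detect_admin_share_access(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data this raises one fan-out alert for 10.0.5.17 and two share alerts for the same source; the helpdesk jump host is suppressed by the allow-list, and the Public share is ignored.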

Operational Implications

The use of SMB for lateral movement enables adversaries to stealthily navigate a network, access critical resources, and execute commands with the privileges of the compromised accounts. This technique is particularly effective in environments where SMB traffic is common and expected, allowing malicious activities to blend in with legitimate network communications.

By leveraging SMB and valid accounts, adversaries can achieve several objectives, including data exfiltration, spreading ransomware, establishing persistence, and compromising high-value targets within the network. The ability to move laterally and execute code remotely gives attackers a significant advantage, enabling them to maintain a presence within the network and advance their attack without direct physical access to each target system.

This exploitation of SMB underscores the importance of securing network shares, implementing robust access controls, and monitoring SMB traffic for signs of malicious activity. Organizations must remain vigilant against the misuse of SMB and other network protocols to protect against lateral movement and the potential consequences of widespread network compromise.

Exploitation of Remote Services

Exploiting remote services for lateral movement is a technique widely used by adversaries to navigate through a network after gaining initial access. This approach targets services that are accessible over the network, allowing attackers to extend their reach from a compromised host to other internal systems, including both servers and endpoint devices. Remote services encompass a broad range of functionalities, including file sharing, remote desktop access, system management protocols, and various other network services that can be used for legitimate administrative purposes or exploited for malicious activities.

Key Aspects of Lateral Movement via Remote Services

  1. Initial Compromise and Credential Acquisition: The process typically starts with the attacker gaining initial access to a single system within the network. Following this, they may use various techniques to obtain credentials needed to authenticate to remote services on other systems. These methods can include phishing, credential dumping, keylogging, or exploiting weak or default passwords.

  2. Discovery of Remote Services: With credentials in hand, attackers often perform discovery activities to identify available remote services across the network. Tools like Nmap, Nessus, or custom scripts can be used to scan the network for open ports and services such as SMB, SSH, RDP, SQL servers, and others that might be accessible and exploitable.

  3. Exploitation of Vulnerable Services: Once potential targets are identified, adversaries attempt to exploit these remote services. This could involve using known vulnerabilities, misconfigurations, or simply authenticating with stolen credentials. The goal is to gain unauthorized access, execute commands, or deploy malicious payloads on the target system.

  4. Privilege Escalation and Further Lateral Movement: After successfully compromising additional systems via remote services, attackers may seek to escalate their privileges to gain higher levels of access. This enables them to install more sophisticated tools, access sensitive data, or move laterally to other high-value targets within the network.

  5. Use of Remote Services for Data Exfiltration and Command Execution: Beyond lateral movement, remote services can also be exploited for executing commands remotely, maintaining persistence, and exfiltrating data. Protocols like FTP, SCP, or even RDP and SMB can be misused to transfer data out of the network.

Operational Implications

The exploitation of remote services for lateral movement allows attackers to systematically explore and compromise a network, moving from less critical endpoint devices to high-value servers that store sensitive information or provide critical infrastructure services. This process can be stealthy and difficult to detect, especially if the attacker uses legitimate credentials and blends their activities with normal network traffic.

Remote service exploitation often indicates a lack of segmentation within the network, inadequate monitoring of network services, or insufficient access controls. An attacker's ability to move freely across the network exploiting remote services points to potential weaknesses in network design, endpoint protection, and incident response capabilities.

Lateral movement via remote services poses significant risks to organizations, as it can lead to widespread network compromise, data breaches, and persistent threats that are challenging to eradicate. Understanding the methods used by adversaries to exploit these services is crucial for developing effective defenses, including network segmentation, robust authentication mechanisms, regular patching of vulnerabilities, and comprehensive monitoring of network activity for signs of malicious behavior.

Replication via Removable Media

The use of removable media for lateral movement represents a classic yet still effective method for adversaries to spread malware across networks, including those that are air-gapped or otherwise physically isolated. This technique exploits the convenience and portability of devices like USB flash drives, external hard drives, CDs, and DVDs to bridge gaps between disconnected systems. By leveraging features like Autorun or crafting enticing filenames, attackers encourage the execution of malicious code when the media is used.

Mechanisms of Lateral Movement via Removable Media

  1. Initial Compromise and Preparation: The process often begins with the adversary gaining access to at least one system where they can prepare the removable media. This may involve directly infecting a device with malware or using social engineering tactics to convince a user to initiate the transfer unknowingly.

  2. Autorun Features: Historically, one of the most straightforward methods involved leveraging the Autorun feature in Windows, which automatically executes specified instructions when new media is detected. Although modern versions of Windows have restrictions to mitigate this risk, attackers may still find ways to exploit similar functionalities or trick users into manually executing malicious software.

  3. Crafting Enticing Filenames: By naming files in a manner that encourages curiosity or urgency (e.g., "Confidential", "Salary Information", "Use First"), adversaries increase the likelihood that a user will execute them. This tactic relies on social engineering as much as technical exploitation.

  4. Modification of Media: More sophisticated attacks might involve the modification of the media's firmware or the systems used to initially format the media. These alterations can make the malicious activities harder to detect and remove, as the malware can be embedded at a level that standard security scans do not reach.

  5. Crossing Air Gaps: Removable media is particularly effective for penetrating air-gapped networks, which are disconnected from the internet for security reasons. Insiders or unwitting carriers can introduce malware into these secure environments simply by plugging in an infected device.

  6. Manual Manipulation: In some cases, adversaries may rely on human operators to move the infected media between systems actively. This manual manipulation can be part of a targeted attack where specific systems or networks are the focus.

Operational Implications

The exploitation of removable media for lateral movement has significant operational implications:

  • Bypassing Network Defenses: Removable media can circumvent network-based security measures by delivering malware directly to the endpoint, making it a potent vector for initial access and lateral movement.

  • Targeting Secure Environments: Systems that are otherwise hard to reach due to network segmentation or air gaps become accessible through physical means.

  • Exploiting Trust: This method exploits the trust users place in physical media, especially within environments where sharing via such means is common practice.

  • Persistence and Stealth: Malware introduced via removable media can be designed to remain dormant, only activating under specific conditions or after a delay, making detection and response more challenging.

The reliance on removable media for lateral movement underscores the need for comprehensive security policies that include physical security controls, user education on the risks associated with unknown or unsolicited media, and technical measures like disabling Autorun features, regularly scanning removable devices for malware, and restricting the use of removable media to only necessary cases. Additionally, maintaining strict access controls and monitoring for unusual activity on systems where removable media are used can help mitigate the risk posed by this lateral movement technique.

Lateral Tool Transfer

Lateral tool transfer is a technique used by adversaries to spread their capabilities across a compromised network. This method involves the distribution of malware, utilities, scripts, or other files that facilitate further exploitation, command and control, or data exfiltration activities. By moving these tools between systems, attackers can execute a range of actions on multiple targets, leveraging the interconnected nature of modern networks to their advantage.

Techniques for Lateral Tool Transfer

  1. File Sharing Over SMB/Windows Admin Shares: One common method involves using the Server Message Block (SMB) protocol or Windows administrative shares (like C$, ADMIN$, IPC$) to move files between systems. These mechanisms are often used legitimately for file sharing and system administration, making them ideal for stealthy lateral movement.

  2. Authenticated Connections via Remote Desktop Protocol (RDP): RDP can also be used to transfer files between systems. Once an adversary has authenticated to a remote desktop session, they can use the clipboard or mapped drives to copy files from one system to another.

  3. Using Native Tools: Tools already present on the victim's system, such as scp (secure copy), rsync, curl, sftp, and ftp, offer another avenue for file transfer. These commands can be used to move files across systems within the same network or even to and from external servers under the attacker's control.

  4. Leveraging Web Services: Cloud storage services like Dropbox or OneDrive can be abused for lateral tool transfer. By uploading tools to a shared, automatically synced folder, adversaries can ensure that their files are distributed to any system connected to that folder. This method can be particularly effective in environments where such services are used for legitimate business purposes.

Operational Implications

The ability to transfer tools laterally within a network allows adversaries to maintain a low profile while maximizing their reach and impact. This capability is crucial for conducting widespread espionage, sabotage, or ransomware campaigns. It enables attackers to:

  • Spread Malware: Distribute malware payloads to multiple targets, increasing the number of compromised systems and the potential for damage.

  • Execute Commands Remotely: Move utilities and scripts that facilitate remote command execution, helping to maintain control over compromised systems.

  • Exfiltrate Data: Transfer data-gathering tools to sensitive systems, enabling large-scale data theft.

  • Establish Persistence: Deploy tools and files that help in maintaining access to the compromised environment over time.

VNC

Virtual Network Computing (VNC) is a popular tool for remote desktop sharing and control, facilitating a wide range of legitimate administrative tasks across various platforms. However, its capabilities also make it an attractive vector for adversaries seeking to move laterally within a compromised environment. By exploiting VNC, attackers can extend their reach across the network, executing actions with the privileges of the logged-on user and potentially escalating their access to sensitive systems and data.

How Adversaries Use VNC for Lateral Movement

  1. Initial Compromise and VNC Installation: Attackers may start by installing VNC on a compromised system if it is not already present. This could be achieved through various means, such as leveraging existing vulnerabilities, using phishing techniques to gain initial access, or exploiting weak passwords to install VNC software surreptitiously.

  2. Exploiting Default or Weak Credentials: VNC installations, especially those set up without security best practices in mind, may use default credentials or weak passwords. Adversaries can exploit these to gain unauthorized access to the VNC server, allowing them to control the system remotely.

  3. Port Scanning and Service Identification: To find potential targets within the network, attackers may conduct port scans to identify systems with open VNC ports (typically 5900 and related ports). Once identified, these systems can be targeted for exploitation.

  4. Session Hijacking: In some cases, adversaries might hijack existing VNC sessions. This could involve intercepting VNC traffic on the network if the connection is not properly secured (e.g., not using encryption options like VNC over SSH or a secure tunnel).

  5. Monitoring and Controlling Target Systems: With access to a system via VNC, adversaries can perform a variety of malicious actions as the logged-on user. This includes opening documents, downloading files, running arbitrary commands, and even installing additional tools or malware to further their objectives.

  6. Data Collection and Pivoting: Beyond immediate lateral movement, control over a system via VNC allows attackers to collect sensitive information, monitor user activities, and potentially pivot to other systems within the network using gathered credentials or exploiting trust relationships.

Operational Implications

The misuse of VNC for lateral movement has several implications for network security:

  • Breach of Confidentiality: Unauthorized access to systems via VNC can lead to the exposure of sensitive information.

  • Integrity and Availability Concerns: Attackers can modify system settings, delete files, or disrupt operations, impacting both the integrity and availability of systems and data.

  • Expansion of Compromise: Control over one system can facilitate the spread of the compromise to additional systems, increasing the scale and impact of the breach.

Taint Shared Content

Tainting shared content represents a method by which adversaries exploit the trust and collaboration mechanisms inherent in networked environments to facilitate lateral movement. This technique involves the deliberate placement of malicious code or payloads into files or resources that are stored in locations accessible to multiple users, such as network drives, shared folders, or internal code repositories. The goal is to leverage these shared resources to execute code on remote systems across the network, thereby expanding the attacker's footprint within the compromised environment.

Mechanisms of Tainting Shared Content for Lateral Movement

  1. Compromise of Shared Network Drives: Attackers may upload or modify files on network drives with malicious content. When unsuspecting users access these files, the embedded code is executed, compromising the user's system.

  2. Manipulation of Shared Folders: Similar to network drives, shared folders on systems within a network can be targeted. These folders often contain scripts, tools, or documents used by multiple users, making them prime targets for tainting.

  3. Injection into Code Repositories: In environments where software development takes place, internal code repositories can be tainted with malicious code. This could be in the form of a backdoor, a malicious library, or modified source code. When other developers pull the tainted code and compile or run it, their systems become compromised.

  4. Exploiting File Synchronization Services: Cloud-based file synchronization services (e.g., Dropbox, Google Drive) used within organizations for collaboration might be exploited by adding or modifying files with malicious content. As files synchronize across the network, the malware spreads to other systems.

  5. Abuse of Document Features: Office documents, PDFs, or other commonly shared file types can be weaponized with macros, scripts, or exploits that execute when the document is opened. By placing these tainted documents in shared locations, attackers can target multiple users.

Operational Implications

The use of tainted shared content for lateral movement carries several operational implications:

  • Wide Reach and Stealth: This technique can target multiple users simultaneously without raising immediate suspicion, as the malicious activity originates from trusted, internal sources.

  • Bypassing Security Perimeters: Since the tainted content is already within the network perimeter, traditional security measures focused on border defense may be ineffective at detecting or preventing the execution of the malicious code.

  • Data Compromise and Espionage: Successful execution of tainted content can lead to data breaches, intellectual property theft, or espionage activities as attackers gain access to sensitive information.

  • System and Network Compromise: Beyond initial execution, tainted content can serve as a foothold for further exploitation, allowing attackers to deploy additional payloads, escalate privileges, or move laterally to other systems.

Pass the Hash

Pass the Hash (PtH) is a post-exploitation technique that allows attackers to move laterally within a network without needing to know the actual plaintext passwords of compromised accounts. Instead, they use the hashed versions of these passwords, which are often stored within a system's memory or on disk. This technique is particularly effective in Windows environments that rely on the NTLM or LanMan authentication protocols.

How Pass the Hash Works for Lateral Movement

Obtaining Hashes: Attackers first gain a foothold on a system, often through phishing, exploiting vulnerabilities, or social engineering. Once inside, they use various tools and techniques to extract password hashes, either from the memory of the Local Security Authority Subsystem Service (LSASS) process (e.g., using Mimikatz) or from on-disk password stores such as the Security Accounts Manager (SAM) database.

Impersonating Users: Armed with these stolen hashes, attackers can then use tools like Mimikatz or Metasploit's psexec module to impersonate the users associated with the hashes. This allows them to authenticate to other systems on the network without ever knowing the actual passwords.

Lateral Movement: Now "wearing the mask" of a legitimate user, attackers can move laterally across the network, accessing shared folders, network resources, and even other machines. They can continue to extract hashes from these newly compromised systems, effectively hopping from one machine to another.

Why Pass the Hash is Effective for Lateral Movement

  • Stealth: PtH attacks are often difficult to detect because no plaintext password is ever entered. Security logs record what look like ordinary successful logons, even though no actual password was used.

  • No Password Cracking Required: Attackers don't need to crack the hashes to use them. They can simply pass the hash directly to the authentication system.

  • Leverages Existing Trust: By impersonating legitimate users, attackers can bypass access controls and leverage the trust relationships already established within the network.

  • Weak Default Configurations: Many Windows systems are configured to accept NTLM authentication, which is susceptible to PtH attacks.
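
Two detection heuristics for the Pass the Hash flow described above, as an added example that is not code from the original page: a source-side check for the NewCredentials logon (Logon Type 9, logon process "seclogo") that injected NTLM credentials produce, and a target-side check for NTLM network logons from addresses outside an account's usual sources, which ties back to the point that systems still accepting NTLM are where the passed hash is consumed. The sample 4624 events and the per-account baseline are constructed assumptions.

```python
"""Pass-the-Hash detection heuristics over Windows Security 4624 events (added example, not from the page).

Two widely used heuristics, applied to constructed sample events:

  * source side: a NewCredentials logon (LogonType 9) with LogonProcessName
    "seclogo" and AuthenticationPackageName "Negotiate", the shape produced
    when a process is started with injected NTLM credentials on the
    originating host. Legitimate "runas /netonly" produces the same event,
    so this is a triage lead, not proof;
  * target side: an NTLM network logon (LogonType 3, LogonProcessName
    "NtLmSsp") for a real user account from an address outside that
    account's usual sources.

A target-side hit for an account that also produced a source-side hit is
escalated. Field names are those of event 4624; the sample records and the
per-account baseline are assumptions made for this example.
"""
import json

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = """
{"EventID":4624,"Computer":"WS-042","LogonType":9,"TargetUserName":"jsmith","LogonProcessName":"seclogo","AuthenticationPackageName":"Negotiate","IpAddress":"::1"}
{"EventID":4624,"Computer":"WS-042","LogonType":9,"TargetUserName":"admin-it","LogonProcessName":"seclogo","AuthenticationPackageName":"Negotiate","IpAddress":"::1"}
{"EventID":4624,"Computer":"FS01","LogonType":3,"TargetUserName":"admin-it","LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","IpAddress":"10.0.5.17"}
{"EventID":4624,"Computer":"FS01","LogonType":3,"TargetUserName":"admin-it","LogonProcessName":"Kerberos","AuthenticationPackageName":"Kerberos","IpAddress":"10.0.1.5"}
{"EventID":4624,"Computer":"FS01","LogonType":3,"TargetUserName":"ANONYMOUS LOGON","LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","IpAddress":"10.0.7.3"}
{"EventID":4624,"Computer":"FS01","LogonType":3,"TargetUserName":"WS-042$","LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","IpAddress":"10.0.5.17"}
{"EventID":4624,"Computer":"FS01","LogonType":3,"TargetUserName":"backupsvc","LogonProcessName":"NtLmSsp","AuthenticationPackageName":"NTLM","IpAddress":"10.0.1.9"}
"""

# Assumed baseline: the source addresses each account is normally seen authenticating from.
USER_BASELINE = {"admin-it": {"10.0.1.5"}, "backupsvc": {"10.0.1.9"}, "jsmith": {"10.0.5.17"}}


def parse_events(text):
    """Parse one JSON event per line."""
    return [json.loads(line) for line in text.strip().splitlines()]


def is_service_or_anonymous(user):
    """Machine accounts (trailing $) and ANONYMOUS LOGON are excluded from the target-side rule."""
    return user.endswith("$") or user.upper() == "ANONYMOUS LOGON"


def detect_source_side(events):
    """LogonType 9 + seclogo + Negotiate on the host where the hash was injected."""
    return [
        {"rule": "pth_newcredentials_logon", "host": ev["Computer"], "user": ev["TargetUserName"]}
        for ev in events
        if ev["EventID"] == 4624 and ev.get("LogonType") == 9
        and ev.get("LogonProcessName", "").lower() == "seclogo"
        and ev.get("AuthenticationPackageName") == "Negotiate"
    ]


def detect_target_side(events, baseline=USER_BASELINE):
    """NTLM network logon for a real user from an address outside that user's baseline."""
    alerts = []
    for ev in events:
        if ev["EventID"] != 4624 or ev.get("LogonType") != 3:
            continue
        if ev.get("AuthenticationPackageName") != "NTLM" or ev.get("LogonProcessName") != "NtLmSsp":
            continue                                   # Kerberos logons are not consumed by PtH
        user = ev["TargetUserName"]
        if is_service_or_anonymous(user):
            continue
        if ev["IpAddress"] not in baseline.get(user, set()):
            alerts.append({"rule": "ntlm_logon_from_unusual_source", "host": ev["Computer"],
                           "user": user, "source": ev["IpAddress"]})
    return alerts


def correlate(events, baseline=USER_BASELINE):
    """Combine both rules; a target-side hit for a user with a source-side hit is rated high."""
    source_alerts = detect_source_side(events)
    target_alerts = detect_target_side(events, baseline)
    users_with_injection = {a["user"] for a in source_alerts}
    for alert in target_alerts:
        alert["severity"] = "high" if alert["user"] in users_with_injection else "medium"
    return source_alerts + target_alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The jsmith hit on the source side with no matching target-side logon is exactly the runas-style false positive the docstring warns about; the admin-it pair is the case worth escalating.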

Windows Remote Management

Windows Remote Management (WinRM) is a powerful feature built into Windows operating systems that provides a standardized way for computers to communicate and interact with each other over a network. It is based on the WS-Management protocol and enables remote management of hardware, operating systems, and applications. While WinRM is designed to facilitate legitimate administrative tasks, its capabilities can also be exploited by adversaries for lateral movement within a compromised network.

Exploitation of WinRM for Lateral Movement

Adversaries may leverage WinRM to execute commands or scripts remotely on other Windows machines within the network, allowing them to spread their reach beyond the initially compromised host. Here's how they might exploit WinRM for lateral movement:

  1. Initial Compromise and Credential Access: The adversary first needs to compromise one machine in the network and obtain credentials that have the necessary permissions to utilize WinRM on other systems. This often involves stealing credentials through techniques like phishing, keylogging, or exploiting other vulnerabilities.

  2. Enumeration and Target Identification: With credentials in hand, the attacker can enumerate other systems within the network where WinRM is enabled and accessible. Tools like PowerShell, specifically the Test-WSMan cmdlet, can help in identifying potential targets by checking for WinRM availability.

  3. Remote Command Execution: Once a target is identified, the adversary can use WinRM to execute commands remotely. This could involve running malicious scripts, manipulating services, modifying the registry, or deploying additional payloads. PowerShell, for instance, can be used to initiate a remote session via Enter-PSSession or Invoke-Command cmdlets, enabling execution of PowerShell commands or scripts on the remote system.

  4. Privilege Escalation and Persistence: By moving laterally using WinRM, attackers can attempt to escalate their privileges on the newly compromised hosts. They might deploy tools or scripts that exploit vulnerabilities or misconfigurations to gain higher privileges. Additionally, they could establish persistence mechanisms through registry modifications or scheduled tasks to maintain access even after the initial entry points are discovered and closed.

  5. Data Exfiltration and Further Lateral Movement: With control over multiple systems, adversaries can gather sensitive data, exfiltrate it, and continue to move laterally across the network to compromise additional systems, aiming to reach high-value targets.

Internal Spearphishing

Internal spearphishing represents a sophisticated attack vector where adversaries, having already gained a foothold within an organization's network, use compromised internal accounts to target other members of the same organization. This method exploits the inherent trust between colleagues to bypass awareness and skepticism typically present with external communications. By leveraging access to one or more internal accounts, attackers can craft convincing spearphishing emails aimed at moving laterally within the network, gaining access to additional resources, or escalating their privileges.

Execution of Internal Spearphishing for Lateral Movement

  1. Initial Compromise: The attack begins with an initial compromise, where the adversary gains unauthorized access to the organization's network. This could be achieved through various means such as exploiting vulnerabilities, credential theft, or successful external phishing campaigns.

  2. Account Takeover: After establishing a foothold, the attacker targets specific internal accounts for takeover. This could involve installing malware on the user’s device to gain control or using stolen credentials to access the user's email account directly.

  3. Reconnaissance: With access to an internal account, the attacker conducts reconnaissance within the organization to identify potential targets for lateral movement. This includes gathering information on organizational structure, ongoing projects, and internal communication patterns to craft credible spearphishing messages.

  4. Crafting Spearphishing Emails: Leveraging the compromised account, the attacker creates and sends spearphishing emails to targeted individuals or groups within the organization. These emails are designed to mimic legitimate internal communications, often requesting sensitive information, urging the recipient to click on malicious links, or instructing them to perform actions that would compromise their systems.

  5. Exploiting Trust: Since the emails come from a known and trusted internal source, recipients are more likely to comply with the requests, leading to further compromises. This could include divulging credentials, executing malicious code, or unwittingly providing access to restricted parts of the network.

  6. Lateral Movement and Privilege Escalation: Successful internal spearphishing allows the attacker to move laterally within the organization, compromising additional accounts and systems. With each successful compromise, the attacker can escalate their privileges, gaining access to increasingly sensitive information or critical infrastructure.

Application Access Tokens

Application Access Tokens are like digital keys that grant an application specific permissions (scopes) to act on resources, systems, or services on behalf of a user or of another application. They are issued by an authorization server after a successful login, OAuth 2.0 access tokens and JSON Web Tokens being the common forms, so that the application can keep calling APIs without asking for credentials again. Most are bearer tokens: whoever presents one is treated as its rightful holder until it expires. Adversaries exploit exactly that, replaying stolen tokens to move laterally and reach sensitive resources the token's owner was allowed to use.

How Attackers Leverage Application Access Tokens for Lateral Movement

Token Theft: The first step involves obtaining valid access tokens. This can be achieved through various means:

  • Phishing or Social Engineering: Tricking users into clicking malicious links or downloading malware that can harvest tokens.

  • Adversary-in-the-Middle Attacks: Intercepting the exchange between the user, the application, and the authentication server. TLS stops passive sniffing of tokens, so in practice this means a reverse-proxy phishing page that relays the real login flow, MFA prompt included, and keeps the token or session cookie the server issues at the end.

  • Exploiting Vulnerabilities: Leveraging security flaws in applications or authentication systems to steal tokens.

  • Credential Theft: Stealing user credentials (usernames/passwords), or a long-lived refresh token, which can then be used to request new access tokens.

Token Impersonation: Once an attacker has obtained a valid access token, they can impersonate the legitimate user or application associated with that token. This allows them to access resources and systems that the original user or application was authorized to use.

Lateral Movement: Armed with a stolen token, attackers move from one system or service to another, and every request is recorded as the legitimate user's own activity, so controls that watch for failed or unusual logins see nothing wrong.

  • Accessing Network Shares: Attackers can access shared network folders or drives to which the legitimate user had access.

  • Executing Commands Remotely: Windows logon tokens (a different object from OAuth-style application tokens, but likewise stolen and impersonated) can be used to run commands on remote systems with tools like PowerShell Remoting or PsExec.

  • Accessing Cloud Resources: If the token was issued for cloud services such as Microsoft Entra ID/Azure or AWS, attackers can act on those resources as well; the token's scopes and audience define the limit of what it can reach.

  • Installing Additional Malware: They can use the token to deploy additional malware on other systems, further expanding their foothold within the network.

Why Application Access Tokens are Attractive for Lateral Movement

  • Stealth: Since the attacker is using a valid token, their actions appear as legitimate activity from the authorized user or application, making detection more difficult.

  • No Password, No MFA: The token is issued after authentication has already succeeded, so the attacker never has to crack or phish a password, and multi-factor authentication is not challenged again for as long as the token is valid.

  • Wide Applicability: Access tokens are used across various platforms and services, including web applications, cloud environments, and on-premise systems, making this technique versatile for attackers.
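The two properties above, stealth and no second authentication, both follow from tokens being bearer tokens, and the fix is to bind the token to the client that obtained it. The following is an added example, not code from this page or any vendor: a toy authorization server and two toy APIs. The tokens are HS256 JWTs signed with a secret the example issuer shares with its API (real issuers use asymmetric keys), and the "proof of possession" is a simplified HMAC stand-in for what DPoP or mTLS do with the client's public key; the key names and the client registry are assumptions of the example.

```python
"""Why a stolen application access token works, and what binding it to the
client changes. Added example; the keys, clients and scopes are invented."""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"example-issuer-secret"        # assumption: issuer/API shared secret
ALICE_CLIENT_KEY = b"alice-client-device-key"  # assumption: key held only by Alice's client
ATTACKER_KEY = b"attacker-key"                 # assumption: key on the attacker's machine


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def thumbprint(client_key: bytes) -> str:
    """Identifier for a client key (plays the role of a JWK thumbprint)."""
    return hashlib.sha256(client_key).hexdigest()


# Registry the API consults for sender-constrained tokens: thumbprint -> key.
# With DPoP/mTLS the API would use the client's public key instead.
REGISTERED_CLIENTS = {thumbprint(ALICE_CLIENT_KEY): ALICE_CLIENT_KEY}


def issue_token(subject, scopes, now, ttl=3600, bound_to=None):
    """Authorization server: mint a JWT; 'cnf' (RFC 7800) binds it to a client key."""
    claims = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    if bound_to is not None:
        claims["cnf"] = {"jkt": thumbprint(bound_to)}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, now):
    """Check signature and expiry; return the claims, or None if invalid."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    return claims if claims["exp"] > now else None


def bearer_api(token, required_scope, now):
    """Plain bearer API: anyone presenting a valid token is the user. Returns an HTTP status."""
    claims = verify_token(token, now)
    if claims is None or required_scope not in claims["scope"].split():
        return 401
    return 200


def proof_of_possession(client_key, token):
    """Client side: prove possession of the key the token is bound to."""
    return hmac.new(client_key, token.encode(), hashlib.sha256).hexdigest()


def sender_constrained_api(token, proof, required_scope, now):
    """API that also demands proof from the key named in the token's cnf claim."""
    claims = verify_token(token, now)
    if claims is None or required_scope not in claims["scope"].split():
        return 401
    key = REGISTERED_CLIENTS.get(claims.get("cnf", {}).get("jkt"))
    if key is None or not proof:
        return 401  # unbound token, unknown key, or no proof offered
    return 200 if hmac.compare_digest(proof_of_possession(key, token), proof) else 401


if __name__ == "__main__":
    now = int(time.time())
    stolen = issue_token("alice", ["mail.read"], now)
    print("bearer replay from attacker host:", bearer_api(stolen, "mail.read", now + 60))
    bound = issue_token("alice", ["mail.read"], now, bound_to=ALICE_CLIENT_KEY)
    print("bound token with attacker's proof:",
          sender_constrained_api(bound, proof_of_possession(ATTACKER_KEY, bound), "mail.read", now + 60))
    print("bound token with real client's proof:",
          sender_constrained_api(bound, proof_of_possession(ALICE_CLIENT_KEY, bound), "mail.read", now + 60))
```

The bearer API accepts the replayed token from any host until it expires, which is the attacker's whole advantage; the constrained API still accepts the same stolen token only from the client that holds the bound key. Short lifetimes shrink the replay window, binding closes it.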

Pass the Ticket

Pass the Ticket (PtT) is a post-exploitation technique that allows attackers to move laterally within a network by reusing stolen Kerberos tickets. Kerberos is the default authentication protocol in Windows Active Directory environments. When a user logs in they receive a ticket-granting ticket (TGT); the TGT is exchanged for service tickets as the user touches network resources, and both kinds are cached on the machine and presented automatically as the user's credentials.

How Pass the Ticket Works

Ticket Harvesting: Attackers first need to obtain valid Kerberos tickets from a compromised system. They can do this by:

  • Dumping LSASS Memory: On Windows the Local Security Authority Subsystem Service (LSASS) holds the tickets of every logged-on session. With local administrator rights, tools like Mimikatz (`sekurlsa::tickets /export`) or Rubeus (`dump`) extract them as .kirbi files.

  • Reading Ticket Caches: On Linux and macOS hosts joined to the domain, tickets sit in credential-cache files (for example /tmp/krb5cc_*) and service keys in keytab files; an attacker with root simply copies them.

  • Network Capture: Tickets on the wire are encrypted with the service's key and the accompanying authenticator with a session key the sniffer never sees, so captured traffic cannot be replayed as a ticket. What capture can yield is the encrypted part of a service ticket for an account with a weak password, which is cracked offline (Kerberoasting); that is credential theft rather than PtT.

Injecting Tickets: Once a valid Kerberos ticket is obtained, the attacker loads it into a logon session they control, on the same host or on any other host that can reach the target service, so that Windows presents it on their behalf. Tools for this include:

  • Mimikatz: This popular post-exploitation tool injects an exported ticket into the current session with `kerberos::ptt <ticket.kirbi>`.

  • Rubeus: This open-source tool specializes in Kerberos attacks; `Rubeus.exe ptt /ticket:<file or base64>` injects a ticket, and it can also request, renew, and dump tickets.

Impersonating Users: With the injected ticket, the attacker can impersonate the legitimate user to whom the ticket belongs and access network resources as that user, without needing to know their actual password. A stolen TGT lets them request service tickets for anything the user may reach until it expires (10 hours by default, renewable for up to 7 days); a stolen service ticket is limited to that one service.

Why Pass the Ticket is Effective for Lateral Movement

  • Stealth: PtT attacks are difficult to detect because they present genuine tickets: every logon looks like the real user's, and no password is guessed or brute-forced.

  • No Account Lockout: Since the attack doesn't involve failed login attempts, it won't trigger account lockout mechanisms.

  • Elevated Privileges: If the stolen ticket belongs to a privileged user (e.g., an administrator), the attacker gains the same level of access.

  • Crosses Host Boundaries: A ticket is not tied to the host it was issued to, so it can be presented from any machine that can reach the target service. An attacker on a low-trust workstation can therefore authenticate to resources in other security zones wherever a network path exists; the ticket itself does not open firewall ports.
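The stealth claim has a hole a hunter can use: a ticket that was injected was never requested from the KDC by the host now using it. So service-ticket requests (event 4769 on the domain controller) and Kerberos network logons (event 4624, logon type 3, on the target) for that user from that host have no preceding TGT request (event 4768) from the same host. The script below is an added example, not code from this page or any product; the events are constructed and carry only the fields the check needs. The same check flags a forged TGT, which is never requested from the KDC either. One caveat matters in practice: 4768 and 4769 must be collected from every domain controller, or TGTs issued by a DC you do not collect from will look like injections.

```python
"""Pass-the-Ticket hunting: Kerberos use with no matching TGT request.

Added example; the events below are constructed, not real Security log exports."""
from datetime import datetime, timedelta

# Constructed events, flattened from the Security log fields the check uses.
EVENTS = [
    # Alice logs on from her workstation: TGT, then a service ticket, then the file server logon.
    {"time": "2024-05-01T09:00:00", "id": 4768, "user": "alice", "ip": "10.0.1.20"},
    {"time": "2024-05-01T09:00:05", "id": 4769, "user": "alice", "ip": "10.0.1.20", "service": "cifs/fs01"},
    {"time": "2024-05-01T09:00:06", "id": 4624, "user": "alice", "ip": "10.0.1.20",
     "host": "fs01", "logon_type": 3, "package": "Kerberos"},
    # A computer account renewing; machine accounts are excluded from the check.
    {"time": "2024-05-01T09:15:00", "id": 4769, "user": "WS07$", "ip": "10.0.1.70", "service": "ldap/dc01"},
    # NTLM logon: not Kerberos, so not this detection's business.
    {"time": "2024-05-01T09:20:00", "id": 4624, "user": "bob", "ip": "10.0.1.31",
     "host": "fs01", "logon_type": 3, "package": "NTLM"},
    # Alice's exported ticket injected on 10.0.5.9: service ticket and logon, no 4768 from that host.
    {"time": "2024-05-01T13:15:00", "id": 4769, "user": "alice", "ip": "10.0.5.9", "service": "cifs/fs01"},
    {"time": "2024-05-01T13:15:02", "id": 4624, "user": "alice", "ip": "10.0.5.9",
     "host": "fs01", "logon_type": 3, "package": "Kerberos"},
]


def detect_pass_the_ticket(events, tgt_lifetime=timedelta(hours=10)):
    """Return one alert per (user, source ip) that used Kerberos without a TGT
    request from that ip within tgt_lifetime (the default TGT lifetime)."""
    last_tgt = {}   # (user, ip) -> time of the most recent 4768
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        user, ip = ev["user"].lower(), ev["ip"]
        if user.endswith("$"):
            continue  # computer accounts get their TGTs at boot, often outside the window
        key = (user, ip)
        if ev["id"] == 4768:
            last_tgt[key] = when
            continue
        kerberos_use = ev["id"] == 4769 or (
            ev["id"] == 4624 and ev.get("logon_type") == 3 and ev.get("package") == "Kerberos")
        if not kerberos_use:
            continue
        tgt_time = last_tgt.get(key)
        if (tgt_time is None or when - tgt_time > tgt_lifetime) and key not in alerted:
            alerted.add(key)
            alerts.append({"user": user, "ip": ip, "first_seen": ev["time"],
                           "target": ev.get("service") or ev.get("host")})
    return alerts


if __name__ == "__main__":
    for alert in detect_pass_the_ticket(EVENTS):
        print(alert)
```

Tune tgt_lifetime to your domain's TGT policy; setting it far too low, as the second assertion in the test does, turns Alice's ordinary morning logon into a false positive.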

Variations of Pass the Ticket

  • Pass the Hash (PtH): A related technique where attackers authenticate over NTLM using the NT hash of a user's password instead of the password itself; no Kerberos ticket is involved.

  • Overpass the Hash (OPTH): An extension of PtH in which the stolen NT hash (or AES key) is used to request a genuine TGT from the KDC, turning a hash into Kerberos tickets.

  • Golden Ticket: A forged ticket-granting ticket (TGT) signed with the krbtgt account's key; because the KDC trusts its own key, it grants whatever access the forger wrote into the ticket, across the whole domain, until the krbtgt password has been changed twice.

  • Silver Ticket: A forged Kerberos service ticket (TGS) signed with the target service account's key (often a computer account's), granting access to that one service without the KDC ever seeing a request.
