
Lateral Movement & Privilege Escalation

Aspiring SOC Analyst with hands-on experience in VAPT, firewall configuration, IDS/IPS setup, Windows log monitoring, and network analysis.

Lateral Movement

Moving from one compromised system to another system inside a network.

Attackers do this to:

  • Find valuable data

  • Reach the domain controller

  • Access admin accounts

  • Deploy ransomware across the network

Typical attack path:

  1. Phishing

  2. User's laptop compromised

  3. Lateral movement

  4. Domain controller

  5. Full network control

Important terms:

Inbound: data, requests or traffic entering your device or private network from an external source (like the internet).

Outbound: data or traffic that leaves your device or network for an external destination.

Why attackers perform lateral movement:

Because the first compromised system rarely has valuable data.

e.g. The attacker compromises: an employee laptop

but the target is: file server, Domain Controller (DC), database server.

  • So the attacker moves across the network.

Common lateral movement techniques

1. Pass the Hash (PtH):

The attacker steals a password hash from memory and, instead of cracking the password, reuses the hash directly.

e.g. tools such as Mimikatz, CrackMapExec.

SOC indicators:

  • NTLM authentication anomalies

  • Logins without password usage

2. Pass the Ticket (Kerberos attack):

The attacker steals Kerberos authentication tickets, then uses them to access other machines.

SOC indicators:

  • Suspicious Kerberos ticket usage

  • Unusual TGT activity

3. Remote Desktop Protocol (RDP):

The attacker uses stolen credentials to connect via port 3389.

SOC indicators:

  • Internal RDP connections

  • Unusual login locations

  • Logins outside working hours

4. SMB/Windows admin shares:

The attacker copies tools across machines using \\target\C$

Common tools:

  • PsExec

  • Impacket

  • CrackMapExec

SOC indicators:

  • Suspicious file transfers

  • Admin share access

  • Service creation events

5. Windows Management Instrumentation (WMI):

Allows remote command execution.

e.g. wmic /node:target process call create "malware.exe"

Highly suspicious: an admin's cmd used to remotely execute a program named "malware.exe" on another computer.

Real SOC scenario:

Alert sequence:

  1. Suspicious login to user laptop

  2. Mimikatz executed

  3. Admin's credentials dumped

  4. Attacker logs in to the file server

  5. Ransomware Deployed

Privilege Escalation

It simply means gaining higher privileges.

e.g. user account ---> admin account or high privilege account

Steps:

  1. Pre-engagement

  2. Passive reconnaissance

  3. Active reconnaissance

  4. Service Enumeration

  5. Exploitation (gaining access)

  6. Privilege escalation

Types of privilege escalation

1. Vertical Privilege Escalation:

user --> normal admin/IT help desk --> domain admin/Linux admin (root)

2. Horizontal Privilege Escalation:

user (employee) --> another user (e.g. in HR): the same account type, but with different permissions.

Common Privilege Escalation Techniques

1. Exploiting a software vulnerability:

e.g. outdated Windows kernel, vulnerable drivers.

Attacker runs exploit ---> becomes admin

2. Credential Dumping:

Tools like Mimikatz; LSASS memory dumping.

Extracts admin passwords

SOC indicators:

  • LSASS process access

  • Credential dumping alerts

3. Misconfigured permissions:

e.g. a service runs as SYSTEM but its executable is writable

Attacker replaces the file ---> gains admin access

4. Token impersonation:

Windows access tokens are stolen from high-privilege processes; the attacker impersonates an admin.

5. Scheduled task abuse:

The attacker modifies a scheduled task that runs as admin.

SOC indicators of privilege escalation:

  • Sudden admin rights assignment

  • New admin account creation

  • Service creation events

  • Suspicious LSASS access

  • Privilege escalation exploits

Important Windows event IDs

4672 - Special privilege assigned

4688 - Process creation

4720 - User account created

4732 - User added to admin group
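To show how the indicators and event IDs above turn into detection logic, here is an added example (not from the original post): a small Python correlator run over constructed sample events. The field names, host and account names, the 10-minute window and the KNOWN_ADMINS set are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): the minimal Security-log fields
# a SOC pipeline would forward. Times are ISO-8601 strings.
EVENTS = [
    {"time": "2024-01-10T22:01:00", "id": 4688, "host": "WS-07", "user": "jdoe",
     "cmd": 'wmic /node:FS-01 process call create "malware.exe"'},
    {"time": "2024-01-10T22:03:00", "id": 4720, "host": "DC-01", "user": "jdoe",
     "target": "svc_backup2"},
    {"time": "2024-01-10T22:04:30", "id": 4732, "host": "DC-01", "user": "jdoe",
     "target": "svc_backup2"},
    {"time": "2024-01-10T22:05:00", "id": 4672, "host": "FS-01", "user": "svc_backup2"},
    {"time": "2024-01-11T09:00:00", "id": 4672, "host": "DC-01", "user": "Administrator"},
    {"time": "2024-01-11T09:10:00", "id": 4688, "host": "WS-03", "user": "asmith",
     "cmd": "notepad.exe report.txt"},
]

# Assumption: the accounts the organisation expects to hold special privileges.
KNOWN_ADMINS = {"Administrator"}
# Assumption: 4720 followed by 4732 for the same account within this window
# is treated as "new admin account creation".
NEW_ADMIN_WINDOW = timedelta(minutes=10)


def is_remote_wmi_exec(cmd):
    """4688 command line matching the WMI remote-execution pattern from the notes."""
    c = cmd.lower()
    return "wmic" in c and "/node:" in c and "process call create" in c


def detect(events, known_admins=KNOWN_ADMINS):
    """Return (rule, host, account) alerts for the indicators listed above."""
    alerts = []
    created = {}  # target account -> time of its 4720 event
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4688 and is_remote_wmi_exec(e.get("cmd", "")):
            alerts.append(("remote_wmi_exec", e["host"], e["user"]))
        elif e["id"] == 4720:
            created[e["target"]] = t
        elif e["id"] == 4732:
            born = created.get(e["target"])
            if born is not None and t - born <= NEW_ADMIN_WINDOW:
                alerts.append(("new_admin_account", e["host"], e["target"]))
        elif e["id"] == 4672 and e["user"] not in known_admins:
            # Special privileges assigned to an account not on the admin list
            alerts.append(("unexpected_special_privilege", e["host"], e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In a real pipeline the same rules would read from the SIEM rather than an inline list; the point is that 4720 -> 4732 -> 4672 for one account in a few minutes is the "sudden admin rights" sequence the notes describe.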

Attack chain (real ransomware attack)

  1. Phishing email

  2. User laptop compromise

  3. Credential dumping

  4. Privilege escalation

  5. Lateral movement

  6. Domain Controller Access

  7. Ransomware deployment