How to detect the movement of attackers across the network

On corporate information system security assessment projects in 2019, our pentesters managed to breach the network perimeter of 93% of companies. In 50% of the companies, the internal network could be penetrated in just one step. To prevent real attackers from reaching their goal, it is important to identify their activity in time. One of the critical stages of an attack is lateral movement, when attackers expand their presence on the network.

In this article I'll show which activity counts as movement within the perimeter and how to identify the use of such tactics with network traffic analysis.

What counts as movement within the perimeter

First, let's look at several schemes that will help you understand what stages the attack is divided into.

https://github.com/infosecn1nja/Red-Teaming-Toolkit

red team :

  1. (Recon)

  2. (Initial Compromise)

  3. (Establish Persistence)

  4. (Escalate Privileges)

  5. (Internal Recon)

  6. (Lateral Movement)

  7. (Data Analysis)

  8. 4–7 ( )

  9. (Exfiltration and Complete Mission)

Active Directory Kill Chain, , .

 https://github.com/infosecn1nja/AD-Attack-Defense
  1.  

  2. 2–5

  3. ,

, .

ATT&CK Matrix for Enterprise

ATT&CK, . MITRE. . , – . . , .

Lateral movement ( ) , , , . DCOM, , . .

. , .

, :

  • ASP.NET, DMZ;

  • devops- agusev, ;

  • gpavlov ;

  • DC Administrator.

agusev gpavlov .

1.

, . devops- agusev, . , .

2. BloodHound DCOM (T1021.003)

BloodHound. , agusev Distributed Component Object Model (DCOM). SharpHound ( BloodHound) AGUSEV. Microsoft Management Console (MMC) 2.0.

DCOM    , . , DCOM. , ( MMC 2.0). .

, , , .

AD BloodHound

BloodHound gpavlovAdm, .

3. RDP- (T1021.001 T1570)

RDP- AGUSEV. RDP- kerbrute (https://github.com/ropnop/kerbrute), gpavlovAdm.

Kerbrute . , . BloodHound, gpavlov. , GPAVLOV gpavlov, gpavlovAdm.

BloodHound

kerbrute. 

4. c smbexec (T1021.002)

, gpavlov ( , ). smbexec Impacket. , , — gpavlovAdm. mimikatz SharpSploit (Github).

SharpSploit PowerSploit. PowerShell, SharpSploit — DLL C# .NET . , .

5.

mimikatz SharpSploit . , ntds.dit. secretsdump Impacket (Github).

. ATT&CK.

List of attack techniques

NTA- PT Network Attack Discovery. PT NAD L2–L7, , .

?

, , . , RDP โ€” , , . , DMZ, RDP- . , devops- , .

Dashboards in PT Network Attack Discovery

, RDP-?

SMB- DCERPC. RPC DCOM- Impacket. lateral movement .

Alert: attack using DCOMExec from Impacket detected

— , Impacket. cmd.exe system32 . HTTP-.

- ?

, ; , . «» , — , SPN- Active Directory. , .

Notification of a detected LDAP attack

LDAP. , . , , , , , BloodHound. , , Kerberos. 8380 : . PT NAD Kerberos.

Kerberos sessions

? ?

, gpavlovAdm gpavlov. Kerberos- (KDC) . PT NAD . gpavlovAdm , — . gpavlov , , .

Using the gpavlov account to download SharpSploit

? , ?

, . Service Control Manager Impacket, sharpsloit.dll.

SharpSploit download confirmation

, gpavlovAdm. , โ€” gpavlovAdm. . PT NAD , SCM, , SAM, LSA, SECURITY NTDS. , .

Domain controller registry dump alerts

lateral movement

, , . :

  • COM-, (, MMC 2.0);

  • ;

  • helpdesk Just Enough Administration;

  • ;

  • System.Management.Automation.dll.

: , PT Expert Security Center (PT ESC)



