Threat hunting is not an easy task. The multitude of ways in which attackers can carry out the next stages of an attack makes the detection scenarios seem endless. That is why it is so important to prioritize properly and focus on the stages of the intrusion during which attackers have the least room to manoeuvre. The ideal attack phase for this purpose is the so-called "lateral movement", i.e. the stage in which attackers expand their access to the environment by connecting to more devices. Why this phase? Because of the number of techniques available to the attacker there. If we wanted to draw the number of possible actions at successive stages of an intrusion, the graphic would resemble an hourglass. When it comes to delivering malicious files or scripts, we can list dozens, if not hundreds, of techniques. The same holds for maintaining access, or for collecting and exfiltrating data. However, when an attacker wants to take control of further workstations or servers, the picture is no longer so rosy. Let's look at the number of techniques in MITRE ATT&CK, starting with Initial Access, i.e. the point at which malicious actions against the victim begin:
The number of techniques therefore rises quickly at the environment-access and privilege-escalation stages, drops significantly during lateral movement within the environment, and then rises again for data acquisition and communication with infected hosts. These numbers do not tell the whole story. If we look at the Initial Access tactic, we find two inconspicuous entries there, Spearphishing Link and Spearphishing Attachment. And yet phishing emails of all kinds make up a significant share of all access attempts, and examples of procedures involving different types of attachments and ways of hiding malicious files could be listed almost endlessly. Still, in broad outline, we see clear trends and a narrowing at the lateral movement stage. Why is that?
This is because an attacker trying to deliver malicious tools to the victim or to exploit a vulnerability acts unilaterally: the target is merely the recipient of the capability. When moving within the environment and trying to gain access to more machines, the situation looks completely different. The attacker may try to reuse the same techniques, for example distributing phishing internally or exploiting vulnerabilities in the services found along the way, but this is not very effective. A much more efficient method is to use the remote-management mechanisms that already exist on the other machines, the same ones administrators use. And that requires both the device from which the attacker operates and the target device to be configured for the given tools, with all the consequences this has for the availability of configured tools and for observability based on standard system logs. This is what we might consider the "standard" attack scheme: the attacker obtains information from the environment, such as user logins and passwords, and then uses it to authenticate to subsequent machines. Because this methodology is so common, the attacker's range of capabilities is relatively easy to predict. To illustrate the situation, let's use a cheatsheet, the SANS "Hunt Evil" poster:
So there are in fact seven main techniques that take advantage of the built-in functionality of Windows. Let's look at how analysis of one of them works in practice. As an example we will use remote desktop, i.e. the popular RDP. Combined with obtained user account data, it is a very convenient method of lateral movement, allowing interactive connections to be established with successive hosts. Since it is a remote desktop, the attacker also has a graphical interface and can conveniently use the mouse and desktop to achieve their objectives, such as searching for files on the disk, copying them and compressing them into archives, or exfiltrating data by logging in to webmail in a browser and sending files. Defenders can therefore face a difficult task: the need to detect activity that looks like a simple login to another machine by one of the users. What traces and artifacts can help us here? Detection consists of two components: detecting RDP usage, and analyzing user activity to determine whether that user should be connecting to the given machine. For the first component, information is provided primarily by artifacts showing the launch of processes related to the remote desktop client, mstsc.exe, and, on the side of the device the attacker connects to, the helper processes rdpclip.exe (remote desktop clipboard) and tstheme.exe (shell themes applied after connection). The Security and RDPClient/Operational event logs, on the other hand, let us determine the direction of connections and the user accounts used. In particular, this will be event 4648, i.e. a logon using explicit credentials. Example event from Microsoft documentation:
Here we find not only information about the user but also the target device and the process that triggered the event, which makes analysis easier. In the RDPClient/Operational log, however, it is worth paying attention to the events with IDs 1024 and 1102. The first is related to the ActiveX functionality, which allows additional scripts to be applied, and in its content you will find the entry "RDP ClientActiveX is trying to connect to the server (host name)". Event 1102, in turn, is information about a connection being established, and it contains the destination IP address. We can observe these events on the side of the device initiating the connection; what about the target computer? There, in the Security log, we should look for traces of logon type 10, i.e. a remote interactive logon, which appears in event 4624. Additionally, with remote desktop a user can disconnect and reconnect within an existing session, and these reconnections leave events with ID 4778, while disconnections leave a trace with ID 4779. The content of all these events should show us the IP address and username of the user who logged in to the station.
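To show how the source-side and target-side artifacts described above fit together, here is an added example (not code from the original post or from the SANS poster) that correlates a simplified form of the events into one edge of a lateral movement graph: on the source host, a 4648 raised by mstsc.exe is paired with the following 1102 to obtain the destination IP; on the target host, 4624 with logon type 10 is the session itself, and 4778/4779 for the same account and source IP are counted as reconnects and disconnects. All event records, the host-to-IP table and the 1102 message text are constructed for the example; a real collector would read the Security log and the Microsoft-Windows-TerminalServices-RDPClient/Operational log on each host.

```python
"""Correlate RDP artifacts from the source host and the target host (added example).

Events are constructed here in a simplified dict form; field names are assumptions,
not the exact XML element names of the real Windows events.
"""
import re
from datetime import datetime, timedelta

# Constructed: host name -> IP address, needed to join both sides of the connection.
HOST_IPS = {"WS01": "10.0.0.15", "FS01": "10.0.0.20"}

# Constructed sample events collected on WS01, the host the operator works from.
SOURCE_EVENTS = [
    {"host": "WS01", "log": "Security", "id": 4648, "time": "2024-03-02T02:05:10",
     "subject": "CORP\\jdoe", "target_user": "CORP\\svc_backup",
     "target_server": "FS01.corp.local", "process": r"C:\Windows\System32\mstsc.exe"},
    {"host": "WS01", "log": "RDPClient/Operational", "id": 1024, "time": "2024-03-02T02:05:11",
     "message": "RDP ClientActiveX is trying to connect to the server (FS01.corp.local)"},
    {"host": "WS01", "log": "RDPClient/Operational", "id": 1102, "time": "2024-03-02T02:05:12",
     "message": "(constructed) client connecting to server 10.0.0.20"},
]

# Constructed sample events collected on FS01, the target of the connection.
TARGET_EVENTS = [
    {"host": "FS01", "log": "Security", "id": 4624, "time": "2024-03-02T02:05:14",
     "logon_type": 10, "user": "CORP\\svc_backup", "src_ip": "10.0.0.15"},
    {"host": "FS01", "log": "Security", "id": 4779, "time": "2024-03-02T02:40:00",
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.15"},
    {"host": "FS01", "log": "Security", "id": 4778, "time": "2024-03-02T02:41:30",
     "user": "CORP\\svc_backup", "src_ip": "10.0.0.15"},
    # A network logon (type 3) from the same workstation: not RDP, must be ignored.
    {"host": "FS01", "log": "Security", "id": 4624, "time": "2024-03-02T09:00:00",
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.0.15"},
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _ts(value):
    return datetime.fromisoformat(value)


def outbound_rdp(events, window=timedelta(seconds=30)):
    """Source side: each 4648 raised by mstsc.exe is paired with the next 1102 within `window`."""
    creds = [e for e in events if e["id"] == 4648
             and e.get("process", "").lower().endswith("mstsc.exe")]
    conns = sorted((e for e in events if e["id"] == 1102), key=lambda e: e["time"])
    result = []
    for c in creds:
        t0 = _ts(c["time"])
        for conn in conns:
            if t0 <= _ts(conn["time"]) <= t0 + window:
                m = IP_RE.search(conn["message"])
                result.append({"src_host": c["host"], "subject": c["subject"],
                               "account": c["target_user"], "target_server": c["target_server"],
                               "dest_ip": m.group(1) if m else None, "time": c["time"]})
                break
    return result


def inbound_rdp(events):
    """Target side: one record per logon type 10, with 4778/4779 counts for the same account and source IP.

    Counting by (account, source IP) is a simplification; the real events also carry a session ID.
    """
    sessions = []
    for e in events:
        if e["id"] == 4624 and e.get("logon_type") == 10:
            key = (e["user"], e["src_ip"])
            same = [x for x in events if (x.get("user"), x.get("src_ip")) == key]
            sessions.append({"dst_host": e["host"], "account": e["user"], "src_ip": e["src_ip"],
                             "logon_time": e["time"],
                             "reconnects": sum(1 for x in same if x["id"] == 4778),
                             "disconnects": sum(1 for x in same if x["id"] == 4779)})
    return sessions


def correlate(source_events, target_events, host_ips):
    """Join both sides on account, source IP and destination IP into lateral-movement edges."""
    edges = []
    for out in outbound_rdp(source_events):
        for inn in inbound_rdp(target_events):
            if (out["account"] == inn["account"]
                    and host_ips.get(out["src_host"]) == inn["src_ip"]
                    and out["dest_ip"] == host_ips.get(inn["dst_host"])):
                edges.append({**out, **inn})
    return edges


if __name__ == "__main__":
    for edge in correlate(SOURCE_EVENTS, TARGET_EVENTS, HOST_IPS):
        print(f"{edge['subject']} used {edge['account']} for RDP "
              f"{edge['src_host']} -> {edge['dst_host']} ({edge['dest_ip']}) at {edge['logon_time']}, "
              f"{edge['reconnects']} reconnects, {edge['disconnects']} disconnects")
```

The join on account, source IP and destination IP is what turns two host-local observations into a direction: without the client-side 4648/1102 you only know that someone arrived on FS01 from 10.0.0.15, and without the target-side 4624 you only know that mstsc.exe was pointed at FS01. The edge also exposes the case the 4648 event exists for, a human account (jdoe) supplying the credentials of a different account (svc_backup).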
I will not try to summarize the rest of the poster here; instead I would like to point out why I like the methodology it presents. First of all, the artifacts we discussed in the remote desktop example are native Windows telemetry, both event logs and evidence of program launches in prefetch files. So we do not need any additional tools such as EDR to begin the analysis. In addition, the sources of artifacts are divided into three categories: event logs, registry, and file system. Combined with the fact that there are relatively few lateral movement techniques, this lets us focus on specific detection sources. Of course, this greatly simplifies the problem: merely launching tools related to remote desktop, or events indicating connection to a session, will not be enough to build a detection that does not produce false positives. However, understanding the artifacts attackers leave in the environment is the first step to establishing normal behavior and detecting deviations, and then actual malicious activity. Knowing and seeing which stations users should connect to, when they use them, how often they disconnect and reconnect during a session, or finally noticing users who, for the first time in their working history, are active at two in the morning, we can start verifying individual events,
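The paragraph above lists the kinds of deviations worth verifying: a user reaching a host they never connect to, sessions outside that user's usual hours, unusually frequent reconnects, and one account operating under another's credentials. The following added example (not from the original post) scores session records of the shape a correlation step would produce against a per-principal baseline. The baseline, the session records, the field names and the reconnect threshold are all constructed assumptions for the example; in practice the baseline would be learned from weeks of 4624/4778 history.

```python
"""Score correlated RDP sessions against a behavioural baseline (added example)."""
from datetime import datetime, time

# Constructed baseline: hosts each principal normally reaches over RDP and their usual hours.
BASELINE = {
    "CORP\\jdoe": {"hosts": {"WS02", "APP01"}, "hours": (time(7, 0), time(19, 0))},
    "CORP\\svc_backup": {"hosts": {"BK01"}, "hours": (time(0, 0), time(23, 59))},
}

# Constructed session records: `subject` is who supplied the credentials (from 4648),
# `account` is the account that actually logged on (from 4624 type 10).
SESSIONS = [
    {"subject": "CORP\\jdoe", "account": "CORP\\jdoe", "src_host": "WS01", "dst_host": "APP01",
     "logon_time": "2024-03-01T10:15:00", "reconnects": 1},
    {"subject": "CORP\\jdoe", "account": "CORP\\svc_backup", "src_host": "WS01", "dst_host": "FS01",
     "logon_time": "2024-03-02T02:05:14", "reconnects": 6},
]


def score_session(session, baseline, max_reconnects=3):
    """Return the list of reasons a session deviates from the baseline (empty if it looks normal)."""
    reasons = []
    account = session["account"]
    subject = session["subject"]

    # Destination host is judged against the account that logged on.
    profile = baseline.get(account)
    if profile is None:
        reasons.append(f"no RDP baseline for {account}")
    elif session["dst_host"] not in profile["hosts"]:
        reasons.append(f"first RDP from {account} to {session['dst_host']}")

    # Working hours are judged against the human who initiated the connection.
    when = datetime.fromisoformat(session["logon_time"]).time()
    person = baseline.get(subject)
    if person is not None:
        start, end = person["hours"]
        if not (start <= when <= end):
            reasons.append(f"{subject} active at {when.strftime('%H:%M')}, outside usual hours")

    # Credentials of a different account supplied from an interactive user's session.
    if subject != account:
        reasons.append(f"explicit credentials: {subject} logged on as {account}")

    # Many 4778 reconnects within one session is unusual for ordinary admin work.
    if session["reconnects"] > max_reconnects:
        reasons.append(f"{session['reconnects']} reconnects (4778) in one session")

    return reasons


def hunt(sessions, baseline):
    """Keep only sessions with at least one deviation, together with their reasons."""
    findings = []
    for s in sessions:
        reasons = score_session(s, baseline)
        if reasons:
            findings.append({"edge": f"{s['src_host']} -> {s['dst_host']}",
                             "account": s["account"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SESSIONS, BASELINE):
        print(f["edge"], f["account"])
        for r in f["reasons"]:
            print("   -", r)
```

Separating the two principals matters: the destination check asks whether svc_backup belongs on FS01, while the hours check asks whether jdoe, the person at the keyboard, normally works at 02:05. Each reason is kept as text so an analyst can see why a session surfaced rather than receiving only a score.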
From a threat hunting perspective, lateral movement is a special phase in many ways. It proves that the attacker has already gained access to the environment but has not yet achieved their goals, and may only just have begun reconnaissance of the infrastructure. The limited number of techniques is therefore an opportunity for defenders to exploit a stressful situation for attackers: before they can carry out their intended tasks, they can no longer avoid leaving the traces that normal operation of the system produces, such as artifacts of launching individual tools or of logging on to workstations. This reverses the often-repeated phrase "attackers only have to succeed once, defenders have to succeed every time." Once the attacker is operating inside the environment, defenders only need to "get it once", because a single detection can lead to access being cut off and to tracing how that access was obtained in the first place. The seven techniques indicated do not exhaust all the possibilities for moving around the environment, but by ensuring visibility and detection capability for them, we radically limit the attackers' options, forcing them to use more complex and thus less reliable ones. And the more the attackers' hands are tied and the more complicated the actions they have to perform, the greater the chance that they make a mistake.