{"id":1247,"date":"2023-04-27T22:16:14","date_gmt":"2023-04-27T20:16:14","guid":{"rendered":"https:\/\/counterintelligence.pl\/?p=1247"},"modified":"2023-04-27T22:16:16","modified_gmt":"2023-04-27T20:16:16","slug":"atakujacy-w-waskim-gardle-lateral-movements-i-threat-hunting","status":"publish","type":"post","link":"https:\/\/counterintelligence.pl\/en\/2023\/04\/atakujacy-w-waskim-gardle-lateral-movements-i-threat-hunting\/","title":{"rendered":"Attackers in the bottleneck - lateral movements and threat hunting"},"content":{"rendered":"

Threat hunting is not an easy task<\/a>. The multitude of ways in which attackers can implement the next stages of the attack makes the detection scenarios seem endless. That is why it is so important to properly prioritize and focus on the stages of the intrusion during which attackers have less room to manoeuvre. And the ideal attack phase for this purpose is the so-called \"lateral movements\", i.e. the stage when attackers expand access to the environment by connecting to more devices. Why this phase? This is due to the amount of technique that the attacker can use. If we wanted to present the number of possible combinations of actions at subsequent stages of intrusion, our graphics would resemble an hourglass. In terms of ways to deliver malicious files or scripts, we can list dozens, if not hundreds, of techniques. Similarly in the case of maintaining access, or collecting and exfiltrating data. However, when an attacker wants to take control of subsequent workstations or servers, the matter does not look so bright anymore. Let's look at the number of techniques contained in MITER ATT&CK, starting with Initial Access, i.e. when malicious actions against the victim begin:<\/p>\n\n\n

\n
\"\"<\/figure>\n<\/div>\n\n\n

The number of techniques therefore increases quickly at the environmental access and privilege elevation stages, drops significantly during horizontal movements in the environment, and then increases again in terms of data acquisition and communication with infected hosts. These figures do not tell the whole picture. If we look at the example of the Initial Access tactic, we will find two inconspicuous entries there Spearphishing Link<\/a> and Spearphishing Attachment<\/a>. And yet all kinds of phishing emails constitute a significant part of all access attempts and examples of procedures related to the use of various types of attachments, hiding malicious files can be mentioned almost endlessly. Still, in the general outline, we see clear trends and narrowing in the stage of movements in the environment. Why is it like that?<\/p>\n\n\n\n

This is because an attacker trying to send malicious tools to his victim or exploit a vulnerability acts unilaterally, the target is only the recipient of the ability. In the case of movements in the environment and attempts to gain access to more machines, the situation will look completely different. The attacker may try to reuse the same techniques and, for example: distribute phishing internally<\/a> or exploit vulnerabilities in found ones<\/a> services, however, this will not be very effective. A much more efficient method is to use already existing methods of remote management of other machines, such as those used by administrators. And this already requires that both the device from which the attacker will operate and the target device be configured to use the given tools with all the consequences related to the availability of configured tools and the possibility of observation based on standard system logs. This is what we might consider the \"standard\" attack scheme, when the attacker obtains information from the environment, such as passwords and user logins, and then uses them to authenticate access to subsequent machines. And using this common methodology, its range of capabilities is relatively easy to predict. To illustrate this situation, let's use a cheatsheet which is a poster by SANS "Hunt Evil<\/a>„:<\/p>\n\n\n\n\n \n