Cyber Security News

Tracing the Steps of Cyber Intruders: The Path of Lateral Movement

When cyber attacks strike, it’s rarely a single computer that suffers. Nowadays, cybercriminals set their sights on corporate networks, aiming to infiltrate and compromise multiple systems. But how do these bad actors manage to breach large networks?

It all starts with a foothold. Whether through brute-force attacks on remote desktop protocols, exploiting vulnerabilities in public-facing applications, or cleverly crafted phishing emails that lure unsuspecting employees, cybercriminals find their way in. Once inside, they start their lateral movement—exploring the network, seeking out valuable assets, and spreading their reach.

The traces of this lateral movement are crucial clues for cybersecurity teams. They help identify compromised assets, assess the extent of the breach, and shore up vulnerabilities to prevent further damage. By understanding the tactics employed by these threat actors, you can pinpoint where to look for signs of compromise on affected machines, and with the right computer forensics tools, analyzing these areas becomes more efficient.

Most common lateral movement techniques

Lateral movement is a critical phase in a cyber attack, where hackers pivot from their initial breach point to other systems within the network. This maneuver allows them to access more resources and escalate their attack, amplifying the potential damage.

This phase is a prime opportunity for cybersecurity teams. It’s when threat actors’ activities are most exposed, offering a chance to detect the techniques and tools being used. Here are some key areas of interest for cyber incident response investigators:

  • Remote Services:

To move laterally, nefarious actors often exploit remote services like Remote Desktop Protocol (RDP). These services allow them to transfer files, execute commands, or seize control of other machines within the network.

  • SMB Protocol:

Attackers may use the Server Message Block (SMB) protocol, which Windows networks use for sharing resources like files and printers, to move laterally and spread malware.

  • System Tools:

Attackers frequently abuse legitimate tools and processes already on systems to conduct malicious activities, making detection more challenging. Examples include PsExec and PowerShell.

Delving into RDP connections

You can find evidence of RDP usage on compromised machines by reviewing entries from the Windows registry and event logs.

Digital forensics tools are invaluable in this process. They extract and categorize data acquired from computers, making it easier to locate relevant digital artifacts for cyber incident investigations.

For instance, this is how Belkasoft X displays outgoing RDP connections from the supplied data source:

Figure 1: Information on outgoing connection extracted from Windows Registry shown in Belkasoft X

The registry path for RDP connection details is typically found at:

Software\Microsoft\Terminal Server Client\Servers

In the highlighted example, the Administrator account was used for logging in to the host with IP address 192.168.1.79 via RDP. But what about incoming RDP connections? Yes, those can be uncovered too!

To find details on incoming connections, you can analyze the Windows Event Logs, specifically the Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational logs.

Since we know the Administrator account was involved, we can apply a filter to the security logs to focus on events associated with that account.
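The same two checks can be reproduced without a forensic suite. The PowerShell below is an added example, not from the article or from Belkasoft, and assumes the account under review is Administrator, as in the article's scenario. The registry locations are the ones named above; the event IDs are standard Windows values (LocalSessionManager/Operational 21 = session logon succeeded, 25 = session reconnect; Security 4624 with logon type 10 = RemoteInteractive, i.e. RDP). The hive-name and path used for another user's profile are placeholders.

```powershell
# Added example (not part of the article): collecting RDP traces with PowerShell.
# Run in an elevated session on the host under review. $Account is taken from the
# article's scenario and is an assumption.
$Account = 'Administrator'

# 1) Outgoing RDP: one subkey per remote host under Terminal Server Client\Servers, with the
#    account used stored in UsernameHint. The Default key holds the MRU list of hosts typed into
#    mstsc. HKCU covers the logged-on user only; for another profile, load its NTUSER.DAT with
#    "reg.exe load HKU\Suspect <path>" and replace 'HKCU:' with 'Registry::HKEY_USERS\Suspect'.
$tsc = 'HKCU:\Software\Microsoft\Terminal Server Client'
if (Test-Path "$tsc\Servers") {
    Get-ChildItem "$tsc\Servers" | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ RemoteHost = $_.PSChildName; UsernameHint = $p.UsernameHint }
    } | Format-Table -AutoSize
}
if (Test-Path "$tsc\Default") {
    (Get-ItemProperty -Path "$tsc\Default").PSObject.Properties |
        Where-Object Name -like 'MRU*' |
        Select-Object Name, Value
}

# 2) Incoming RDP sessions: LocalSessionManager/Operational, ID 21 (logon) and 25 (reconnect).
#    The user, session ID and source address live in the event's UserData block.
$lsm = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $lsm; Id = 21, 25 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            User      = $x.Event.UserData.EventXML.User
            SessionId = $x.Event.UserData.EventXML.SessionID
            Source    = $x.Event.UserData.EventXML.Address
        }
    } | Where-Object { $_.User -like "*\$Account" } | Format-Table -AutoSize

# 3) Security log narrowed to the account: 4624 with LogonType 10 is a RemoteInteractive (RDP) logon.
$xpath = "*[System[EventID=4624] and EventData[Data[@Name='TargetUserName']='$Account' and Data[@Name='LogonType']='10']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            SourceIp = ($d | Where-Object Name -eq 'IpAddress').'#text'
            LogonId  = ($d | Where-Object Name -eq 'TargetLogonId').'#text'
        }
    } | Format-Table -AutoSize
```

On an acquired image, point step 2 and 3 at the exported files by replacing `LogName = ...` with `Path = 'C:\case\<log>.evtx'` in the filter hashtable; the source address in the 21/25 events and the IpAddress in 4624 are what ties an incoming session back to the host it came from.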

Figure 2. With the filter applied, the tool only shows the entries of interest
Figure 3. Security logs narrowed down to Administrator actions

If a trojan is suspected, further investigation is necessary. You can delve into record details in the Artifacts window on the Structure tab.

Figure 4. Information on an incoming connection extracted from Windows Event Logs shown in Belkasoft X

Analyzing SMB/Windows Admin Share

RDP might be popular, but it is hardly the only technique adversaries employ for lateral movement. SMB/Windows Admin Share is another technique that is widely used. Threat actors use the SMB/Windows Admin Share technique during the reconnaissance phases of their attacks to learn more about potential targets in the network, especially if they already possess privileged credentials. The technique also comes in handy when attackers have to transfer their tools or malware from an initially compromised host to other hosts.

The easiest way to uncover behavior pointing to SMB/Windows Admin Share exploitation is to search for c$, d$, or admin$ keywords. Digital forensics tools allow you to run searches against all records in the case. Here is an example of a c$ usage record found by Belkasoft X under the Recent inputs in the start menu prompt category.

Figure 5. Evidence of a network share usage extracted by Belkasoft X

If you know that the administrator account was compromised, you can also go into its registry file, examine the RunMRU key (which maintains the list of entries executed through Start > Run command), and check for entries with c$, d$, or admin$ keywords.
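An added example, not from the article or from Belkasoft, of the RunMRU check done by hand against an NTUSER.DAT copied out of the compromised account's profile, plus the matching trace on the host that was reached. The hive path and the temporary hive name are placeholders. Security event 5140 (a network share object was accessed) is a standard Windows event that records the share name and client address when the "Audit File Share" policy is enabled; it is not mentioned in the article and is added here as the target-side counterpart of the RunMRU entry.

```powershell
# Added example (not part of the article): hunting for admin-share use in the compromised
# account's RunMRU key and, on the host that was reached, in the Security log.
# $HivePath is a placeholder for the NTUSER.DAT copied out of that account's profile.
$HivePath   = 'C:\case\Administrator\NTUSER.DAT'
$shareRegex = '(?i)\\\\[^\\]+\\(c\$|d\$|admin\$)'   # \\host\c$, \\host\d$, \\host\admin$

# 1) RunMRU from the offline hive. reg.exe mounts it under HKEY_USERS; unload it afterwards.
reg.exe load 'HKU\SuspectHive' $HivePath | Out-Null
try {
    $runMru = 'Registry::HKEY_USERS\SuspectHive\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (Test-Path $runMru) {
        $mru = Get-ItemProperty -Path $runMru
        # MRUList holds the single-letter value names, most recent first; each entry ends in "\1".
        if ($mru.MRUList) {
            foreach ($c in $mru.MRUList.ToCharArray()) {
                $letter = [string]$c
                $entry  = ($mru.$letter) -replace '\\1$', ''
                $flag   = if ($entry -match $shareRegex) { 'ADMIN SHARE' } else { '' }
                [pscustomobject]@{ Order = $letter; Command = $entry; Flag = $flag }
            }
        }
    }
}
finally {
    [gc]::Collect()                                   # drop handles before unloading
    reg.exe unload 'HKU\SuspectHive' | Out-Null
}

# 2) On the target host: Security 5140 names the share and the client address. Use
#    Path='C:\case\Security.evtx' in a FilterHashtable for an exported log instead of LogName.
$xpath = '*[System[EventID=5140] and EventData[Data[@Name="ShareName"]="\\*\C$" or Data[@Name="ShareName"]="\\*\ADMIN$"]]'
Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = ($d | Where-Object Name -eq 'SubjectUserName').'#text'
            ClientIp = ($d | Where-Object Name -eq 'IpAddress').'#text'
            Share    = ($d | Where-Object Name -eq 'ShareName').'#text'
        }
    } | Format-Table -AutoSize
```

The regex deliberately requires a UNC prefix, so a local `C:\` path in RunMRU is not flagged; extend the alternation if the environment exposes other drive-letter shares.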

Investigating PsExec and PowerShell usage

When cyber attackers move laterally through networks, they often rely on executing scripts or malware on remote hosts, frequently using tools like PsExec and PowerShell.

PsExec, a free Microsoft tool, allows users to run programs on remote computers. While it is a handy tool for system administrators to manage networked systems, it is also attractive to threat actors for its ability to execute commands, scripts, or binaries on remote systems.

Popular adversary frameworks like Cobalt Strike use techniques similar to PsExec, too. In fact, PsExec and the corresponding Cobalt Strike modules combine two techniques: admin shares and new service creation.

When a new service is created in a system, Windows generates logs for event ID 7045. Event ID 7045 corresponds to event ID 4697 in security events, and by examining it, you can find execution details. Belkasoft X has a section dedicated to entries with this ID. See System log, 7045 below.

Figure 7. Evidence pointing to Cobalt Strike’s PsExec execution shown in Belkasoft X

Another Cobalt Strike module similar to PsExec relies on PowerShell, which is also popular among all sorts of threat actors. This module is known as psh_psexec. Its activity is captured in the PowerShell event logs and, as event ID 7045, in the System log:

Figure 8. A service created by Cobalt Strike’s psh_psexec command

These services are easy to detect because they are started with recognizable names and arguments.
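An added example, not from the article or from Belkasoft, that pulls the 7045 service-install events from an acquired System.evtx and flags the patterns the article describes: the PsExec service, a binary staged on an admin share, and a service whose image path launches an encoded PowerShell command. The EVTX path is a placeholder; the EventData field names (ServiceName, ImagePath, AccountName) are the standard ones for 7045, and the same details appear in Security 4697 as ServiceName and ServiceFileName when that audit is enabled. The short-random-name rule is a heuristic, not a fact from the article.

```powershell
# Added example (not part of the article): triaging 7045 service-install events for
# PsExec-style lateral movement. $EvtxPath is a placeholder; on a live host use
# @{ LogName = 'System'; Id = 7045 } instead.
$EvtxPath = 'C:\case\System.evtx'

# Each rule receives the service name and image path and returns $true on a match.
$rules = [ordered]@{
    'PsExec service'               = { param($n, $p) $n -eq 'PSEXESVC' -or $p -match '(?i)psexesvc' }
    'Binary staged on admin share' = { param($n, $p) $p -match '(?i)\\\\[^\\]+\\(admin|c|d)\$\\' }
    'Encoded PowerShell command'   = { param($n, $p) $p -match '(?i)powershell.*-(e|ec|enc|encodedcommand)\b' }
    'Short random-looking name'    = { param($n, $p) $n -match '^[A-Za-z0-9]{7,8}$' }   # heuristic
}

Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 7045 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d    = ([xml]$_.ToXml()).Event.EventData.Data
        $name = ($d | Where-Object Name -eq 'ServiceName').'#text'
        $path = ($d | Where-Object Name -eq 'ImagePath').'#text'
        $hits = foreach ($r in $rules.GetEnumerator()) { if (& $r.Value $name $path) { $r.Key } }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Service = $name
            Account = ($d | Where-Object Name -eq 'AccountName').'#text'
            Image   = $path
            Flags   = ($hits -join '; ')
        }
    } | Where-Object Flags | Format-Table -Wrap
```

Legitimate PsExec use by administrators will also trip the first rule, so the time of the event, the account that installed the service and the host it was staged from are what separate routine administration from lateral movement.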

Conclusion

Most cyberattacks are characterized by activities involving lateral movement. In this phase, threat actors typically explore networks to find the most vulnerable elements. The techniques we reviewed in this paper see a lot of use, and the chances of you encountering them—in an incident response engagement—are pretty high.

When you know where to look (sensitive locations and files from the registry and event logs) and use the right tools, uncovering lateral movement becomes more straightforward.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
