Lateral Movement Explained

An overview of lateral movement: how it is used by cyber attackers and threat actors, and how it is applied during a penetration test or red team engagement.

What is Lateral Movement?

Lateral movement is the technique that a cyber attacker or threat actor uses, after gaining a foothold, to traverse the rest of the network. An attacker typically performs lateral movement to obtain valuable secrets or other sensitive data that will grant access to more endpoints or allow privilege escalation.
Aptive use lateral movement to simulate the role of a real cyber attacker and demonstrate the risk of an external breach to an organisation, allowing them to learn how far a malicious user could travel through the network and what sensitive information they could gain access to.

Real World Example of Lateral Movement: Cryptocurrency Mining

Recently, lateral movement has been leveraged by attackers and automated tools to compromise as many hosts as possible and mine cryptocurrency on the compromised hosts.

How do Attackers Gain Access to the Network?

Some of the most common entry points are unpatched systems, poorly hardened systems, vulnerable web applications, phishing and malware infection.
For an in-depth answer specifically for your organisation consider requesting a quote for our penetration testing service.

Lateral Movement Process

Lateral movement requires the attacker to find a way to move through the target network. Privilege escalation may or may not be required on the entry-point machine, depending on the level of the account that was originally compromised and whether the host has previously undergone a build hardening review.

Environment Mapping (Recon)

The attacker learns the network: the subnet structure, usernames and naming conventions, and what threat detection systems are in place, such as anti-virus. The enumeration at this point allows the attacker to make informed decisions about how to pivot through the network while trying to evade detection.

Lateral Movement Techniques

For an attacker to move through the network they need to either exploit a service such as SSH or RDP, or obtain valid credentials via social engineering, by cracking a captured hash, or from dumped credentials. Below are a number of techniques an attacker could leverage to move through the network:

  • Local Enumeration – Identify stored passwords in history files or locally stored text files.
  • SSH Keys – Locally stored SSH keys are an easy way for an attacker to perform lateral movement via SSH.
  • SSH Hijacking – Various techniques exist that allow an attacker to hijack an SSH session and gain access to downstream servers.
  • Responder – A tool that performs LLMNR spoofing: it listens for NetBIOS names (or other services) that fail to resolve and pretends to be that service; the user's machine then sends their password hash, which can be cracked offline using tools like Hashcat.
  • Mimikatz – A tool that extracts plaintext passwords from memory.
  • Pass the Hash – A technique where a captured password hash is passed directly to the service for authentication, removing the requirement to crack the hash to recover the password.
  • Keyloggers – A keylogger could be placed on the system to capture passwords without the victim realising.
  • Pass the Ticket – Requires a domain controller compromise; once compromised, an attacker can generate a Kerberos golden ticket, allowing them to log in even after a password change.

Once an attacker has gained access to the network, they can usually continue to move throughout it, often undetected, because the traffic typically looks like normal network traffic.
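The point above, that pivoting blends into ordinary traffic, is why defenders look for patterns rather than individual connections. As an added example that is not part of the original article, the Python below scans a constructed connection log and flags any source host that reaches an unusually large number of distinct internal hosts over SSH or RDP within a short window, the fan-out that a pivoting attacker produces and a normal user rarely does. The log line format, the five-minute window, the threshold of four hosts and the sample records are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>").
# 10.0.1.15 fans out to six hosts in under two minutes; 10.0.1.40 behaves normally.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.1.15 -> 10.0.1.20:22
2024-03-01T09:00:07 10.0.1.15 -> 10.0.1.21:22
2024-03-01T09:00:15 10.0.1.15 -> 10.0.2.5:3389
2024-03-01T09:00:32 10.0.1.15 -> 10.0.2.6:3389
2024-03-01T09:01:03 10.0.1.15 -> 10.0.2.7:22
2024-03-01T09:01:40 10.0.1.15 -> 10.0.3.9:22
2024-03-01T09:00:05 10.0.1.40 -> 10.0.1.20:22
2024-03-01T09:30:00 10.0.1.40 -> 10.0.1.20:22
2024-03-01T09:00:09 10.0.1.40 -> 10.0.9.9:443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
LATERAL_PORTS = {22, 3389}  # SSH and RDP, the services the article names


def parse(log_text):
    """Yield (timestamp, src, dst, port) for well-formed lines; skip malformed ones."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_fanout(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {src: distinct_destinations} for every source that reached at least
    `threshold` distinct hosts on SSH/RDP inside some sliding window of length `window`."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        if port in LATERAL_PORTS:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each event can anchor a window start
        for i, (start, _) in enumerate(evs):
            dsts = {d for t, d in evs[i:] if t - start <= window}
            if len(dsts) >= threshold:
                flagged[src] = dsts
                break
    return flagged
```

Tune the window and threshold to the environment; a jump host or vulnerability scanner will legitimately trip this rule and should be allow-listed rather than have the threshold raised for everyone.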

Why do attackers perform Lateral Movement?

Attackers use different tools and techniques to gain higher privileges, which allow them to access more sensitive data, which in turn is used to gain access to other machines within the network.

What are the Stages of Lateral Movement?

Reconnaissance (environment mapping), Credential Dumping / Privilege Escalation, Gaining Access, Remaining Undetected.