HTB Certified Active Directory Pentesting Expert is live! (25% OFF on Gold Annual Plan — for a limited time!) Learn More

Windows Lateral Movement

Windows lateral movement involves techniques to navigate and control remote systems within a network, primarily after gaining initial access. It is crucial in offensive and defensive cybersecurity strategies, allowing attackers to escalate privileges, access sensitive data, and expand their network presence while helping defenders understand, identify, and mitigate such movements. This module delves into various lateral movement techniques on Windows systems, providing a comprehensive understanding and practical examples of executing and defending against these methods.

4.42

Created by plaintextHTB

Medium Offensive

Summary

This module offers an extensive exploration of lateral movement techniques within Windows networks. By understanding and practicing these techniques, students will enhance their skills in both offensive security and defensive measures. The focus will be on various tools and protocols used for lateral movement, including RDP, SMB, WMI, WinRM, DCOM, SSH, and others.

In this module, we will cover the following:

  • Common tools and protocols used for lateral movement.
  • Abusing Windows Common Services for lateral movement.
  • Different techniques for executing lateral movement.
  • Hands-on exercises to practice the discussed techniques.
  • Defensive strategies to detect and mitigate lateral movement.

This module is divided into sections with accompanying hands-on exercises to reinforce the concepts presented. The module concludes with a practical skills assessment to evaluate your understanding of the covered topics.

This module is classified as "Medium" and assumes a working knowledge of Windows systems and network fundamentals. Prior familiarity with the following topics is recommended for successful completion of this module:

Introduction

Introduction to Windows Lateral Movement

Lateral movement refers to the techniques we use to move through a network after gaining initial access. By understanding lateral movement, attackers and defenders can better navigate and secure networks. This knowledge allows defenders to implement more effective security measures and helps attackers identify and exploit weaknesses in network defenses, ultimately leading to a more robust and resilient security posture.

Description of Lateral Movement

Lateral movement involves moving from one system to another within a network, often with the goal of escalating privileges or accessing sensitive data. Using lateral movement techniques, we can move deeper into a network in search of credentials, sensitive data, and other high-value assets.

To perform a lateral movement, we need any form of credentials, including passwords, hashes, tickets, SSH keys, and session cookies. We can leverage those to connect to a remote computer in the network. Effective lateral movement requires a deep understanding of network architectures and the ability to identify services and protocols we can leverage to execute code on remote systems.

MITRE ATT&CK Framework

The MITRE ATT&CK framework defines lateral movement as techniques used to enter and control remote systems on a network. This often involves exploring the network, pivoting through multiple systems and accounts, and using either remote access tools or legitimate credentials with native tools.

MITRE ATT&CK lists several techniques for lateral movement, including:

Technique ID Name Description
T1021 Remote Services Use of legitimate remote services like RDP, SMB, and SSH to move through a network.
T1021.001 Remote Desktop Protocol (RDP) Using RDP to interact with a remote system's desktop.
T1021.002 SMB/Windows Admin Shares Exploiting SMB shares to access files and execute commands.
T1021.003 Distributed Component Object Model Using DCOM to interact with software components on remote systems.
T1021.004 SSH Utilizing SSH to securely connect and control remote systems.
T1021.005 VNC Using VNC for remote control of systems.
T1077 Windows Admin Shares Abusing administrative shares for lateral movement.
T1080 Taint Shared Content Modifying shared content to execute malicious code.
T1105 Ingress Tool Transfer Transferring tools or files to remote systems for execution.
T1210 Exploitation of Remote Services Exploiting vulnerabilities in remote services to gain access.
T1550 Use Alternate Authentication Material Using stolen tokens, keys, or certificates for authentication.
T1563 Remote Service Session Hijacking Hijacking legitimate remote service sessions.
T1563.001 SSH Hijacking Hijacking SSH sessions.
T1569 System Services Utilizing system services to execute commands or move laterally.
T1569.001 Launchctl Using the launchctl command to manage launch services on macOS.
T1569.002 Service Execution Executing commands or scripts using system services.
T1570 Lateral Tool Transfer Moving tools from one system to another within a network.

These techniques illustrate the various methods we can use to navigate and control remote systems within a network.

Networks & Systems

Understanding how networks and systems work is crucial to performing lateral movement. Our initial step is to identify or map the network devices that we can target; we can do that through port scanning, ping sweep, or using Active Directory information.

Once we understand the network, we need to be aware that some systems may be out of reach because of network segmentation or firewall restrictions. In those cases, we need to think outside the box to get access to those services. Let's divide these scenarios into direct lateral movement and indirect lateral movement.

Direct Lateral Movement

Direct lateral movement is where we can execute commands directly on the target machine and force the target machine to connect back to us. For example, if we compromise SRV01 and need to move laterally to SRV02, we can use PSExec from SRV01 to execute commands on SRV02 and obtain a session or shell on SRV02.

text

Indirect Lateral Movement

Indirect lateral movement involves executing commands on the target machine when it receives instructions from another system. For example, suppose we can't reach SRV02 directly from SRV01 due to a network firewall restriction, but SRV02 can connect to the Windows Update Server (WSUS). In this case, if we compromise the WSUS server and create a fake Windows Update that executes our desired command, once SRV02 retrieves the update, it will run our malicious update, allowing us to obtain a shell on SRV02.

text

In the following section, we will create some examples for testing both scenarios.

Command Execution

As we see, command execution is very important when working with lateral movement. The ability to execute commands can help us gain access to remote services. Throughout this module, we will use different methods to execute commands or payloads that will be helpful when dealing with networks that employ various security mechanisms.

Topology of the Lab

To provide hands-on experience, the lab topology will simulate a typical corporate network environment, including:

  • Multiple network segments: Representing different departments or security zones.
  • Key infrastructure components: Domain controllers, update servers, and management servers.

We will practice identifying and exploiting lateral movement opportunities, reinforcing our understanding of the techniques and defenses discussed.

Network Segmentation

Understanding network segmentation is crucial for effectively performing lateral movement as attackers. Network segmentation involves dividing a network into smaller, isolated segments to limit the spread of an attack. Proper network segmentation can:

  • Contain breaches: Restrict our movement and reduce the attack surface.
  • Enhance monitoring: Allow for more focused and effective monitoring of network traffic.
  • Improve access control: Enforce strict access policies between different segments.

text

In the above image, we can see a high-level overview of the network topology. There are three network segments, and the device that determines which network can reach the other is the Switch Layer 3. In other networks, this device can be a router, a Linux server, or a firewall. Understanding how these devices control communication between segments is essential for planning lateral movement.

Through testing, we can identify which communication is allowed, but in this case, we will start the engagement from an assumed breach scenario.

Not all servers will be available in every section; sometimes, we will start from a different server. This variability highlights the importance of understanding network segmentation and its impact on our ability to move laterally.

By the end of this module, we will have a solid foundation in Windows lateral movement, providing us with the knowledge to carry out and defend against these advanced attacks.

Sign Up / Log In to Unlock the Module

Please Sign Up or Log In to unlock the module and access the rest of the sections.

Relevant Paths

This module progresses you towards the following Paths

Active Directory Penetration Tester

The Active Directory Penetration Tester Job Role Path is designed for individuals who aim to develop skills in pentesting large Active Directory (AD) networks and the components commonly found in such environments. This path equips students with the skills needed to evaluate the security of AD environments, navigate complex Windows networks, and identify elusive attack paths. This path includes advanced hands-on labs where participants will practice techniques such as Kerberos attacks, NTLM relay attacks, and the abuse of services like AD Certificate Services (ADCS), Exchange, WSUS, and MSSQL. Students will also learn how to exploit misconfigurations in Active Directory DACLs and Domain Trusts, perform evasion tactics in Windows environments, and leverage Command and Control (C2) frameworks for post-exploitation activities. By combining theoretical foundations with practical exercises and a structured methodology for identifying AD vulnerabilities, this path enables students to conduct professional security assessments on complex AD infrastructures and effectively report security weaknesses discovered by chaining multiple vulnerabilities.

Hard Path Sections 253 Sections
Required: 7100
Reward: +1420
Path Modules
Medium
Path Sections 36 Sections
Reward: +20
Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we must understand AD architectures and how to secure our enterprise environments. As Penetration testers, having a firm grasp of what tools, techniques, and procedures are available to us for enumerating and attacking AD environments and commonly seen AD misconfigurations is a must.
Medium
Path Sections 12 Sections
Reward: +100
This module provides an overview of Active Directory (AD), introduces core AD enumeration concepts, and covers enumeration with built-in tools.
Medium
Path Sections 9 Sections
Reward: +100
This module covers AD enumeration focusing on the PowerView and SharpView tools. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.
Medium
Path Sections 14 Sections
Reward: +100
This module covers AD enumeration focusing on the BloodHound tool. We will cover various techniques for enumerating key AD objects that will inform our attacks in later modules.
Medium
Path Sections 14 Sections
Reward: +100
Windows lateral movement involves techniques to navigate and control remote systems within a network, primarily after gaining initial access. It is crucial in offensive and defensive cybersecurity strategies, allowing attackers to escalate privileges, access sensitive data, and expand their network presence while helping defenders understand, identify, and mitigate such movements. This module delves into various lateral movement techniques on Windows systems, providing a comprehensive understanding and practical examples of executing and defending against these methods.
Medium
Path Sections 27 Sections
Reward: +100
Active Directory presents a vast attack surface and often requires us to use many different tools during an assessment. The CrackMapExec tool, known as a "Swiss Army Knife" for testing networks, facilitates enumeration, attacks, and post-exploitation that can be leveraged against most any domain using multiple network protocols. It is a versatile and highly customizable tool that should be in any penetration tester's toolbox.
Hard
Path Sections 23 Sections
Reward: +100
Kerberos is an authentication protocol that allows users to authenticate and access services on a potentially insecure network. Due to its prevalence throughout an Active Directory environment, it presents us with a significant attack surface when assessing internal networks. This module will explain how Kerberos works thoroughly and examines several scenarios to practice the most common attacks against it from multiple perspectives.
DACL Attacks I
mini module tag Mini-Module
Hard
Path Sections 7 Sections
Reward: +100
Discretionary Access Control Lists (DACLs), found within security descriptors, are a fundamental component of the security model of Windows and Active Directory, defining and enforcing access to the various system resources. This mini-module will cover enumerating and attacking common DACL misconfigurations, allowing us to escalate our privileges horizontally and vertically and move laterally across an Active Directory network.
DACL Attacks II
mini module tag Mini-Module
Hard
Path Sections 9 Sections
Reward: +100
In this second module on Discretionary Access Control Lists (DACLs), we delve into sophisticated attack techniques and strategies within Windows Active Directory environments. Building on the foundation laid in DACL Attacks I, this module explores other DACL misconfigurations and their exploitation. We also introduce methods for detecting and mitigating these DACL-based attacks, equipping learners with both offensive and defensive skills crucial for safeguarding and compromising Active Directory networks.
Hard
Path Sections 10 Sections
Reward: +100
The NTLM authentication protocol is commonly used within Windows-based networks to facilitate authentication between clients and servers. However, NTLM's inherent weaknesses make it susceptible to Adversary-in-the-Middle attacks, providing a significant attack vector. This module focuses on the various NTLM relay attacks that attackers use to compromise Active Directory networks.
Hard
Path Sections 19 Sections
Reward: +100
This module focuses on privilege escalation attacks by abusing misconfigurations in Active Directory Certificate Services.
Hard
Path Sections 21 Sections
Reward: +100
Active Directory (AD) is the leading solution for organizations to provide identity and access management, centralized domain administration, authentication, and many other tasks. It is possible to connect Active Directory domains and forests via a feature called "trusts". Domain trusts can be set up for a variety of reasons such as resource sharing, centralized management, cross-forest collaboration, migration, enhanced security. With the introduction of trusts into any environment, they bring with them many inherent risks. As skilled AD pentesters we must understand how to enumerate and attack both intra-forest and cross-forest and be able to confidently explain the hardening considerations a customer needs to take into an account to mitigate some of the risk of introducing trusts into their operation environment.
Hard
Path Sections 19 Sections
Reward: +100
Active Directory is present in over 90% of corporate environments and it is the prime target for attacks. This module covers the attack chain from getting the initial foothold within a corporate environment to compromising the whole forest with Sliver C2 and other open-source tools.
Hard
Path Sections 14 Sections
Reward: +100
In this module we will cover the basics of evading antivirus solutions (Windows Defender specifically) from an attackers point-of-view.
Hard
Path Sections 19 Sections
Reward: +100
This module covers attacks targeting tightly incorporated technologies in Active Directory environments such as MSSQL, Exchange, and SCCM, and how to identify them.