Open in app

Sign in

Write

Sign in

What’s Lateral Movement?

A hacking play-by-play

Jon Hencinski
6 min readNov 3, 2020

You’re about to hack Acme Corp. A fictional company that makes fictional widgets — but what you’ll learn is real. You’re going to learn the basics to become a better defender of networks.

You’re going to gain access to one computer connected to the Acme Corp network, elevate your privileges, and move to other computers on the network — laterally. Lateral movement.

Before you cast your phishing rod, review this mental model:

Access — movement — storage.

This is your playbook.

It’s go time.

The Setup

You need to gain access to the Acme Corp computer network. You’re going to phish your way in. You send an email to the Acme Corp HR team inquiring about a job opening. Your email includes a Microsoft Office document that contains a tiny piece of evil code called a “macro”. Your macro is configured to install a backdoor on any computer where it is run. No fancy exploit required — you’ll have your targets unknowingly self-install your backdoor for you. How nice of you.

Your backdoor will allow you to remotely control any infected computer. Once your backdoor runs it will “phone home” to another computer on the Internet — a command-and-control (c2) server. Are you worried about getting spotted by the Acme Corp security team? Not you. You’ve configured your backdoor to use domain fronting. By taking advantage of how content delivery networks (CDN) distribute traffic, when an infected computer talks to your c2 server it will look like legitimate network traffic. No way they’ll spot you.

Now you play the waiting game. You wait for an HR employee to open your email and run your evil macro.

Any minute now…

Still waiting…

I thought hacking would be more exciting…

Bingo!

You now have remote access to one computer within the Acme Corp network.

Access

You have remote access to a Windows 10 workstation named WORKSTATION1 on the Acme Corp network. Your backdoor allows you to remotely execute commands on WORKSTATION1. The results are then sent back to your c2 server for your review.

Let’s go.

You check which account your backdoor is operating under:

Command: whoami

Result: jake_from_acme_corp

Sorry, Jake from Acme Corp. You’ve been pwned.

You find out a little bit more about the network, aka the “domain”, WORKSTATION1 is connected to:

Command: net view /domain

Result: ACMECORP

WORKSTATION1 is joined to the “ACMECORP” domain.

Next, you list the computers that control access to the “ACMECORP” domain:

Command: nltest/dclist:ACMECORP

Result: ACMECORPDC1, ACMECORPDC2, ACMECORPDC3

These represent other computers on the “ACMECORP” domain that may contain information about those fancy widgets. You bookmark these. You’ll want to move to them later. But there’s some prep work required.

To move, you’ll need admin rights. You check the permission you have on WORKSTATION1:

Command: whoami /groups

Result: Group Name: Mandatory Label\Medium Mandatory Level

As expected. You’re not admin…yet. Your backdoor process is running in a medium integrity level. You need to elevate to a high integrity context before you can Mimikatz your way to an account with permissions to move around the network.

You check the members of the local administrators group:

Command: net localgroup “administrators”

Result: jake_from_acme_corp

Jake from Acme Corp is a member. Such a gracious host. That’s just what you need to bypass User Account Control (UAC) on WORKSTATION1 and get your backdoor process to run in a high integrity context.

You bypass UAC to execute your backdoor in a high integrity context. You double check your permissions on WORKSTATION1:

Command: whoami /groups

Result: Group Name: Mandatory Label\High Mandatory Level

You’re running in a high integrity context. Strong to quite strong.

Your backdoor allows you to upload files to Jake’s computer. You upload a copy of Mimikatz.

Before executing Mimikatz on Jake’s computer to steal Windows credentials you check to see if WDigest is enabled:

Command: reg query “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest”

Result: UseLogonCredential: 1

Success. WDigest is enabled on Jake’s computer. You’ll be able to steal plain-text equivalent passwords using Mimikatz.

You execute Mimikatz and grab plain-text passwords stored in memory. One account sticks out:

Username: bob_admin_acme

Domain: ACMECORP

Password: Summer2018!$

You immediately check to see if you can mount the C$ share on ACMECORPDC1 using this account:

net use \\ACMECORPDC1\c$ /user:bob_admin_acme Summer2018!$

It worked. The command completed successfully.

It’s unlikely you’ll find widget blueprints on a HR employee’s computer but you check anyway:

Command: dir \ /s /b | find /I “widgets”

Result: ……

Nada. You’ll need to move to other computers. You’ll need to move laterally using Bob’s admin account (bob_admin_acme).

Let’s recap where we are in our fictional hack:

You have remote access to one Windows 10 workstation within the Acme Corp network via backdoor. Your backdoor process is running in a privileged aka high integrity context AND you’ve stolen the password for Bob’s admin account that will give you rights to move to other computers on the network. Look at you go.

It’s time to move.

Movement

It’s time to move to other computers. That’s the essence of lateral movement. We’ll move to other computers using Bob’s admin account — because Bob’s account is privileged across the domain. As gracious as Jake is for letting us borrow computer CPU, his level of access won’t get us far beyond WORKSTATION1. The details about those widgets are on other computers, not the one where we landed.

From your backdoor running on WORKSTATION1 you mount the ADMIN$ share of ACMECORPDC1you’re able to do this because Bob’s admin account has the rights to do so:

net use \\ACMECORPDC1\admin$ /user:bob_admin_acme Summer2018!$

You upload a copy of your backdoor to Jake’s computer, WORKSTATION1 as a file named “backup.exe”. You then copy “backup.exe” over to the ACMECORPDC1 ADMIN$:

copy backup.exe \\ACMECORPDC1\admin$

Now it’s time for remote code execution. Authenticated of course, you’re not a savage. You remotely execute your backdoor on ACMECORPDC1 using WMI:

wmic /user:bob_admin_acme /password:Summer2018!$ /node:ACMECORPDC1 process call create “C:\windows\backup.exe”

You now have remote access to two computers within the ACMECORP domain. You gained access to WORKSTATION1 via phishing and moved laterally using a stolen admin account to deploy your backdoor on ACMECORPDC1.

It’s like the matrix up in here.

Uh-oh!

“Denied!” — Wayne Campbell

You just lost remote access to WORKSTATION1 and ACMECORPDC1. The Acme Corp. SOC spotted you when you remotely executed “C:\windows\backup.exe” via WMI. You can’t just execute files remotely on the ADMIN$ share of a Domain Controller and expect not to get caught. Milk was a bad choice, so was WMI remote process creation on a DC.

You’ll need to regroup and up your tradecraft a bit if you want a shot at getting access to info about those fancy widgets.

Google These

This fictional story was written with the intent to help new defenders understand the very basics of lateral movement. When an attacker lands in a network they’ll typically want to move to other computers, interact with internal services, issue API calls — all with the intent to complete their objectives. Remember: access — movement — storage.

Google these to continue your learning:

  • Attack vectors: You phished your way in. Noice! But there are many other ways to gain access to a computer network. What are they?
  • Domain fronting: Your backdoor was configured to use domain fronting to blend in with legitimate network traffic. So l33t! How does it work?
  • UAC: Your backdoor executed in a medium integrity level. What’s UAC and what are some common ways to bypass it?
  • WDigest: You checked to make sure WDigest was enabled on WORKSTATION1. What are you an APT? What is WDigest and what would have happened if it was disabled?
  • Mimikatz: You dumped Windows credentials like your name was Sisqo. Dumps like a…nevermind. The point is: what is Mimikatz? And why did we need to elevate to a high integrity context before we ran it?
  • C$ / ADMIN$: You mounted administrative shares like they were going out of style. But what’s C$ and what’s ADMIN$?
  • Remote code execution on Windows: Remote process creation via WMI? Google search: “authenticated remote code execution windows” and read all the things.

Leave a comment or tap the Clap button if you enjoyed this post.

Until the next one.

Cybersecurity
Hacking
Hacking For Defense

--

--

Jon Hencinski

Written by Jon Hencinski

64 Followers

Director of SecOps at @expel_io . I Tweet from time-to-time @jhencinski. Here to learn, share what I know, and help others.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams