During network authentication, reusable credentials are not sent to the remote system. Network Logon (Type 3): Network logons occur when an account authenticates to a remote system/service.Without diving too deep into Windows authentication, access tokens reference logon sessions which is what’s created when a user logs into Windows. In another way, it contains your identity and states what you can and can’t use on the system. Every process executed on behalf of this user has a copy of this access token. When a user’s credentials are authenticated, the system produces an access token. When a user logs on, the system verifies the user’s password by comparing it with information stored in a security database. The information in a token includes the identity and privileges of the user account associated with the process or thread. Access Token : Per Microsoft’s documentation: An access token is an object that describes the security context of a process or thread.Similar to how a port can listen for connections, a named pipe can also listen for requests. Named Pipe : A way that processes communicate with each other via SMB (TCP 445).
There’s several different lateral movement techniques out there and I’ll try to cover the big ones and how they work from a high level overview, but before doing covering the methods, let’s clarify a few terms. In addition, I understand not everyone has Cobalt Strike, so Meterpreter is also referenced in most examples, but the techniques are universal. I’ll be referencing some Cobalt Strike syntax throughout this post, as it’s what we primarily use for C2, however Cobalt Strike’s built-in lateral movement techniques are quite noisy and not very OpSec friendly.
The purpose is of this blog post is to not only show the techniques, but to show what is happening under the hood and any high-level indicators associated with them. hiding in plain sight to avoid detection. The difficulty with lateral movement is doing it with good operational security (OpSec) which means generating the least amount of logs as possible, or generating logs that look normal, i.e.
The problem with this is that offensive PowerShell is not a new concept anymore and even moderately mature shops will detect on it and shut it down quickly, or any half decent AV product will kill it before a malicious command is ran. Penetration testers and red teamers alike commonly used to accomplish this by executing powershell.exe to run a base64 encoded command on the remote host, which would return a beacon.
Lateral movement is the process of moving from one compromised host to another.
0 kommentar(er)
