Lateral Movement

Most lateral movement techniques such as PsExec, PSRemoting, DCOM, and WMIexec are detected only when they produce "abnormal traffic." If a technology is already used often by the user, for example help desk staff commonly RDPing to workstations to fix technical problems, then it is safe to use because it is considered "normal behavior."

But there are other, stealthier ways to move laterally apart from those technologies.

Over-Pass-The-Hash

Using only NTLM hashes to OPTH will be flagged by ATA as an encryption downgrade or unusual protocol implementation.

To generate Kerberos tickets that will not be flagged, supply the NTLM hash and the AES keys, and set the lifetime of the ticket to a normal value:

kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<SID> /aes128:<AES_KEY> /NTLM:<NTLM_HASH> /aes256:<AES_KEY> /endin:600 /renewmax:300 /ptt

Note that you can supply all zeroes for the aes128 key and it will not be flagged.

SQL

Moving laterally through SQL databases is not detected because no traffic goes to the DC. All SQL authentication events are local to the server. We can find passwords and hashes of a privileged user, impersonate that user, and go on from there.

Silver Tickets

Kerberoasting and Silver Tickets are a good way to move laterally: Kerberoasting blends in with regular traffic, and a silver ticket involves no communication with the DC whatsoever since it's a forged TGS.

Make sure to Kerberoast users slowly, as Kerberoasting everything at once will cause spikes of traffic which may cause alerts.

We can slowly enumerate user objects with an SPN, by OU:

Get-DomainUser -SPN -SearchBase "ldap://OU=office,DC=..."

Then perform recon on groups that have access on various targets of interest:

Get-DomainGroup -MemberIdentity <user>

And then kerberoast that target if applicable:

Get-DomainUser <user> | Get-DomainSPNTicket | fl *

Beware of honeypot SPNs. Factor in last logon, creation date, etc. to identify these types of accounts.

If we successfully crack the hash, we can then create a silver ticket:

kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<SID> /rc4:<AES_KEY> /endin:600 /renewmax:300 /service:<SERVICE> /target:<TARGET_COMPUTER> /ptt
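The warnings above about traffic spikes and honeypot SPNs correspond to two checks a defender can run over service-ticket requests (Windows Security event 4769). The following is an added example, not code from the original page and not ATA's own logic: it flags any request for a decoy SPN account and counts distinct RC4-encrypted service tickets per requester over a long window instead of watching for bursts. The record keys, account names, decoy name, and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample records (not real log data). Keys are simplified stand-ins
# for the 4769 fields TargetUserName, ServiceName and TicketEncryptionType.
SAMPLE_EVENTS = [
    {"time": "2024-05-06T09:02:11", "client": "jdoe@CORP.EXAMPLE", "service": "svc-sql01", "etype": "0x17"},
    {"time": "2024-05-06T09:05:40", "client": "asmith@CORP.EXAMPLE", "service": "FILE01$", "etype": "0x12"},
    {"time": "2024-05-06T13:47:03", "client": "jdoe@CORP.EXAMPLE", "service": "svc-web02", "etype": "0x17"},
    {"time": "2024-05-06T19:30:55", "client": "jdoe@CORP.EXAMPLE", "service": "svc-backup", "etype": "0x17"},
    {"time": "2024-05-07T02:14:20", "client": "mlee@CORP.EXAMPLE", "service": "svc-decoy", "etype": "0x12"},
    {"time": "2024-05-07T08:00:00", "client": "asmith@CORP.EXAMPLE", "service": "svc-sql01", "etype": "0x12"},
]


def is_user_service(name):
    """Kerberoasting targets user-backed SPNs, so skip machine accounts and krbtgt."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def find_roasting(events, decoys, window_hours=24, min_services=3):
    """Return (rule, client, services) findings from 4769-style records."""
    findings = []
    rc4_by_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if not is_user_service(ev["service"]):
            continue
        when = datetime.fromisoformat(ev["time"])
        # Rule 1: nothing legitimate requests a decoy SPN, so one hit is enough.
        if ev["service"].lower() in decoys:
            findings.append(("decoy-spn", ev["client"], [ev["service"]]))
        # Rule 2: collect RC4 tickets per client for the long-window count.
        if ev["etype"].lower() == RC4_HMAC:
            rc4_by_client[ev["client"]].append((when, ev["service"]))
    window = timedelta(hours=window_hours)
    for client, hits in rc4_by_client.items():
        for start, _ in hits:
            seen = sorted({s for t, s in hits if start <= t <= start + window})
            if len(seen) >= min_services:
                findings.append(("slow-rc4-roast", client, seen))
                break  # one finding per client
    return findings


if __name__ == "__main__":
    for finding in find_roasting(SAMPLE_EVENTS, decoys={"svc-decoy"}):
        print(finding)
```

The window and threshold need tuning against a baseline of legitimate RC4 service-ticket requests in the environment.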

Modification of Sensitive groups

If any of these sensitive groups are modified (for example, by adding an account or changing passwords), the change will be flagged as abnormal activity.

As a result, we can target other privileged groups like SQL admins or Help desk users.

Golden Tickets

The same logic that applies to silver tickets applies to golden tickets as well: if we only supply the NTLM hash, it will be flagged as an encryption downgrade.

To subvert this, include all AES keys. Note that if the ticket stays alive for more than 8 hours, its use is going to be flagged. So for extra stealth, create the ticket for about 20 minutes, use it, and destroy it immediately afterwards:

kerberos::golden /user:JohnVanwagoner /domain:prod.local /sid:sid /aes256:aes256 /groups:512,513,519 /startoffset:-1 /endin:2500 /renewmax:3000 /ptt 
