A big portion of breaching an organization’s infrastructure involves challenging normal procedures and processes. A red team’s main purpose is to simulate adversary activities and help the security administrators understand, monitor, and remediate the threats.
As a security researcher, I’m constantly looking for new ways to simulate advanced lateral movement, sophisticated Active Directory escalation, persistence, and exfiltration. One of our recent areas of focus has been on defeating network and domain boundaries by moving laterally within the network, with a focus on pivoting from unsecured networks to isolated secure networks.
One of the most common attack methods used by all adversaries is email, mostly because of the ease of use. Phishing attacks have always been a major source of worry for organizations. Over the last year, we have witnessed more organizations and individuals targeted by phishing campaigns designed to capture an employee’s login credentials. Recently, the FBI’s Internet Crime Complaint Center (IC3) issued a warning regarding some of those threats targeting the online payroll accounts of employees in a variety of industries.
My team and I decided to dig deeper into simulating how a skilled adversary can easily pivot to a compromised network segment by abusing commonly used email applications. Many email clients are built right into modern operating systems and can potentially help facilitate lateral movement.
The techniques described here are considered as post-exploitation, which means the user account has been breached and the adversary has full control over the user’s workstation.
In many cases, adversaries use compromised account credentials to access employees’ email in order to change their bank account information, sometimes adding a malicious Outlook rule to prevent the user from receiving alerts regarding a deposit or withdraw change. There are many account breach vectors, including phishing and password spraying.
By performing a phishing campaign, the adversary can easily gain system access to a user’s workstation and can obviously control the installed mail client and all related communication. Instead of targeting users outside the organization by sending phishing emails or using cloud services to sync malicious metadata, the adversary can control all communication. Let’s take this concept one step further to see how local access to an email client advances our agenda to pivot from network to network.
Use Case 1
Many times, advanced adversaries establish an internal command and control server (commonly referred to as a C2 server) to be used as a jump server to the outside world. The jump server can act as middleware between the infected workstations and an external C2 server. The internal C2 server can also be used as a man-in-the-middle proxy or a watering hole site. The adversaries can easily manipulate all mail hyperlinks shared by the compromised user/workstation to redirect the recipients to an internal watering hole website, bypassing many of the link detection and firewall application control mechanisms.
Use Case 2
Let’s look at how we can build on top a known attack technique “fileshare infection” to pivot on an internal network using a compromised mail application. First, the adversaries must have the ability to weaponize a legitimate file. They would do this by focusing on widely used shared files by email platforms. There are many exploit options available online for free, including Office documents, PDF documents, and archive file vulnerabilities.
Now imagine what happens when a user’s workstation is compromised. We all know many users love to share documents with their colleagues through email. The attacker has gained full control over email communication and can now inject malicious code into legitimate office files. These malicious files are now shared over a legitimate mail channel, which means that the adversaries use actual email correspondence instead of faking and acting on behalf of the user. The user would then reply or create a new email message using the malicious file. The mail recipient does not suspect that anything is wrong and opens the malicious file, exploiting the responsible file application.
As collateral damage, they can dump the global address book of the company and conduct a targeted phishing campaign against high-value targets such as IT or executive management.
Use Case 3
Instead of exploiting vulnerabilities in common files as described above, an adversary can use a much stealthier technique to leak credentials in the form of NTLM hashes to an internal C2 server. Usually, this is achieved by silently forcing a file application to authenticate against the C2 server using a specific protocol such as Server Message Block (SMB). The adversary can use the C2 to relay the received authentication attempt to any network protocol supporting NTLM authentication.
Microsoft has issued an optional security enhancement (Microsoft Advisory ADV170014) that provides organizations with the ability to disable NTLM single sign-on authentication as a method for public resources. However, this method is usually inefficient for internal resource communication, and in many cases will allow an internal network boundary bypass. A much more efficient way to mitigate this threat is by forcing NTLM signing on client and servers.
All the above examples show how linking several existing techniques together can be combined into one or more complex attack flows to achieve lateral movement and pivoting inside a network. Our team has demonstrated that this approach together with scalable automation is highly efficient and can be used to gain control over critical targets in real enterprise environments.
Igal Gofman is Head of Security Research at XM Cyber. He has a proven track record in network security, research-oriented development, and threat intelligence. His research interests include network security, intrusion detection, operating systems, and Active Directory. Prior … View Full Bio