Unorthodox Lateral Movement: Stepping Away from the Standard Tradecraft
During red team operations or any other form of internal penetration test, moving from one host to another is often essential to compromise critical assets and reach the engagement’s objectives. With the advancement in Windows-based post-exploitation tradecraft and the threat reports from the most recent and impactful breaches, it is clear how crucial it is to move laterally whilst flying under the radar of blue teams and their security products.
The talk will provide insights into a variety of techniques, both new ones and revisited classics, that have proven to work and to evade most detections in highly scrutinised environments. Having a set of lateral movement techniques that are both reliable and stealthy always pays dividends in more strategic and mature engagements. In addition, detection strategies will be provided where possible, to maximise the chances of spotting these attacks in your environments.
In this talk I will present a variety of both known and unknown lateral movement techniques that can be used in a red teaming context to help the operator execute code on a remote host whilst flying under the radar of the blue team. We will also analyse ways of blocking EDR sensors from communicating back to their tenant, which helps achieve a considerable level of operational security. Detection recommendations are provided alongside the relevant IoCs to enable defenders to detect these kinds of attacks in their networks.