The adversary is trying to move through your environment.

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Techniques: 9

ID Name Description
T1210 Exploitation of Remote Services: Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is lateral movement to enable access to a remote system.
T1534 Internal Spearphishing: Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is a multi-staged campaign in which an email account is owned either by controlling the user's device with previously installed malware or by compromising the user's account credentials. Adversaries take advantage of a trusted internal account to increase the likelihood that the target falls for the phish.
T1570 Lateral Tool Transfer: Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., Ingress Tool Transfer), files may then be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files between internal victim systems to support lateral movement using inherent file sharing protocols, such as file sharing over SMB/Windows Admin Shares to connected network shares, or with authenticated connections via Remote Desktop Protocol.
T1563 Remote Service Session Hijacking: Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session is established that allows them to maintain a continuous interaction with that service.
  T1563.001 SSH Hijacking: Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating with a password, a certificate, or an asymmetric key pair.
  T1563.002 RDP Hijacking: Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).
T1021 Remote Services: Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.
  T1021.001 Remote Desktop Protocol: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
  T1021.002 SMB/Windows Admin Shares: Adversaries may use Valid Accounts to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
  T1021.003 Distributed Component Object Model: Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
  T1021.004 SSH: Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
  T1021.005 VNC: Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB ("remote framebuffer") protocol to enable users to remotely control another computer's display by relaying the screen, mouse, and keyboard inputs over the network.
  T1021.006 Windows Remote Management: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
  T1021.007 Cloud Services: Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchronized with or federated to on-premises user identities. The adversary may then perform management actions or access cloud-hosted resources as the logged-on user.
T1091 Replication Through Removable Media: Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
T1072 Software Deployment Tools: Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).
T1080 Taint Shared Content: Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
T1550 Use Alternate Authentication Material: Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.
  T1550.001 Application Access Token: Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users or services and used in lieu of login credentials.
  T1550.002 Pass the Hash: Adversaries may "pass the hash" using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user's cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.
  T1550.003 Pass the Ticket: Adversaries may "pass the ticket" using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account's password. Kerberos authentication can be used as the first step to lateral movement to a remote system.
  T1550.004 Web Session Cookie: Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.
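The Web Session Cookie entry notes that a stolen cookie bypasses multi-factor authentication because the session is already authenticated; the server-side counter is to make the cookie worth less than the session it names. The following is an added example (not code from MITRE ATT&CK or any framework) of a framework-free session store that binds each session to a fingerprint of the client context (here the /24 of the source address plus the User-Agent, a hypothetical choice) and to idle and absolute lifetimes, and that revokes the session outright when a cookie is presented from a different context. The request values, clock and identifiers in demo() are constructed.

```python
"""Server-side defence against replay of a stolen web session cookie (T1550.004).

Added example, not MITRE's code. The fingerprint fields and timeouts are
assumptions for the example, not a standard.
"""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60         # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600    # hard cap regardless of activity


def fingerprint(ip, user_agent):
    # /24 prefix rather than the full address so a laptop that changes DHCP lease
    # on the same office network is not logged out; still distinguishes an
    # attacker replaying the cookie from outside that network.
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(("%s|%s" % (prefix, user_agent)).encode()).hexdigest()


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}      # sid -> {"user", "fp", "created", "last_seen"}
        self.audit = []         # (event, sid, user, reason) for the SIEM

    def create(self, user, ip, user_agent):
        """Issue a fresh random session ID bound to the client context."""
        sid = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[sid] = {"user": user, "fp": fingerprint(ip, user_agent),
                              "created": now, "last_seen": now}
        return sid

    def validate(self, sid, ip, user_agent):
        """Return the user for a valid cookie, or None after revoking the session."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        reason = None
        if not hmac.compare_digest(s["fp"], fingerprint(ip, user_agent)):
            reason = "context mismatch (possible stolen cookie)"
        elif now - s["last_seen"] > IDLE_TIMEOUT:
            reason = "idle timeout"
        elif now - s["created"] > ABSOLUTE_TIMEOUT:
            reason = "absolute timeout"
        if reason:
            # Revoke rather than just deny: the legitimate user is forced back
            # through login and MFA, which is the control the thief bypassed.
            self.sessions.pop(sid)
            self.audit.append(("revoked", sid, s["user"], reason))
            return None
        s["last_seen"] = now
        return s["user"]


def demo():
    """Victim logs in, attacker replays the cookie from outside, victim is logged out too."""
    clock = [1_700_000_000.0]                     # constructed, controllable time source
    store = SessionStore(clock=lambda: clock[0])
    ua = "Mozilla/5.0 (Windows NT 10.0)"
    sid = store.create("jdoe", "10.0.0.5", ua)
    own = store.validate(sid, "10.0.0.5", ua)          # victim's own next request
    clock[0] += 60
    stolen = store.validate(sid, "203.0.113.7", ua)    # same cookie from an outside address
    after = store.validate(sid, "10.0.0.5", ua)        # victim's session is now gone
    return own, stolen, after, store.audit[-1][3]


if __name__ == "__main__":
    print(demo())
```

Context binding is a heuristic, not a guarantee: an attacker proxying through the victim's own network, or a corporate egress where every user shares one address, defeats the IP half of it. The parts that hold regardless are the short lifetimes, revoking every session of an account on password change or MFA re-enrollment, and rotating the session ID after any privilege change, so that a cookie captured before login is not the one that carries the authenticated session.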