Threat Vectors: Leveraging Microsoft Azure ATP Lateral Movement Paths
While monitoring the traffic that enters and leaves your network, often called North-South traffic, is well understood and generally well managed, a greater and harder problem sits inside the perimeter. Monitoring the traffic that never leaves your own systems, the East-West traffic between hosts, is far more difficult.
Multiple data paths, routes, VLANs, and a plethora of interconnected devices can make it nearly impossible to keep track of all internal communications. Even where you can, knowing what to look for is a challenge in itself. Malicious traffic between users and servers can look exactly like legitimate traffic, and whether the person behind it is a deliberate attacker or a careless insider, they can wreak havoc without you being any the wiser until it’s too late. In some cases an intruder can remain dormant or resident, completely undetected, for months or years.
We focus all of our time and energy on keeping the bad guys out, but what do we do about the bad guys who are already inside? In cybersecurity terms, “Lateral Movement” is the stage of an attack where an intruder who already has a foothold, typically an ordinary user account or sometimes a service account on one machine, moves from machine to machine and account to account, harvesting credentials along the way, until they hold a privileged account.
Cybercriminals use Lateral Movement to identify and then reach the sensitive accounts and machines in your infrastructure, using the logon credentials stored or cached in objects such as accounts, groups, and computers. Once successful, an attacker can potentially reach the domain controllers, where the real goodies are kept. Scary stuff!
These attacks can be complex and diverse, so I’ll spare the detail here; just know many exist. It sounds like a losing battle, but there is a way to handle this threat to your organisation. Enter Microsoft Azure Advanced Threat Protection (ATP) and its Lateral Movement Paths (LMP).
What Is It?
Azure ATP Lateral Movement Paths are visual guides that identify how attackers can move around inside your infrastructure. In terms of the cyber kill chain, these movements are intended to leverage non-privileged accounts to gain access to privileged accounts. This, in turn, leads to control, sometimes referred to as “domain dominance”. Think of it like usurping the king or queen (and how often in technology can we use the word ‘usurp’? But I digress)
Azure ATP LMPs provide guidance in an easy-to-follow visual form for the sensitive accounts that serve as the target for compromises. With this information, you are able to prevent and mitigate risks, ideally foiling a successful attack. It is worth noting again that it’s not always about the external threat actors; often more threat actors are already present in your system than you realise. Think disgruntled staff or business partners, even those that may not be physically part of the business but still have a level of access.
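To make the idea of a path concrete, here is an added example, written for this post and not code from Azure ATP or from Microsoft. It models the core relationship the LMP graphs are built from: a non-sensitive user is a local administrator on a computer where a sensitive user has logged on (and so has credentials in memory), which hands the attacker that sensitive user’s credentials and a further hop. The inventory (computers, local Administrators membership, logon sessions, group nesting, the set of sensitive accounts) is constructed sample data; in production ATP gathers the equivalent itself.

```python
from collections import deque

# Constructed sample inventory (not data from the original post). In a real
# environment Azure ATP gathers this itself: local Administrators membership
# via SAM-R queries, and logon sessions observed in domain controller traffic.
LOCAL_ADMINS = {            # computer -> principals in its local Administrators group
    "WS01": {"alice", "Helpdesk"},
    "WS02": {"Helpdesk"},
    "SRV-FILE": {"bob"},
    "DC01": {"Domain Admins"},
}
LOGGED_ON = {               # computer -> accounts with a live session / cached credentials
    "WS01": {"alice"},
    "WS02": {"bob"},
    "SRV-FILE": {"da_admin"},
}
GROUP_MEMBERS = {           # group -> members (users or nested groups)
    "Helpdesk": {"alice", "carol"},
    "Domain Admins": {"da_admin"},
}
SENSITIVE = {"da_admin"}    # accounts tagged Sensitive (here: the Domain Admins member)


def expand_group(principal, seen=None):
    """Resolve a principal to the set of user accounts it ultimately contains."""
    if principal not in GROUP_MEMBERS:  # a plain user account
        return {principal}
    seen = set() if seen is None else seen
    if principal in seen:               # guard against nested-group cycles
        return set()
    seen.add(principal)
    users = set()
    for member in GROUP_MEMBERS[principal]:
        users |= expand_group(member, seen)
    return users


def effective_admins(computer):
    """Users who are local admin on `computer`, directly or through group nesting."""
    users = set()
    for principal in LOCAL_ADMINS.get(computer, ()):
        users |= expand_group(principal)
    return users


def find_lateral_movement_paths(start_user):
    """Breadth-first search over alternating edges:
         user --(is local admin on)--> computer --(holds credentials of)--> user
    Returns {sensitive_account: shortest path} for every sensitive account
    reachable from start_user."""
    paths = {}
    visited = {start_user}
    queue = deque([[start_user]])
    while queue:
        path = queue.popleft()
        user = path[-1]
        for computer in LOCAL_ADMINS:
            if computer in visited or user not in effective_admins(computer):
                continue
            visited.add(computer)
            for exposed in LOGGED_ON.get(computer, ()):
                if exposed in visited:
                    continue
                visited.add(exposed)
                new_path = path + [computer, exposed]
                if exposed in SENSITIVE:
                    paths[exposed] = new_path      # goal reached, stop extending
                else:
                    queue.append(new_path)         # keep hopping
    return paths


def accounts_with_paths():
    """Non-sensitive accounts from which at least one sensitive account is reachable."""
    users = set()
    for computer in LOCAL_ADMINS:
        users |= effective_admins(computer)
    for sessions in LOGGED_ON.values():
        users |= sessions
    return {u for u in users - SENSITIVE if find_lateral_movement_paths(u)}


if __name__ == "__main__":
    for user in sorted(accounts_with_paths()):
        for target, path in find_lateral_movement_paths(user).items():
            print(f"{user} -> {target}: " + " -> ".join(path))
```

Running it shows that alice (and carol, through the nested Helpdesk group) can reach da_admin in two hops: admin on WS02, where bob has a session; bob is admin on SRV-FILE, where da_admin has logged on. Nothing in that chain is a vulnerability in the usual sense; it is purely a consequence of who is admin where and who logs on where, which is exactly why these paths are so easy to create by accident and so cheap to remove (take bob out of the SRV-FILE Administrators group, or stop da_admin logging on to it, and the path disappears).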
The methods to achieve this compromise are numerous, but the most common ones I have encountered tend to be credential theft and “Pass The Ticket”. Credential theft may be a bit more straightforward to understand because it means somehow acquiring elevated credentials from stored, shared, or cached locations.
Pass The Ticket is less well understood. Windows keeps Kerberos tickets in the memory of the LSASS process on every machine a user has authenticated to, and an attacker with administrative rights on such a machine can extract another user’s Ticket Granting Ticket (TGT), or an individual service ticket, and inject it into a session on a different system. From there the stolen TGT can be used to request Kerberos service tickets (TGS) and access network resources as that user. Unlike a “Pass The Hash” attack, where the stolen NTLM hash stays valid until the password is changed, a Pass The Ticket attack is only valid for the remaining lifetime of the ticket: a TGT lasts 10 hours by default and can be renewed for up to 7 days. But hey, once you’re in, you’re in and you can create your own access. Common tools used for this exploit include Mimikatz and Rubeus and I’ll avoid explaining these in detail here.
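Azure ATP raises its own Pass The Ticket alert from network traffic, when it sees the same ticket presented from two different computers. If you also collect domain controller Security logs, a much cruder heuristic can be run over them, shown below as an added example (my own illustration for this post, not Azure ATP’s logic). The idea: a service ticket request (event 4769) for an account from a client that never requested a TGT (event 4768) for that account, or did so longer ago than the TGT lifetime without a renewal (4770), suggests the ticket arrived on that client some other way. The event list is constructed sample data with only the fields the heuristic needs.

```python
from datetime import datetime, timedelta

# Default maximum TGT lifetime in an AD domain
# (Kerberos policy "Maximum lifetime for user ticket").
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample of Kerberos audit events from domain controller Security
# logs (not data from the original post). 4768 = TGT requested, 4769 = service
# ticket requested, 4770 = ticket renewed. Fields are reduced to what is needed.
SAMPLE_EVENTS = [
    {"time": "2019-05-01T08:00:00", "id": 4768, "account": "alice", "ip": "10.0.0.11"},
    {"time": "2019-05-01T08:00:05", "id": 4769, "account": "alice", "ip": "10.0.0.11", "service": "cifs/SRV-FILE"},
    {"time": "2019-05-01T07:00:00", "id": 4768, "account": "da_admin", "ip": "10.0.0.50"},
    {"time": "2019-05-01T07:00:10", "id": 4769, "account": "da_admin", "ip": "10.0.0.50", "service": "ldap/DC01"},
    # da_admin's ticket used from alice's workstation, which never requested a TGT for da_admin
    {"time": "2019-05-01T13:30:00", "id": 4769, "account": "da_admin", "ip": "10.0.0.11", "service": "cifs/DC01"},
    # service ticket 11.5 h after the only TGT request from this client, with no renewal seen
    {"time": "2019-05-01T18:30:00", "id": 4769, "account": "da_admin", "ip": "10.0.0.50", "service": "ldap/DC01"},
]


def detect_pass_the_ticket(events, lifetime=TGT_LIFETIME):
    """Heuristic: flag a 4769 for which this client never obtained (or renewed) a
    TGT for that account within `lifetime`. Returns (account, ip, time, reason)."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    last_tgt = {}       # (account, client ip) -> time of most recent 4768 / 4770
    findings = []
    for e in ordered:
        when = datetime.fromisoformat(e["time"])
        key = (e["account"], e["ip"])
        if e["id"] in (4768, 4770):
            last_tgt[key] = when                   # TGT issued or renewed: window restarts
        elif e["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None:
                findings.append((e["account"], e["ip"], when,
                                 "service ticket without any TGT request from this client"))
            elif when - issued > lifetime:
                findings.append((e["account"], e["ip"], when,
                                 "service ticket after the TGT should have expired"))
    return findings


if __name__ == "__main__":
    for account, ip, when, reason in detect_pass_the_ticket(SAMPLE_EVENTS):
        print(f"{when:%Y-%m-%d %H:%M} {account}@{ip}: {reason}")
```

On the sample this flags da_admin twice and leaves alice alone. Treat the output as a lead, not a verdict: the 4768 may have been logged by a different DC whose log you are not collecting, VPN and NAT pools make the client IP unreliable, and clock skew between DCs shifts the window. Feed it events from every DC and tune the lifetime to your domain’s Kerberos policy before trusting it.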
ATP LMPs sniff out these potential attack vectors so you can take the appropriate actions. To use them you need a license that includes Azure ATP, such as the Enterprise Mobility + Security E5 suite (EMS E5); it is also available as a standalone license. (Microsoft has since renamed the product Microsoft Defender for Identity; the concepts described here are unchanged.) If you have any questions on getting ATP, please reach out to us any time.
Where Do I Start?
With regards to Lateral Movement Paths, the best place to start is to conduct an investigation into potential LMPs. This is followed by discovering sensitive accounts that may be at risk and then reviewing the reports. It’s a fairly straightforward process but if you’re unsure, be sure to get some help.
The activities are performed from within the Azure ATP portal (which is separate from the Azure management portal, but still entirely inside your own Microsoft ecosystem). Search for the user or computer object you are interested in; the entity profile can then be explored by path or by activity. If the entity shows a lateral movement badge, ATP has already determined that it is part of a potential LMP within the last 48 hours, which is the window the live view covers; the “Sensitive” tag is a separate marker and simply means the account is one of the high-value targets ATP watches. At the very bottom of the profile you should find a “LATERAL MOVEMENT PATHS” tab to explore.
This tab shows whether there are LMPs to the object. If there is no data, no LMP has been seen in the last 48 hours, but do change the date range to investigate, because an LMP may have existed earlier and I’d like to be comfortable knowing whether it could reappear, or whether it has already been dealt with. The graphs are a “follow the bouncing ball” visualisation of an attack vector to sensitive assets; no more sifting through thousands of lines in log files and trying to draw conclusions on your own!
You may be thinking that you have to do this one by one for each sensitive object but fortunately, Microsoft is already a step ahead. From the ATP portal you can generate a report covering the last 60 days. Under “Lateral movement paths to sensitive accounts”, if there are no potential LMPs the report is greyed out (which universally means “Not Available”). If there are potential LMPs, the report pre-selects the first date on which relevant data appeared and provides data from there, up to 60 days.
The report can be scheduled, so if you’re like me and want to keep current but without having to go digging every time, scheduling a report might be your best option. Now that you’re started and can find LMPs and sensitive objects, what do we do next?
How Do I Make It Work?
Once you’ve run a discovery process, every computer or user object discovered by Azure ATP to be part of an LMP will have an extra tab for lateral movement. If there are devices that do not have this tab, they’re not considered in the scope of a potential LMP. That part is fairly easy. Azure ATP will keep this up to date so you’re always working with the most current information. You can search, drill down into the objects and view graphs, and generate reports (and I’m hoping you’ve set up scheduled reports as well).
Once you receive an alert in the timeline, you’ll want to drill down into the entity involved and explore some of its parameters so you can figure out what happened and what to do about it. These include checking the entity profile and tags, checking the user account control flags, and cross-checking with Windows Defender ATP (I’ll cover Defender in another blog). From there you can monitor sensitive objects, review the potential LMPs, and check the “honeytoken” status. A “honeytoken” here is a decoy account rather than a decoy computer: a real but dormant Active Directory account that no person or service should ever use, tagged in ATP so that any authentication against it raises an alert. It exists to catch abuse, not to monitor legitimate use, and it leaves a clean forensic trail of how an attacker went about using a credential they found. More on that in another blog.
Entity Profile: This gives you a detailed page designed for full deep-dive investigation of objects (such as users, computers, devices, and their associated resources and historical access data). This uses the new Azure ATP logical activity translator that examines activities occurring (and even aggregates it up to a minute), grouping the details into a single logical activity for better understanding of actual activities. Less legwork on your part is always welcome.
Entity Tags: Azure ATP leverages Active Directory tags to provide a single interface for monitoring your AD objects. These give helpful information on its AD status such as Partial (some attributes available), Unresolved (doesn’t look to be a valid object), Deleted, Disabled, Locked, Expired, and New (all self-explanatory but “New” usually means less than a month old)
Control Flags: Also imported from AD, these are the user account control (UAC) flags that help us investigate the entity. Some of the useful ones include “Password Never Expires”, “Empty Password Allowed”, and “Plain Text Password Stored” (the account stores its password with reversible encryption). The display highlights the flags set on the entity. Personally, I tend to go looking at how well the account is maintained, so issues around passwords are a big one for me.
Windows Defender ATP: This is a nice piece of correlation data to see whether the entity has any corresponding Windows Defender ATP alerts, which helps paint the picture more clearly.
Monitor Sensitive Objects: This is where certain object types are considered sensitive and ATP allows you to keep a closer watch of them. These include operators, administrators (especially domain and enterprise), power users, domain controllers, and more. Of course, if there are items you consider sensitive, you can manually tag them as well.
Review LMPs: This is what it’s all about, folks. If an LMP exists for an entity, in the profile page you can access the LMP tab. The diagram provides a map of possible paths to your sensitive object.
Honeytokens: It’s important to understand which objects are honeytokens. Ideally, you would have tagged these objects as such so you don’t mistakenly treat it as a real sensitive object, but rather as a way to investigate the way one would have been accessed and abused. I don’t care if someone screams “entrapment”, the rules are the rules and they’re only mad because they got caught!
The most common pitfalls tend to be the very things lateral movement exploits, which are also the things we rely on to do our jobs. Using a regular user account that carries elevated privileges, or logging on to ordinary workstations with an administrator account, may seem like a time-saver, but it leaves privileged credentials in memory on machines that less privileged users administer, and that is exactly the kind of path the LMPs will pick up and flag as a risk.
The best mitigation here is to make sure that sensitive users only use their administrator credentials when logging in to hardened, dedicated administrative computers. Separate accounts are the best fix: one for daily work and one for administration, with the privileged account never used for tasks not directly related to system administration. Be extra careful around shared computers, where one exposed credential can be harvested by anyone who holds local admin rights on the box.
I’d also recommend that you verify that your users do not have unnecessary administrative permissions. When it comes to shared groups, check if everyone actually requires elevated privileges. Don’t give access unless it is absolutely required, and never just because of their position. High-value targets like C-level executives with admin rights are very high on the priority lists of cybercriminals.
Something else to watch for is that when there are no potential LMPs detected for an entity in the last 48 hours, modify the date range to get a broader overview of previous potential LMPs. The LMP reports are always available if LMPs were previously discovered and give information about potential LMPs to sensitive users.
And make sure you allow Azure ATP to actually do the work it needs to. It discovers who is a local administrator on each endpoint by querying the Security Account Manager over the network (the SAM-R protocol) with its Directory Service account, so that account must be permitted by the “Network access: Restrict clients allowed to make remote calls to SAM” policy on your workstations and servers (recent Windows versions restrict remote SAM queries by default). Without that, the LMP detections will be incomplete. It’s pretty easy to think you have no problems when none are recorded, but I’d expect in nearly every case to find at least several LMPs.
Ghosts in the Machine?
The ghosts in the machine to be concerned about are the ones that you’ll discover using this service. What I have found while investigating security alerts (a common one is Remote Code Execution) is that if the alert is a true positive, the network may already be compromised. At least the LMPs give me the forensics to indicate where the attacker gained the elevated privileges, what path they used to compromise your network, and crucially, how to remediate the issue.
While all of these insights are great in trying to prevent the next attack and remediate issues, you need to actually do something with the information. Be sure to review all of the LMP information presented and to do so on a regular basis, including the reports. You’ll often find that you have many of the required pieces in place to make the necessary remediation.
Most of all, don’t hesitate to ask for help when you need it; we’re always happy to help!
Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through Shutterstock