Administration Guide

Compromised internal endpoint using lateral movement

This scenario shows a human attacker who has compromised an internal endpoint and is attempting lateral movement.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.

The attacker then explores the compromised endpoint and collects intelligence on the network before attempting any privilege escalation or lateral movement.

Attacker's possible first steps on the compromised endpoint:
  • Use network commands to understand the network environment and the endpoint location, such as getting information on critical servers and sensitive application locations.
  • Access the local / network drive to find information like sensitive files, credentials, and more. The attacker is building the lateral movement route.
  • Extract / dump saved passwords from Windows Credential Manager, the browser, or memory, whether in clear text or hashed.

Deception layer

Use SMB deception lures that generate fake network drives that front a file server decoy holding fake files. The fake network drive configuration is hidden to prevent users from opening it and generating false alerts. Keep in mind that the SMB lure also inserts fake credentials into the Windows Credential Manager.

Use RDP deception lures that store saved usernames and passwords in the Windows Credential Manager that provide access to a Windows / Linux server decoy.

Use Cached credentials lures that inject saved usernames and passwords into Windows memory to detect attacks that use password-dumping tools like Mimikatz. Use a real domain user with IP restrictions.

Early breach detection

Since most users store data on the network drive, when an attacker finds that the compromised endpoint has a local disk and network drive, the attacker will likely access the fake network drive and generate alerts.

Attackers might use a tool like Mimikatz to extract clear-text passwords. An attacker engaging with a decoy using the extracted password generates alerts.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data includes:

  • Attacker username.
    • One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    • A standard user means that the attacker / attack is in the early stage. Admin-level credentials mean that the attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from the IT department.
  • Compromised IP address.
    • This is a critical indicator that points directly to the compromised host. Early detection prevents the attacker from establishing more persistence points.
  • Data that has been accessed by the attacker.
    • To see what data an attacker wants to access and steal, one way is to deploy interesting fake data that resembles your organization's real data.
    • Another way is to deploy a decoy file server with a structure that contains at least ten fake directories that resemble your organization’s real server.
    • You can monitor what data the attacker accesses or copies to assess the attacker's goal.
  • Malicious binary.
    • For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to gain persistence and privileged access. Having the malicious binary as a piece of evidence, together with the full binary analysis, helps you look for IOCs across the network to find more compromised endpoints. You can use an IOC scanner or AV/EDR API to find the indicators across network endpoints and servers.

Ecosystem flow:
  • Send alerts to your SIEM solution.
  • Use your FortiGate Fabric integration to isolate the compromised endpoint from the network.
  • Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.
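
The following sketch is an added example, not Fortinet code or part of the original guide. It applies the alert-interpretation rules above to decoy alerts received in a SIEM: it groups alerts by compromised IP address, derives the attack stage from the username, and collects accessed data and binary hashes for an IOC sweep. The field names, account names, addresses, and sample alerts are constructed assumptions, not the FortiDeceptor export schema.

```python
from collections import defaultdict

# Constructed sample alerts. Field names are hypothetical, not the
# FortiDeceptor export schema; map them to what your SIEM receives.
ALERTS = [
    {"src_ip": "10.1.20.37", "user": "jsmith", "service": "SMB",
     "path": r"\\fs-decoy\Finance\payroll.xlsx", "sha256": None},
    {"src_ip": "10.1.20.37", "user": "svc-backup-adm", "service": "RDP",
     "path": None, "sha256": "<sha256-of-dropped-binary>"},
    {"src_ip": "10.1.31.5", "user": "mlee", "service": "SMB",
     "path": r"\\fs-decoy\HR\contracts", "sha256": None},
]

# Assumption: the site's own list of admin-level lure accounts (lowercase).
ADMIN_LURES = {"svc-backup-adm"}


def triage(alerts, admin_lures=ADMIN_LURES):
    """Group decoy alerts per compromised IP and derive the attack stage."""
    hosts = defaultdict(lambda: {"users": set(), "paths": [],
                                 "iocs": set(), "stage": "early"})
    for a in alerts:
        h = hosts[a["src_ip"]]
        h["users"].add(a["user"])
        # Admin-level credentials: privilege escalation phase, or the
        # attack was directed at high-profile IT users.
        if a["user"].lower() in admin_lures:
            h["stage"] = "privilege-escalation"
        if a.get("path"):
            h["paths"].append(a["path"])   # data the attacker went after
        if a.get("sha256"):
            h["iocs"].add(a["sha256"])     # feed to IOC scanner / EDR API
    return dict(hosts)


def isolation_queue(hosts):
    """Order hosts for isolation: escalated first, then by evidence count."""
    def rank(item):
        ip, h = item
        evidence = len(h["paths"]) + len(h["iocs"])
        return (h["stage"] != "privilege-escalation", -evidence, ip)
    return [ip for ip, _ in sorted(hosts.items(), key=rank)]


if __name__ == "__main__":
    hosts = triage(ALERTS)
    for ip in isolation_queue(hosts):
        print(ip, hosts[ip]["stage"], sorted(hosts[ip]["users"]))
```
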
