SOLVED

Mitigating Lateral Movement Attacks


As I understand it, the risk of a lateral movement attack is increased where sensitive users (e.g. domain admins) log onto the same machine as standard users (with Internet access / email access / etc.) who also have local admin access to the machine. The attack vector is that an adversary could compromise the user account and then (using their local admin permissions) harvest the domain admin ‘cached user credentials’ stored on the machine, thus facilitating further propagation across the network.


If we set the ‘previous logins cached’ to 0 for all our servers, does this remove the risk from lateral movement paths?  If there are no ‘cached user credentials’ on the server then the presence of both users with local admin access, and users with domain access shouldn’t be an issue, as an adversary wouldn’t be able to harvest any ‘cached user credentials’ – thus removing the risk from lateral movement paths (even though this would still be flagged in ATA).


This seems like a simple solution to the problem of lateral movement attacks; however, I have not seen it mentioned anywhere. Am I correct, or are there other factors negating this as a control?

5 Replies
Best Response confirmed by chrispay (New Contributor)
Solution
Hi,
Cached credentials are used to verify the authenticating user when there is no connectivity to the DC, and they are not used for lateral movement since they are only valid for the machine itself. In addition, the hash is different from those used for NTLM/Kerberos, so it won't be useful for moving laterally. Also, they're considered quite hard to reverse/break, so limiting the cached creds to 0 or 1 would only cause issues rather than help.

Thanks.  Which credentials does a lateral transfer attack use if it doesn't use the domain authenticated cached credentials?

Credentials stored in Credential manager, LSASS memory and other locations, but not cached credentials.

Thank you. That is very helpful.


Also, to clarify: the lateral movement path will identify where a sensitive user has logged onto a machine where there is a non-sensitive user who is a member of the local administrators group. AATP will also then calculate the paths to this machine.
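To make the path logic from the two answers concrete, here is an added example (not code from the thread or from AATP) that models the same rule: a local admin on a machine can reach the credentials of any account with a session on that machine, so a path is a chain of such hops ending at a sensitive account. The machine and account names are constructed placeholders, and the model deliberately has no input for CachedLogonsCount, since the accepted answer explains that cached logon verifiers play no part in these paths.

```python
from collections import deque

# Constructed sample inventory (placeholder names, not data from the thread).
SENSITIVE_ACCOUNTS = {"CORP\\da-alice"}
# machine -> accounts in its local Administrators group
LOCAL_ADMINS = {
    "WS01": {"CORP\\bob"},
    "SRV01": {"CORP\\carol"},
    "SRV02": {"CORP\\dave"},
}
# machine -> accounts with a session there (credentials in LSASS,
# Credential Manager etc., per the answer; cached verifiers are irrelevant)
LOGONS = {
    "WS01": {"CORP\\bob", "CORP\\carol"},
    "SRV01": {"CORP\\carol", "CORP\\da-alice"},
    "SRV02": {"CORP\\dave"},
}


def shortest_path_to_sensitive(start, sensitive, local_admins, logons):
    """Breadth-first search from `start`. One hop = 'start is a local admin
    on machine M, and account X has a session on M'. Returns the shortest
    path as [account, machine, account, ...] or None if no sensitive
    account is reachable."""
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        user = path[-1]
        machines = sorted(m for m, admins in local_admins.items() if user in admins)
        for machine in machines:
            for nxt in sorted(logons.get(machine, set())):
                if nxt in seen:
                    continue
                seen.add(nxt)
                hop = path + [machine, nxt]
                if nxt in sensitive:
                    return hop
                queue.append(hop)
    return None


def lateral_movement_paths(sensitive, local_admins, logons):
    """Map every non-sensitive local admin to its shortest path (if any)
    to a sensitive account; an empty dict means no path exists."""
    starts = set().union(*local_admins.values()) - sensitive
    paths = {}
    for start in sorted(starts):
        path = shortest_path_to_sensitive(start, sensitive, local_admins, logons)
        if path:
            paths[start] = path
    return paths
```

Running it on the sample shows that removing the sensitive session from SRV01 (or removing the non-sensitive admin there) clears every path, whereas the cached-logon setting never enters the calculation.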