Investigating lateral movement techniques
When investigating lateral movement, the primary technique encountered is Exploitation of Remote Services [T1210]. In this technique, the threat actor combines compromised credentials with existing remote access services such as SMB and RDP to reach other systems on the same network. Vulnerabilities such as EternalBlue were widely exploited in attacks such as NotPetya, as well as by malware variants such as Trickbot.
The primary source of data that should be leveraged to identify lateral movement is NetFlow. As we saw in Chapter 9, a review of NetFlow can often reveal the use of SMB or RDP through multiple connections from one or a few machines to the rest of the network over a short period. For example, a systems administrator who is performing remote maintenance on a server within a server LAN segment will RDP to a single box, perform some of the maintenance tasks over, say, a 10- to 15-minute period, and...
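The NetFlow review described above, as an added example that is not from the book: a small Python routine over constructed NetFlow-style records that flags any source reaching many distinct hosts over SMB (445) or RDP (3389) inside a short window, while the single-server maintenance session is left alone. The record layout, addresses, window and host threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports of the remote services the chapter discusses (SMB, RDP).
LATERAL_PORTS = {445, 3389}

_T0 = datetime(2024, 1, 1, 9, 0)


def _at(minutes):
    return _T0 + timedelta(minutes=minutes)


# Constructed NetFlow-style records (not real data): (start_time, src, dst, dst_port).
SAMPLE_FLOWS = (
    # Admin maintenance: one workstation, one server, RDP, spread over 15 minutes.
    [(_at(m), "10.0.1.5", "10.0.2.10", 3389) for m in (0, 3, 6, 9, 12, 15)]
    # Ordinary HTTPS traffic from the same workstation; not a lateral-movement service.
    + [(_at(m), "10.0.1.5", "10.0.9.1", 443) for m in (1, 2, 4)]
    # Suspicious fan-out: one host opening SMB to seven servers within three minutes.
    + [(_at(20 + i * 0.5), "10.0.1.77", f"10.0.2.{10 + i}", 445) for i in range(7)]
)


def detect_fanout(flows, window=timedelta(minutes=15), min_hosts=5):
    """Return {src: sorted distinct destinations} for every source that reached
    at least `min_hosts` distinct hosts over SMB/RDP within any `window`."""
    by_src = defaultdict(list)
    for start, src, dst, port in flows:
        if port in LATERAL_PORTS:
            by_src[src].append((start, dst))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        best = set()
        counts = defaultdict(int)  # dst -> number of flows currently inside the window
        left = 0
        for t, dst in events:
            counts[dst] += 1
            # Slide the left edge forward until every event lies within `window` of t.
            while events[left][0] < t - window:
                old = events[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > len(best):
                best = set(counts)
        if len(best) >= min_hosts:
            findings[src] = sorted(best)
    return findings
```

Run against `SAMPLE_FLOWS`, only 10.0.1.77 is reported; the administrator's repeated RDP sessions to one server never exceed a single distinct destination.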