Fortinet black logo

Administration Guide

Lateral movement based on AD mapping

Copy Link
Copy Doc ID 5e5f427d-b811-11eb-92d0-00505692583a:393363
Download PDF

Lateral movement based on AD mapping

This scenario shows a human attacker trying to compromise an internal endpoint using lateral movements based on AD mapping.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.

The attacker uses the compromised user credentials to passively map the network and collect information without generating network noise.

The attacker uses the compromised user credentials to run LDAP queries against the AD to retrieve asset inventory since all users have read-only access on AD objects.

Leveraging the AD asset inventory saves the attacker from running active port scan mapping that generates network noise that can expose his malicious activity.

Attacker's toolkit for AD attack:
  • PS script or LDAP query command tools to extract company endpoint and server assets.
  • Analyze the hostname to find assets where the hostname reflects their role or dev / test servers that might not be protected like the rest of the network.
Deception layer

Use AD lures that register all decoys at the AD or DNS level.

Use decoy hostname features to configure attractive hostnames.

Use network connection deception lures to inject fake ARP entries and TCP connections to a fake decoy.

Early breach detection

When the attacker retrieves asset inventory from the AD and starts probing the attractive servers based on their hostname or the fake network connection, these activities generate alerts.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data includes:

  • Attacker username.
    • One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    • A standard user means that the attacker / attack is in the early stage. Admin-level credentials means that the attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from the IT department.
  • Compromised IP address.
    • This is a critical indicator that points directly to the compromised host. Early detection prevents more persistent points by the attacker.
  • Malicious binary.
    • For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get more persistent and privilege access. So having malicious binary as a piece of evidence with the full binary analysis helps IOC look across the network for more compromised endpoints. You can use an IOC scanner or AV/EDR API to find the indicators across network endpoints and servers.
ECO system flow:
  • Send alerts to your SIEM solution.
  • Use your FortiGate Fabric integration to isolate the compromised endpoint from the network.
  • Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.

Lateral movement based on AD mapping

This scenario shows a human attacker trying to compromise an internal endpoint using lateral movements based on AD mapping.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.

The attacker uses the compromised user credentials to passively map the network and collect information without generating network noise.

The attacker uses the compromised user credentials to run LDAP queries against the AD to retrieve asset inventory since all users have read-only access on AD objects.

Leveraging the AD asset inventory saves the attacker from running active port scan mapping that generates network noise that can expose his malicious activity.

Attacker's toolkit for AD attack:
  • PS script or LDAP query command tools to extract company endpoint and server assets.
  • Analyze the hostname to find assets where the hostname reflects their role or dev / test servers that might not be protected like the rest of the network.
Deception layer

Use AD lures that register all decoys at the AD or DNS level.

Use decoy hostname features to configure attractive hostnames.

Use network connection deception lures to inject fake ARP entries and TCP connections to a fake decoy.

Early breach detection

When the attacker retrieves asset inventory from the AD and starts probing the attractive servers based on their hostname or the fake network connection, these activities generate alerts.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data includes:

  • Attacker username.
    • One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    • A standard user means that the attacker / attack is in the early stage. Admin-level credentials means that the attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from the IT department.
  • Compromised IP address.
    • This is a critical indicator that points directly to the compromised host. Early detection prevents more persistent points by the attacker.
  • Malicious binary.
    • For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get more persistent and privilege access. So having malicious binary as a piece of evidence with the full binary analysis helps IOC look across the network for more compromised endpoints. You can use an IOC scanner or AV/EDR API to find the indicators across network endpoints and servers.
ECO system flow:
  • Send alerts to your SIEM solution.
  • Use your FortiGate Fabric integration to isolate the compromised endpoint from the network.
  • Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.