Fortinet black logo

Administration Guide

Lateral movement based on Mimikatz / PTH

Copy Link
Copy Doc ID 666526c9-6f4b-11ed-8e6d-fa163e15d75b:555436
Download PDF

Lateral movement based on Mimikatz / PTH

This scenario shows a human attacker trying to compromise an internal endpoint using lateral movements based on Mimikatz / PTH.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.

The attacker looks for any powerful user in the compromised endpoint.

The attacker / APT uses an advanced tool like Mimikatz to run several attacks to extract clear text passwords from memory or Windows Credential Manager, AD Kerberos tickets, Windows local hash, and so on.

The Mimikatz tool's goal is to get administrator-level permission and run in-depth lateral movement across the network.

Attacker's toolkit:
  • Tools like Mimikatz, Meterpreter, password dump, and so on.
  • Leverage services like RDP, RPC, WMI, VNC, SSH, and WINRM for lateral movement.
Deception layer
  • Deploy Windows decoys and add them to the network Domain.

  • Add DNS A record using attractive hostnames for all domain decoys' IP addresses. Each decoy supports up to 24 IPs.

  • Use SMB deception lures that generate a fake network drive share on the endpoint that mapped front a file server decoy with fake files. The fake network drive configuration is hidden to prevent users from opening it and generating false alerts. Keep in mind that the SMB lure also inserts fake credentials to the Windows Credential Manager as well.

  • Use RDP deception lures that store saved usernames and passwords in the Windows Credential Manager that provides access to a Windows / Linux server decoy.

  • Use Cached credentials lures that inject saved usernames and passwords in the Windows memory to detect attacks using password dump like Mimikatz. Use a real domain user with IP restrictions.

Early breach detection

An attacker using fake credentials in the sRDP lure to engage with a decoy generates alerts.

An attacker engaging with a real asset using the fake username and password (in the cache credential lure) generate an alert on the SIEM solution. This requires a SIEM correlation rule.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data includes:

  • Attacker username.
    • One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    • A standard user means that the attacker / attack is in the early stage. Admin-level credentials means that the attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from the IT department.
  • Compromised IP address.
    • This is a critical indicator that points directly to the compromised host. Early detection prevents more persistent points by the attacker.
  • Malicious binary.
    • For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get more persistent and privilege access. So having malicious binary as a piece of evidence with the full binary analysis helps IOC look across the network for more compromised endpoints. You can use an IOC scanner or AV/EDR API to find the indicators across network endpoints and servers.
ECO system flow:
  • For SIEM:
    • Send alerts to your SIEM solution.
    • Create a correlation rule that creates an alert on using the fake username (cache credential lure.
  • Use your FortiGate Fabric integration to isolate the compromised endpoint from the network. FortiDeceptor offers more fabric connectors for isolation.
  • Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.

Lateral movement based on Mimikatz / PTH

This scenario shows a human attacker trying to compromise an internal endpoint using lateral movements based on Mimikatz / PTH.

Attack vector scenario

An attacker uses a phishing email to compromise the internal user and get access to an internal endpoint.

The attacker looks for any powerful user in the compromised endpoint.

The attacker / APT uses an advanced tool like Mimikatz to run several attacks to extract clear text passwords from memory or Windows Credential Manager, AD Kerberos tickets, Windows local hash, and so on.

The Mimikatz tool's goal is to get administrator-level permission and run in-depth lateral movement across the network.

Attacker's toolkit:
  • Tools like Mimikatz, Meterpreter, password dump, and so on.
  • Leverage services like RDP, RPC, WMI, VNC, SSH, and WINRM for lateral movement.
Deception layer
  • Deploy Windows decoys and add them to the network Domain.

  • Add DNS A record using attractive hostnames for all domain decoys' IP addresses. Each decoy supports up to 24 IPs.

  • Use SMB deception lures that generate a fake network drive share on the endpoint that mapped front a file server decoy with fake files. The fake network drive configuration is hidden to prevent users from opening it and generating false alerts. Keep in mind that the SMB lure also inserts fake credentials to the Windows Credential Manager as well.

  • Use RDP deception lures that store saved usernames and passwords in the Windows Credential Manager that provides access to a Windows / Linux server decoy.

  • Use Cached credentials lures that inject saved usernames and passwords in the Windows memory to detect attacks using password dump like Mimikatz. Use a real domain user with IP restrictions.

Early breach detection

An attacker using fake credentials in the sRDP lure to engage with a decoy generates alerts.

An attacker engaging with a real asset using the fake username and password (in the cache credential lure) generate an alert on the SIEM solution. This requires a SIEM correlation rule.

Alert details

The FortiDeceptor console presents the alert as a kill chain flow and presents a profile of the attacker. The alert data includes:

  • Attacker username.
    • One of the most critical indicators that provide a quick answer regarding the attacker, attack stage, and phase.
    • A standard user means that the attacker / attack is in the early stage. Admin-level credentials means that the attacker / attack is in the privilege escalation phase or the attack was directed against high profile users from the IT department.
  • Compromised IP address.
    • This is a critical indicator that points directly to the compromised host. Early detection prevents more persistent points by the attacker.
  • Malicious binary.
    • For example, if the attacker engages with a decoy over RDP, the attacker will likely use malicious code to get more persistent and privilege access. So having malicious binary as a piece of evidence with the full binary analysis helps IOC look across the network for more compromised endpoints. You can use an IOC scanner or AV/EDR API to find the indicators across network endpoints and servers.
ECO system flow:
  • For SIEM:
    • Send alerts to your SIEM solution.
    • Create a correlation rule that creates an alert on using the fake username (cache credential lure.
  • Use your FortiGate Fabric integration to isolate the compromised endpoint from the network. FortiDeceptor offers more fabric connectors for isolation.
  • Deploy more decoys on the isolated segment to keep monitoring the compromised endpoint.