Microsoft Defender for Identity | Lateral Movement
Lateral movement is an attack technique for gaining access to sensitive accounts (privilege escalation) through a chain of different accounts and endpoints, ultimately achieving domain dominance (an account with Domain Admins permissions).
Example:
1. User (non-sensitive account) receives an e-mail with malware and opens the e-mail and its attachment
2. User's computer is compromised and the hacker has access to it (enumeration is performed to gather information on computer, user, and group accounts)
3. Hacker gains access to the helpdesk computer (the same local administrator password is used on both computers)
4. Helpdesk (sensitive account) credentials are stored in the cache (Credential Manager)
5. Hacker gains access to the management server (where an admin is logged on) via the helpdesk account's permissions
6. Hacker has gained domain admin permissions
Microsoft Defender for Identity
Microsoft Defender for Identity (previously called Azure ATP) is Microsoft's security solution for anomaly detection in on-premises Active Directory. Anomaly detection requires a baseline; the learning period is 1–4 weeks depending on the detection type.
Lateral Movement Attack example
The LSASS (Local Security Authority Subsystem Service) process can be dumped via the Task Manager to extract credentials.
Microsoft Defender for Endpoint (previously called Microsoft Defender ATP) and Microsoft 365 Defender (previously called Microsoft Threat Protection) will detect the LSASS dump method, but the dump file is still saved to disk.
Mimikatz can be used to read the .DMP file (remotely) or to 'steal' cached or logged-on credentials directly on a computer.
Lateral Movement Alert
The lateral movement alerts do not require a learning period. The lateral movement (MITRE ATT&CK tactic ID TA0008) alerts are based on the techniques used:
· Remote code execution over DNS
· Suspected identity theft (pass-the-hash) -> see the example above
· Suspected identity theft (pass-the-ticket)
· Suspected NTLM authentication tampering
· Suspected NTLM relay attack (Exchange account)
· Suspected overpass-the-hash attack (Kerberos)
· Suspected rogue Kerberos certificate usage
· Suspected SMB packet manipulation
Windows Defender Credential Guard can be used to protect against credential theft attack techniques.
Lateral Movement Paths
Microsoft Defender for Identity has a feature called Lateral Movement Paths (LMPs). LMPs are visual paths from non-sensitive accounts and/or computers to sensitive accounts (a 'BloodHound light'). Sensitive accounts can be added via the Entity tags option (all accounts that are members of any type of admin group are marked as sensitive).
In the example above, the non-sensitive user is local administrator on the non-sensitive computer where the sensitive user's credentials are stored or where the sensitive user is logged on. Each LMP is visible for 48 hours after discovery.
Preventive measures:
- Separation of duties (separate user and admin account)
- Least privilege (only permissions required for the function)
- The use of a Privileged Access Workstation (PAW)
Microsoft Cloud App Security
Microsoft Defender for CASB ;-) just kidding, Microsoft Cloud App Security (MCAS) is the unified SecOps portal where all Microsoft 365 E5 identity-related alerts are
The ‘lateral movement path’ feature is also available in MCAS (Investigate -> Identity security posture -> Reduce lateral movement path risk to sensitive entities).
The sensitive account(s) are presented with the riskiest (read: most available) lateral movement paths plus the remediation steps (e.g. Remove local administrator permissions for 'non-sensitive user' from 'non-sensitive computer').
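As an added example (not code from the blog post or from Microsoft Defender for Identity/MCAS), the following Python script computes lateral movement paths the way the LMP feature and the MCAS remediation step describe them: an account that is local administrator on a computer holding another account's cached or logged-on credentials, chained until a sensitive (admin-group) account is reached. All account and computer names are constructed sample data modelled on the blog's example.

```python
from collections import deque

# Constructed sample directory data (hypothetical names, not from the blog).
SENSITIVE = {"helpdesk", "admin"}        # members of admin groups (Entity tags)
LOCAL_ADMIN = {                            # account -> computers where it is local admin
    "user": {"user-pc", "helpdesk-pc"},    # same local admin password reused
    "helpdesk": {"mgmt-srv"},
    "admin": {"mgmt-srv"},
}
CREDENTIALS_ON = {                         # computer -> accounts logged on / cached there
    "helpdesk-pc": {"helpdesk"},
    "mgmt-srv": {"admin"},
}


def lateral_movement_paths(start, sensitive=SENSITIVE,
                           local_admin=LOCAL_ADMIN, creds_on=CREDENTIALS_ON):
    """Breadth-first search over account -> computer -> account hops.

    One hop: the current account is local admin on a computer, and that computer
    holds (cached or logged-on) credentials of another account. Returns the
    shortest path to every sensitive account reachable from `start`, each path
    alternating account, computer, account, ..., sensitive account.
    """
    paths = []
    queue = deque([(start, [start])])
    seen = {start}                         # first (shortest) path per account wins
    while queue:
        account, path = queue.popleft()
        for computer in sorted(local_admin.get(account, ())):
            for victim in sorted(creds_on.get(computer, ())):
                if victim in seen:
                    continue
                seen.add(victim)
                new_path = path + [computer, victim]
                if victim in sensitive:
                    paths.append(new_path)
                queue.append((victim, new_path))   # keep chaining past the victim
    return paths


def remediation(path):
    """Remediation step for a path: break its first local-admin hop."""
    return f"Remove local administrator permissions for '{path[0]}' from '{path[1]}'"


if __name__ == "__main__":
    for p in lateral_movement_paths("user"):
        print(" -> ".join(p), "|", remediation(p))
```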
I hope this blog gives a basic understanding of the different lateral movement mitigation (reactive alerts and pro-active LMPs) solutions in Active Directory attacks.