From time to time, even if we are now in 2015, I find people that do not truly believe in cyber attacks having confused ideas on how cyber attackers do their job. So, even if what I am writing is wellknown for most of you, I want to briefly describe a romantic process behind current cyber attacks to public and/or private infrastructures (Not SCADA based).
The following image, borrowed from CERT-EU-SWP, shows a tipycal atack flow in 2014/2015. The attacker performs the designed initial attack phase (step 1) by compromising the victim’s machine (nowadays the most frequent “phase one” are implemented through: Exploiting, Spear-Phishing or Watering hole, etc..).
From: CERT-EU-SWP Protection from Kerberos Golden Ticket
Once the attacker has succesfuly compromised the victim’s machine (which often, but not always, means to have direct access to that machine) he/she needs to escalate local privileges (2) in order to proceed with horizontal propagation (phase 4). Several known techniques are available to escalate local privileges such as: Expoiting local vulnerabilityes, 0Days, Dumping SAM File, Hidden Passwords, Weak Permissions on Processes, DLL Preloading, Writing permission on Win32, Windows Services running as system, Window AT commands, etc…
Horizontal propagation is one of the most exiting phase for the attacker since he/she can explore, for the first time ever (assuming a complete black box attack), the victim network trying to tamper with horizontal attack tecniques the entire targeted network.
Note: some attackers prefer to penetrate neighbors machines through a generic exploiting process, other attackers prefer to use network tricks to compromise the attacked network comunication and some other attackers prefer to own network infrastructures (such as: router, smart switch, dns, dhcps, etcs) before end point machines.
Based on my personal experience the most expedient way to perform horizontal propagation is through the “pass-the-hash” technique (or “pass-the-tickets” in case of Kerberos) [here, here]. In order to reach the horizontal propagation (phase 4) the attacker needs to harvest hashes or Tickets (deending on targeted infrastructure). Harvesting hashes is a relative simple phase that could be reached by searching for logged in user accounts, looking for services (applications) hosting a password or to wait/force a remote user to log in. Thanks to the pass-the-hash technique attackers could assure persistent access to target network having a continuos and unlimited access to target enviroment. The described process is by far the most used attacking process implemented so far but is not the only one. No contermeasures will be discussed on this “blog post”, only the romantic cyber attack proces. :]