
Lateral Movement - How attackers spread through the network

Lateral movement describes an attacker’s propagation after gaining initial access: pass-the-hash, pass-the-ticket, kerberoasting, overpass-the-hash, golden/silver ticket, DCSync. MITRE ATT&CK: TA0008. Tools: BloodHound (path analysis), Impacket, CrackMapExec, Cobalt Strike. Countermeasures: Network segmentation, Credential Guard, Protected Users Group, LAPS, tiered model, Privileged Access Management (PAM).

Lateral Movement is the most critical stage of an attack after initial access: this is where it is decided whether one compromised laptop ends as an isolated incident or as the complete compromise of Active Directory.

Credential-based techniques

Pass-the-Hash (PtH)

The attacker steals a user's NTLM hash (from LSASS memory via Mimikatz, which requires local administrator or SYSTEM rights on the compromised host) and uses it directly to authenticate; the cleartext password is never needed. Works against every service that accepts NTLM authentication (SMB, WinRM, etc.).

# Mimikatz: dump hashes from LSASS (on the compromised system, needs local admin/SYSTEM):
privilege::debug
sekurlsa::logonpasswords

# CrackMapExec: PtH lateral movement, spraying the hash across a subnet:
cme smb 192.168.1.0/24 -u Administrator -H NTLM_HASH_HERE
# → Which machines accept this hash? "Pwn3d!" marks hosts where the account is a local admin
# add --local-auth when the hash belongs to a local (non-domain) Administrator account

Countermeasures:

  • Credential Guard (Windows 10/11): isolates LSASS secrets in a virtualization-based container, so Mimikatz cannot read NTLM hashes or Kerberos keys from memory
  • Protected Users group: members cannot authenticate with NTLM at all, so their hashes are useless even if obtained
  • LAPS: a unique local administrator password per machine, so one local admin hash does not open every workstation
  • Network segmentation: block SMB (TCP 445) between workstations; workstations only need to talk to servers

Pass-the-Ticket (PtT)

Kerberos tickets (TGT or service ticket) are extracted from memory and used for authentication on other systems. Advantage: neither password knowledge nor hash extraction is required.

# Mimikatz: export all tickets from memory (needs privilege::debug first) and import one:
sekurlsa::tickets /export
kerberos::ptt Ticket_File.kirbi
# → subsequent Kerberos authentications from this session use the injected ticket (klist shows it)

Countermeasures:

  • Protected Users group: no Kerberos delegation, no RC4/DES, and a TGT lifetime of 4 hours instead of 10
  • Shorter ticket lifetimes (default: 10-hour TGT, renewable for 7 days) limit how long a stolen ticket stays usable

Kerberoasting

Service accounts with an SPN (Service Principal Name) are the targets. Any authenticated domain user can request a service ticket for any SPN; the DC issues it without checking whether the requester is allowed to use the service. The ticket's encrypted part is protected with a key derived from the service account's password (for RC4, that key is the NT hash itself), so the ticket can be taken offline and cracked by guessing passwords until its checksum verifies.

# Impacket: request a service ticket for every SPN in the domain and print them in hashcat format
GetUserSPNs.py domain.local/user:password -dc-ip 192.168.1.10 -request

# Hashcat: offline cracking. Mode 13100 = RC4 tickets ($krb5tgs$23$); 19600 = AES128, 19700 = AES256
hashcat -m 13100 -a 0 hashes.txt wordlists/rockyou.txt

Countermeasures:

  • Managed Service Accounts (gMSA/MSA): 240-character random passwords rotated automatically by AD
  • Long random passwords (25+ characters) for service accounts that cannot be gMSAs
  • Enforce AES (msDS-SupportedEncryptionTypes) and disable RC4: AES tickets are still crackable, but far more slowly, because each guess costs a PBKDF2 key derivation
  • Regularly query LDAP for all accounts with an SPN (servicePrincipalName=*) and audit their password age and group memberships

AS-REP Roasting

Accounts with the flag "Do not require Kerberos preauthentication" are vulnerable. For such an account the DC answers an AS-REQ with an AS-REP whose encrypted part is protected with the account's password-derived key, without the requester proving anything first. An attacker therefore needs no valid credentials, only a list of usernames, to collect crackable material.

# Impacket: AS-REP Roasting without credentials (only a list of usernames), output in hashcat format
GetNPUsers.py domain.local/ -dc-ip 192.168.1.10 -no-pass -usersfile users.txt -format hashcat -outputfile asrep.txt
# Crack offline with hashcat -m 18200

Countermeasures:

  • NEVER disable preauthentication (unless a legacy system demands it; then give that account a long random password)
  • PowerShell: identify all vulnerable accounts:
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth | Select-Object SamAccountName, Enabled

Token and Ticket Manipulation

Overpass-the-Hash

Combination of PtH and PtT: a stolen NTLM hash (or AES key) is used to request a genuine Kerberos TGT from the DC, so the attacker ends up with full Kerberos authentication as the victim without ever sending NTLM to the target.

# Mimikatz (one line): start a process whose logon session obtains a TGT with the stolen hash
sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:HASH /run:powershell.exe
# /aes256:KEY instead of /ntlm: requests the TGT with AES, avoiding the RC4 (etype 0x17) AS-REQ that stands out in an AES-only domain

Golden Ticket (most dangerous attack)

The KRBTGT account's key is required. It can be obtained from the NTDS.dit of a domain controller or, without touching the DC's file system, via DCSync (see below); either way it takes domain-admin-level rights. With the KRBTGT key the attacker forges TGTs for any user with any group membership, and the DCs accept them as genuine, which means complete control of the domain. Mimikatz forges tickets with a lifetime of 10 years by default.

# Prerequisite: the KRBTGT hash (only after a DC or DCSync-level compromise!)
# Mimikatz (one line): forge a TGT for "Administrator" in the domain with the given SID; /endin is the lifetime in minutes
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:KRBTGT_HASH /endin:99999

Countermeasures:

  • Rotate the KRBTGT password twice: AD keeps the current and the previous key, so only the second reset invalidates forged tickets. Wait longer than the maximum TGT lifetime (10 hours by default) plus replication time between the two resets, otherwise legitimate tickets break
  • Detect tickets with unusual lifetimes in the SIEM, and TGT use with no matching AS-REQ history (a forged TGT never produced a 4768 on any DC)
  • No access to the DCs from normal workstations
  • Privileged Access Workstations (PAW) for DC administration

Silver Ticket

Uses the service account's key (easier to obtain than KRBTGT: the NT hash of the service or machine account is enough). The attacker forges a service ticket for one specific service on one host and presents it directly to that service; the DC is never contacted, so no 4769 appears on any DC, only a 4624 on the target.

Countermeasures:

  • Enable PAC validation (prevents offline silver tickets)
  • Use gMSA instead of normal service accounts

DCSync (Stealing Domain Secrets)

Simulates a domain controller's replication request (MS-DRSR GetNCChanges) against a real DC. No access to the DC's file system is required; the DC hands over all domain password hashes, including KRBTGT.

# Impacket: DCSync of the whole domain
secretsdump.py domain.local/DomainAdmin:password@dc.domain.local
# Only the KRBTGT secret (enough for a Golden Ticket):
secretsdump.py -just-dc-user krbtgt domain.local/DomainAdmin:password@dc.domain.local

# Prerequisite: the extended rights "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain object
# Who has them by default? The domain controllers, Administrators (and therefore Domain Admins) and Enterprise Admins.
# In practice often also sync accounts (e.g. Azure AD Connect) and forgotten service accounts: too many!

Countermeasures:

  • Grant the replication rights only to genuine DCs and the built-in admin groups; audit the domain object's ACL for everyone else
  • Monitoring: who is sending replication requests? Event 4662 on the DC whose Properties field contains the replication right GUIDs 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (Get-Changes) or 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (Get-Changes-All), from any account that is not a domain controller

BloodHound Attack Path Analysis

BloodHound is an open-source tool for visualizing AD attack paths. It collects data with SharpHound (C#, run on a domain-joined Windows host) or bloodhound-python (from Linux) and loads it into a Neo4j graph database. Queries on the graph find the shortest path from any user to Domain Admin.

# Data collection (a regular domain user is enough!):
SharpHound.exe --CollectionMethods All --Domain domain.local
# "All" also enumerates sessions and local groups on every host and is noisy; "Default" is quieter

# bloodhound-python (from Linux):
bloodhound-python -u user -p password -ns 192.168.1.10 -d domain.local -c All

Important BloodHound Queries

“Shortest Path to Domain Admin”

  • Finds: how many steps to Domain Admin?
  • Typically: 3–5 steps are enough (alarmingly few!)

“Find Kerberoastable Users”

  • Lists all accounts with an SPN and checks their privileges
  • A kerberoastable account that is a Domain Admin (or has a path to one) = immediate P0 finding

“Find Computers where DA logged on”

  • On which workstations are Domain Admin tokens present?
  • These workstations are high-risk attack targets

“Principals with DCSync Rights”

  • Who can run DCSync?
  • Should only be the domain controllers, the built-in admin groups and a handful of known sync accounts; every other principal in this list is a finding

Defensive BloodHound Deployment

Conduct your own AD analysis at least annually (and after every major AD change) to eliminate attack paths before attackers find them. Typical fixes: remove unconstrained delegation, strip excessive ACL rights on privileged objects, keep Domain Admin sessions off workstations.

Network-based lateral movement

SMB-based lateral movement

PsExec (or its clones in Impacket, CrackMapExec and Cobalt Strike): copies a service binary to the admin share (\\server\ADMIN$), registers it as a service and starts it. Requires local admin credentials or a pass-the-hash. Noisy: a new service appears on the target (Event 7045 in the System log).

cme smb 192.168.1.50 -u Admin -p Password -x "whoami"
# CrackMapExec picks the execution method itself (wmiexec by default); force the service-based variant with --exec-method smbexec

WMI (Windows Management Instrumentation): remote command execution over DCOM/RPC. Harder to detect than PsExec, as no service is created and no binary is uploaded. On the target the new process is a child of WmiPrvSE.exe.

# PowerShell (a backtick, not a backslash, continues a line):
Invoke-WmiMethod -Class Win32_Process -Name Create `
  -ArgumentList "cmd.exe /c whoami" -ComputerName server01

WinRM (Windows Remote Management, TCP 5985/5986): PowerShell Remoting. Detection: Event 4688 (new process) with wsmprovhost.exe as the parent process, plus Event 4624 Logon Type 3 on the target.

$cred = Get-Credential   # prompts for the account to use on the remote host
Enter-PSSession -ComputerName server01 -Credential $cred

DCOM-based Lateral Movement

  • Component Object Model: remote execution by instantiating a COM object on the target over DCOM (TCP 135 plus a dynamic port) and calling a method that runs a command
  • Evasion: no new service, no tool upload, and the traffic looks like ordinary DCOM
  • Examples: ShellWindows, ShellBrowserWindow, MMC20.Application (Document.ActiveView.ExecuteShellCommand)

RDP Hijacking

  • Take over another user's active or disconnected RDP session on the same host with the built-in tscon.exe
  • Requires SYSTEM privileges on the target (e.g. by creating a service that runs tscon)
  • No password required: the session is simply re-attached at the terminal-services level

Countermeasures:

  • RDP only via jump server / bastion host
  • Enforce NLA (Network Level Authentication)
  • Session timeouts (15 minutes of inactivity)

Detection of Lateral Movement in SIEM

The most important alert indicators:

  • Event 4624 Logon Type 3 (Network) from one workstation to another: workstations have no business authenticating to each other
  • Event 4648 (logon with explicit credentials: someone is using another user's credentials, typical for runas, PtH tooling and PsExec)
  • Event 4769 on the DC: many service ticket requests from one account in a short time, especially with RC4 (ticket encryption type 0x17) and for rarely used SPNs = Kerberoasting
  • SMB connections between workstations (target value: 0!)
  • RDP connections to a DC from machines that are not PAWs
  • Abnormal use of admin tools (psexec, wmic, net use, PowerShell Remoting) by non-admin users or outside change windows
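The indicators above as detection logic, an added example (not code from this page nor any SIEM product's rule syntax) run over a handful of constructed events. The flat event dicts and their field names, the WS- naming convention for workstations, the DC01$/DC02$ account names and the properties field of the 4662 are assumptions; the replication-right GUIDs are the real ones. Three rules: workstation-to-workstation Type 3 logons, a burst of RC4 service ticket requests from one account (Kerberoasting), and a 4662 carrying a replication right from anything that is not a domain controller (DCSync, from the countermeasures above).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions (not from the page): events are already normalised into flat dicts with these
# field names; workstations are named WS-*; DC01$/DC02$ are the domain controller accounts.
WORKSTATION_PREFIX = "WS-"
DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}
# Extended-right GUIDs found in the Properties field of a 4662 during replication:
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def ev(event_id, clock, **fields):
    """Build one constructed sample event (all on the same sample day)."""
    return {"id": event_id, "time": datetime.fromisoformat(f"2024-03-01T{clock}"), **fields}


SPNS = [f"MSSQLSvc/sql{n:02d}.domain.local:1433" for n in range(6)]
SAMPLE_EVENTS = [  # constructed, not captured telemetry
    ev(4624, "09:00:00", user="j.doe", logon_type=3, src_host="WS-101", dst_host="FS01"),    # workstation -> server: normal
    ev(4624, "09:01:00", user="j.doe", logon_type=3, src_host="WS-101", dst_host="WS-205"),  # workstation -> workstation
    ev(4624, "09:01:30", user="j.doe", logon_type=2, src_host="WS-205", dst_host="WS-205"),  # interactive, ignored
    *[ev(4769, f"09:02:{i:02d}", user="j.doe", spn=s, etype="0x17") for i, s in enumerate(SPNS)],  # 6 RC4 SPNs in 6 s
    ev(4769, "09:10:00", user="backupsvc", spn="cifs/fs01.domain.local", etype="0x12"),      # one AES request: normal
    ev(4662, "09:15:00", user="DC02$", src_host="DC02",
       properties="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),                                   # DC replicating: expected
    ev(4662, "09:16:00", user="j.doe", src_host="WS-101",
       properties="1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),                                   # DCSync from a workstation
]


def detect_workstation_to_workstation(events):
    """4624 type 3 with a workstation at both ends: an SMB/WMI/WinRM hop between peers."""
    return [
        {"rule": "ws_to_ws_logon", "user": e["user"], "time": e["time"],
         "detail": f'{e["src_host"]} -> {e["dst_host"]}'}
        for e in events
        if e["id"] == 4624 and e.get("logon_type") == 3
        and e.get("src_host", "").startswith(WORKSTATION_PREFIX)
        and e.get("dst_host", "").startswith(WORKSTATION_PREFIX)
    ]


def detect_kerberoast_burst(events, window=timedelta(minutes=5), min_spns=5):
    """One account requesting many distinct RC4 (etype 0x17) service tickets inside a short window."""
    requests = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e.get("etype") == "0x17":
            requests[e["user"]].append((e["time"], e["spn"]))
    alerts = []
    for user, reqs in requests.items():
        reqs.sort()
        for t, _ in reqs:
            spns = {spn for ts, spn in reqs if t - window <= ts <= t}
            if len(spns) >= min_spns:
                alerts.append({"rule": "kerberoast_burst", "user": user, "time": t,
                               "detail": f"{len(spns)} distinct SPNs within {window}"})
                break  # one alert per account
    return alerts


def detect_dcsync(events):
    """4662 with a replication extended right from anything that is not a domain controller."""
    return [
        {"rule": "dcsync_from_non_dc", "user": e["user"], "time": e["time"],
         "detail": f'{e["src_host"]} requested {e["properties"]}'}
        for e in events
        if e["id"] == 4662 and e.get("properties", "").lower() in REPLICATION_GUIDS
        and e["user"] not in DOMAIN_CONTROLLER_ACCOUNTS
    ]


def run_all(events):
    return (detect_workstation_to_workstation(events)
            + detect_kerberoast_burst(events)
            + detect_dcsync(events))


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(f'{alert["time"]:%H:%M:%S} {alert["rule"]:<20} {alert["user"]:<10} {alert["detail"]}')
```

The thresholds (5 SPNs in 5 minutes) and the workstation naming are tuning knobs, not magic values; the shape of each rule is what carries over to a real SIEM: the Kerberoast rule keys on the encryption type and the number of distinct SPNs per account, not on any single SPN, and the DCSync rule is an allow-list of principals that may hold the replication rights rather than a deny-list of known tools.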