One of the most common tactics used by an attacker once they have infiltrated a network is to start moving laterally. They hop from machine to machine in an attempt to traverse the network searching for specific assets, or infecting and gaining persistence over multiple hosts. These lateral movement attempts will also often involve credentials scraping techniques to attempt and steal admin passwords, or pass the ticket techniques to hop from machine to machine.
Lateral movement can be attributed to two main causes – a live attacker traversing a network, or malicious code with automatic spreading abilities (worm-like). The techniques used to perform lateral movements vary: utilizing exploits (for example – EternalBlue SMB exploit), to using remote desktop protocols, utilizing admin tools like powershell and wmi, and executing code on a remote machine.
Given the vast majority of theses techniques do not utilize files or payloads (fileless) – most traditional security controls have a hard time identifying the attacker or piece of code moving around a network. The stealthy nature of these attacks makes them highly efficient and lucrative for the attacker, and can result in mass infections.
How SentinelOne Stops Lateral Movement
SentinelOne’s Lateral Movement Detection engine utilizes the platform’s low level monitoring to gain visibility into all machine operations, including the above script language and protocols. Then by building execution context in real time and applying Behavior AI to identify the anomalies of these various techniques used to move around in the network, it is able to detect and mitigate lateral movement attacks in real time, preventing the spread of malware, or the “roaming around” attacker.
The type of detection and visibility offered by the Lateral Movement Detection is far superior to every EDR tool out there and is integrated holistically for automated operation in our 2.0 platform – no configuration needed.
Watch the video below to see the SentinelOne Lateral Movement Engine in action. An infected machine will attempt to infect additional machines via the network by utilizing ps.exe in order to make that infection happen. We will first show how a machine with the SentinelOne agent installed would detect and block this type of lateral movement attack from an infected machine. We will then take a look at some of the information that SentinelOne provides from the attack such as information about the identified threat and the infected machine, the actual engine that blocked the attack, and our attack storyline that shows the visual forensics of the attack.
Real life – Real time
Last month, the S1 Platform was deployed alongside an existing EDR tool on a prospect network, and within minutes of deployment an attacker was identified moving laterally in the network. Read the full incidence report to learn more about a real live case – from deployment to full mitigation.