Control & Movement

Control & Movement is used to collect information about the network (TA0007) to reach the goal of the assessment while moving around (TA0008) in the network.

Actions during this phase include reconnaissance on the target (TA0007) for security controls (TA0005) like listing running processes or reviewing installed software. If additional security software is identified that was not found in the Reconnaissance phase, then we adjust our toolkit and TTPs to circumvent those. This phase is also one of the most dynamic ones as we learn a lot about the network, components and user/admin behavior in the network. We constantly need to adjust our behavior to become part of the usual flow and not raise any anomalies. For example, if we identify that PowerShell is used in the network, then we adjust our toolkit and payloads to use PowerShell as an executor.

One of the steps on the device is collecting files from the local device or network services like SharePoint and reviewing them on the system itself (TA0009). We also collect general information about the Active Directory like Domain Trust and User/Group access rights to identify overly permissive access. This phase of the attack may take some time depending on the size of the network and information we need to review to further plan our attack. Our insights into Attack Simulations have shown that it is often better to listen for a while.

Additionally, we perform privilege escalation on compromised devices. For example by modifying the execution flow of programs (TA00004). It is often required to move via multiple targets throughout the network. This can for example be archived by privilege escalation within the domain using compromised credentials from a password manager (TA0006). It also not unusual to perform internal phishing campaigns from compromised accounts and hijack existing internal email threads.