Indication of Pivot

Indication of Pivot (IoP)

An Indication of Pivot, also known as a Lateral Movement Indicator, refers to signs that an attacker is moving from one system to another within a network after gaining initial access. This indicates that the attacker is expanding their control by utilizing compromised accounts, remote administration tools, shared resources, or internal communication paths to access additional hosts, applications, or sensitive systems. Instead of remaining on the initially compromised machine, the attacker “pivots” deeper into the environment. This allows them to increase their privileges, locate valuable data, establish persistence, or prepare for a broader compromise.

Key Characteristics

  • Occurs After Initial Compromise: This phase happens once the attacker has gained access to at least one system within the network.
  • Indicates Exploration or Spreading: This suggests that the attacker is moving between systems in search of additional access points or valuable targets.
  • Critical Sign of Escalation Toward Full Environment Compromise: This shows that the attack is advancing toward broader control over the network.
  • Focuses on Internal Lateral Movement Activity: This highlights suspicious behavior as attackers navigate between hosts using stolen credentials or remote tools.

Examples

  • Internal remote login attempts between hosts
    • Earth Lusca (APT)
    • powershell "Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list -property * | findstr "Address""
  • Authentication using stolen or new credentials
    • Stolen Legacy VPN Credentials
      • User/Password: test,IWQ1rv04VFiXSCFU (credentials leaked on the dark web)
      • VPN Server: legacy-vpn.example.local
      • Login Time: 03:12 AM
      • Source IP: 1.2.3.4 (unrecognized ASN; possibly a free-tier instance on a well-known cloud provider)
      • Device: Unknown
  • Access from a system that normally shouldn’t connect to another
    • Canary Token: database_settings.xlsx
    • database_settings.xlsx is accessed on 4/26/2025 by PC201823
  • Use of tools like PsExec, WMI, WinRM, etc.
    • wmic /node:SERVER01 process call create "powershell.exe Get-Process"
    • psexec.exe \\server01 cmd.exe
    • Enter-PSSession -ComputerName SERVER01
    • Invoke-Command -ComputerName SERVER01 -ScriptBlock { Get-Process }
  • Repeated authentication failures
    • HermeticWizard (a259e9b0acf375a8bef8dbc27a8a1996ee02a56889cba07ef58c49185ab033ec)
    • HermeticWizard Spreader (5a300f72e221a228e3a36a043bef878b570529a7abc15559513ea07ae280bb48)
    • rundll32 <spreader> #1 -s <HermeticWizard> -i <IP>
    • Multiple failed logins:
      • User: root
      • Source IP: 10.1.2.99
      • Attempts: 100+ in 1 minute
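The indicator categories in the list above, turned into detection logic that a SOC analyst could run over log records. This is an added example, not code from the original page: the event schema, the host-to-host baseline, the known VPN source list, the 20-failures-per-minute threshold, and the sample events themselves are constructed assumptions chosen to mirror the page's examples (an unexpected internal network logon, the leaked "test" VPN account used at 03:12 from 1.2.3.4, access to the database_settings.xlsx canary, a wmic /node remote execution, and a burst of failed root logons from 10.1.2.99).

```python
"""Toy Indication-of-Pivot detector over constructed log records (added example, not
code from the original page). Field names, baselines and thresholds are assumptions;
the sample events are constructed to mirror the page's examples."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed baselines: normal host-to-host paths, known VPN sources, canary file names.
EXPECTED_PATHS = {("PC201823", "FS01")}
KNOWN_VPN_SOURCES = {"203.0.113.10"}
CANARY_FILES = {"database_settings.xlsx"}
REMOTE_LOGON_TYPES = {3, 10}  # Windows logon types: 3 = network, 10 = RemoteInteractive (RDP)
REMOTE_EXEC_PATTERNS = {      # command-line shapes of the remote-exec tools named on the page
    "psexec": r"psexec(?:\.exe)?\s+\\\\(\S+)",
    "wmic": r"wmic\s+/node:(\S+)",
    "winrm": r"(?:enter-pssession|invoke-command)\s+-computername\s+(\S+)",
}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"type": "logon", "event_id": 4624, "logon_type": 3, "user": "jsmith",  # path not in baseline
     "src_host": "PC201823", "dst_host": "SERVER01", "ts": "2025-04-26T14:03:10"},
    {"type": "logon", "event_id": 4624, "logon_type": 3, "user": "jsmith",  # baseline path
     "src_host": "PC201823", "dst_host": "FS01", "ts": "2025-04-26T14:04:00"},
    {"type": "logon", "event_id": 4624, "logon_type": 2, "user": "jsmith",  # local console logon
     "src_host": "PC201823", "dst_host": "PC201823", "ts": "2025-04-26T09:00:00"},
    {"type": "vpn_login", "result": "success", "user": "test", "src_ip": "1.2.3.4",
     "server": "legacy-vpn.example.local", "ts": "2025-04-26T03:12:00"},
    {"type": "file_access", "user": "jsmith", "src_host": "PC201823",
     "path": "\\\\FS01\\share\\database_settings.xlsx", "ts": "2025-04-26T14:05:30"},
    {"type": "process", "host": "PC201823", "user": "jsmith", "ts": "2025-04-26T14:06:00",
     "cmdline": 'wmic /node:SERVER01 process call create "powershell.exe Get-Process"'},
] + [  # 30 failed network logons for root from one internal IP within one minute
    {"type": "logon", "event_id": 4625, "logon_type": 3, "user": "root",
     "src_ip": "10.1.2.99", "dst_host": "SERVER02", "ts": f"2025-04-26T14:10:{s:02d}"}
    for s in range(0, 60, 2)
]

def internal_remote_logons(events, expected_paths):
    """Successful network/RDP logons between internal hosts along a path not in the baseline."""
    alerts = []
    for e in events:
        if e["type"] != "logon" or e["event_id"] != 4624 or e["logon_type"] not in REMOTE_LOGON_TYPES:
            continue
        path = (e["src_host"], e["dst_host"])
        if path not in expected_paths:
            alerts.append(("internal-remote-logon", f"{e['user']} {path[0]} -> {path[1]}"))
    return alerts

def suspicious_vpn_logins(events, known_sources, business_hours=(7, 19)):
    """Successful VPN logins outside business hours or from a source IP not seen before."""
    alerts = []
    for e in events:
        if e["type"] != "vpn_login" or e["result"] != "success":
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        reasons = [] if business_hours[0] <= hour < business_hours[1] else ["off-hours"]
        if e["src_ip"] not in known_sources:
            reasons.append("unrecognised source")
        if reasons:
            alerts.append(("vpn-login", f"{e['user']}@{e['server']} from {e['src_ip']} ({', '.join(reasons)})"))
    return alerts

def canary_access(events, canary_names):
    """Any access to a file whose name is on the canary list."""
    return [("canary-access", f"{e['path']} by {e['src_host']} ({e['user']})") for e in events
            if e["type"] == "file_access" and e["path"].rsplit("\\", 1)[-1].lower() in canary_names]

def remote_exec_tool_use(events):
    """Process creations whose command line drives a remote-exec tool at another host."""
    alerts = []
    for e in (e for e in events if e["type"] == "process"):
        for tool, pat in REMOTE_EXEC_PATTERNS.items():
            m = re.search(pat, e["cmdline"], re.IGNORECASE)
            if m:
                alerts.append(("remote-exec-tool", f"{tool} from {e['host']} targeting {m.group(1)}"))
    return alerts

def auth_failure_bursts(events, threshold=20, window_seconds=60):
    """Failed logons grouped by (source, user); alert when a sliding window holds >= threshold."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["event_id"] == 4625:
            by_key[(e.get("src_ip") or e.get("src_host"), e["user"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for (src, user), times in by_key.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append(("auth-failure-burst", f"{user} from {src}: {best} failures within {window_seconds}s"))
    return alerts

def detect_pivot_indicators(events, expected_paths=EXPECTED_PATHS, known_vpn_sources=KNOWN_VPN_SOURCES):
    """Run every indicator check and return (indicator, detail) pairs in a fixed order."""
    return (internal_remote_logons(events, expected_paths) + suspicious_vpn_logins(events, known_vpn_sources)
            + canary_access(events, CANARY_FILES) + remote_exec_tool_use(events) + auth_failure_bursts(events))
```

Calling detect_pivot_indicators(EVENTS) yields five alerts, one per indicator category; the baseline PC201823 -> FS01 logon and the local console logon produce none. Two design points matter in practice: the remote-logon check only fires for logon types 3 and 10, because interactive type 2 logons say nothing about movement between hosts, and the failure-burst check uses a sliding window rather than fixed one-minute buckets so a burst straddling a minute boundary is not split into two sub-threshold counts.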