Lateral movement automation
In a corporate network, lateral movement is a great way to escalate privileges and find necessary information.
But it is hindered when we face filtering between network segments. Sometimes, we have to open multiple embedded tunnels, which is hard to automate. In other words, lateral movement is rarely possible without pivoting.
Trying to solve this problem and move away from pivoting, an interesting solution was found – a recursive shell, i.e. a shell that can be opened from another shell.
In fact, it is a proxy based on DCOM and available through the MSRPC pile built into victim. As a result, we can forward ports exclusively through port 445/tcp.
This kind of lateral movement significantly hinders active countermeasures because it happens through a chain of MSRPC proxies and the real source of the attack is hard to identify.