Thursday, August 11, 2016

Detecting Lateral Movements

I came across a useful blog post on Hunting Lateral Movement and Windows Incident Response. Below is a summary of its key points, which also make good hunt techniques as part of content creation for a SIEM.

Lateral movement usually leaves the following kinds of indicators.

Process Execution

Windows process creation events (event ID 4688; 592 on Windows XP/2003). Process creation auditing must be enabled, and turning on command-line logging for 4688 (a Group Policy audit setting) makes the checks below far more useful.
Recon commands: net.exe, ipconfig.exe, whoami.exe, nbtstat.exe and similar.
PsExec and other similar services (I've seen rcmd and xcmd used) can be used to execute processes on remote systems.
schtasks.exe and at.exe: both take a remote-system argument (schtasks /S <host>, at \\<host>) for creating scheduled tasks on remote systems.
Cluster on the number of such processes executing on one host within a 10 minute time frame; a burst of recon commands is far more telling than any single one.
Are there legitimate file names in odd directory paths?
Are there file name misspellings of legitimate executables?
Does the owner of the process seem correct?
What is the role of the server that the process is executing on?
Does the process name just look weird for some reason? (don't discount hunches)
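As an added example (not code from the original post or the article it summarises), the following Python applies the process-execution checks above to a handful of constructed 4688 events: it flags recon and remote-execution binaries, remote schtasks/at invocations, system binaries running outside their expected directory, near-miss names such as svch0st.exe, and then clusters the flagged processes per host inside a 10 minute window. The event field names, the tool lists and the SYSTEM-owned process list are this example's own assumptions, not a SIEM schema.

```python
"""Triage of Windows 4688 (process creation) events for lateral-movement indicators.

Constructed sample events; field names are this example's own, not a SIEM schema.
"""
import difflib
from collections import defaultdict
from datetime import datetime, timedelta

# Recon and remote-execution binaries called out in the post (illustrative, not exhaustive).
RECON_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe", "whoami.exe", "nbtstat.exe",
               "tasklist.exe", "systeminfo.exe"}
REMOTE_EXEC_TOOLS = {"psexec.exe", "psexesvc.exe", "schtasks.exe", "at.exe",
                     "rcmd.exe", "xcmd.exe"}
# Binaries that should only run from the Windows system directories.
SYSTEM_BINARIES = RECON_TOOLS | {"svchost.exe", "lsass.exe", "csrss.exe",
                                 "explorer.exe", "cmd.exe", "powershell.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Processes that should only ever be owned by SYSTEM (assumption for the owner check).
SYSTEM_OWNED = {"lsass.exe", "csrss.exe"}

# Constructed 4688 events: time, logging host, account, image path, command line.
EVENTS = [
    {"time": "2016-08-11T09:00:05", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"},
    {"time": "2016-08-11T09:00:41", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net group \"domain admins\" /domain"},
    {"time": "2016-08-11T09:01:12", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"time": "2016-08-11T09:02:30", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\nbtstat.exe", "cmdline": "nbtstat -a 10.1.2.3"},
    {"time": "2016-08-11T09:03:02", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /s 10.1.2.3 /tn upd /tr c:\\temp\\u.exe"},
    # a lone ipconfig by an admin: flagged individually but never clusters
    {"time": "2016-08-11T09:45:00", "host": "WS22", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig"},
    {"time": "2016-08-11T11:10:00", "host": "WS22", "user": "CORP\\asmith",
     "image": "C:\\Users\\Public\\svch0st.exe", "cmdline": "svch0st.exe"},
    {"time": "2016-08-11T11:12:00", "host": "WS22", "user": "CORP\\asmith",
     "image": "C:\\Temp\\net.exe", "cmdline": "net use"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_process(ev):
    """Return the reasons a single 4688 event looks interesting (empty list = nothing odd)."""
    reasons = []
    name = _basename(ev["image"])
    path = ev["image"].lower()
    cmd = ev.get("cmdline", "").lower()
    if name in RECON_TOOLS:
        reasons.append("recon tool")
    if name in REMOTE_EXEC_TOOLS:
        reasons.append("remote execution tool")
    # schtasks /S <host> and at \\<host> create the task on a remote system
    if (name == "schtasks.exe" and " /s " in cmd) or (name == "at.exe" and "\\\\" in cmd):
        reasons.append("remote scheduled task")
    # legitimate file name in an odd directory path
    if name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
        reasons.append("system binary outside system dir")
    # file name that is a near miss of a legitimate executable, e.g. svch0st.exe
    if name not in SYSTEM_BINARIES:
        near = difflib.get_close_matches(name, sorted(SYSTEM_BINARIES), n=1, cutoff=0.85)
        if near:
            reasons.append("possible misspelling of " + near[0])
    # process owner does not match what the binary should run as
    if name in SYSTEM_OWNED and ev["user"].upper() != "NT AUTHORITY\\SYSTEM":
        reasons.append("unexpected owner " + ev["user"])
    return reasons


def cluster_suspicious(events, window=timedelta(minutes=10), threshold=4):
    """Per host, find a burst of at least `threshold` flagged processes inside `window`.

    Returns {host: [events in the burst]}. Single recon commands never fire on their own.
    """
    per_host = defaultdict(list)
    for ev in events:
        if flag_process(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), ev))
    hits = {}
    for host, items in per_host.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(items):
            burst = [ev for t, ev in items[i:] if t - start <= window]
            if len(burst) >= threshold:
                hits[host] = burst
                break
    return hits


if __name__ == "__main__":
    for ev in EVENTS:
        reasons = flag_process(ev)
        if reasons:
            print(ev["host"], ev["user"], ev["image"], "->", ", ".join(reasons))
    for host, burst in cluster_suspicious(EVENTS).items():
        print(f"{host}: {len(burst)} suspicious processes within 10 minutes")
```

The clustering threshold and window are tuning knobs: on a jump host or a helpdesk workstation the same burst is routine, which is where the "role of the server" question comes in before an alert is raised.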

Tool Movement

Access to the administrative shares ADMIN$, IPC$ and C$ (PsExec, for example, copies its service binary to ADMIN$ and reaches the service control manager over a named pipe on IPC$).
Remote-control tools: OpenVNC, TightVNC, RealVNC, etc.
Shares mapped via the Map Network Drive wizard (or net use).
File writes to those shares.
Windows event ID 5145 (a network share object was checked to see whether the client can be granted desired access) records the share name, the relative target name and the requested access mask for each access. It requires the "Audit Detailed File Share" subcategory and is high volume, so filter on the admin shares and on write access.
Number and names of files copied from the same source.
The user that copied the files and that user's past history.
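As an added example (not code from the original post), the Python below turns the tool-movement indicators into a hunt over constructed 5145 events: it keeps only writes to ADMIN$/C$/D$, records IPC$ named-pipe access separately, groups by source address and user, counts the hosts and file names involved, and rates the result against a hypothetical baseline of accounts that normally write to admin shares. The event field names, the 0x2/0x4 write bits of the access mask and the baseline set are this example's assumptions.

```python
"""Hunt for tool staging over admin shares using Windows 5145 events.

Constructed sample events; field names are this example's own. 5145 carries the
share name, the relative target name and the access mask of each share access.
"""
from collections import defaultdict

FILE_ADMIN_SHARES = {"ADMIN$", "C$", "D$"}
# Access-mask bits 0x2 (WriteData/AddFile) and 0x4 (AppendData) indicate a write.
WRITE_BITS = 0x2 | 0x4
STAGING_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".cmd")
# Hypothetical baseline: accounts seen writing to admin shares over the last 30 days.
KNOWN_ADMIN_SHARE_WRITERS = {"CORP\\backupsvc", "CORP\\sccm_push"}

EVENTS = [
    {"time": "2016-08-11T09:03:10", "dest": "FS01", "user": "CORP\\jdoe", "src_ip": "10.1.2.50",
     "share": "\\\\*\\ADMIN$", "target": "PSEXESVC.exe", "access": 0x2},
    {"time": "2016-08-11T09:03:12", "dest": "FS01", "user": "CORP\\jdoe", "src_ip": "10.1.2.50",
     "share": "\\\\*\\ADMIN$", "target": "Temp\\u.exe", "access": 0x2},
    {"time": "2016-08-11T09:03:15", "dest": "FS01", "user": "CORP\\jdoe", "src_ip": "10.1.2.50",
     "share": "\\\\*\\IPC$", "target": "svcctl", "access": 0x12019f},  # service control pipe
    {"time": "2016-08-11T09:07:40", "dest": "DB02", "user": "CORP\\jdoe", "src_ip": "10.1.2.50",
     "share": "\\\\*\\C$", "target": "Windows\\Temp\\u.exe", "access": 0x2},
    {"time": "2016-08-11T09:07:41", "dest": "DB02", "user": "CORP\\jdoe", "src_ip": "10.1.2.50",
     "share": "\\\\*\\C$", "target": "Windows\\Temp\\run.bat", "access": 0x2},
    # nightly backup account writing a data file: baseline behaviour, no staged tool
    {"time": "2016-08-11T02:00:00", "dest": "FS01", "user": "CORP\\backupsvc", "src_ip": "10.1.9.9",
     "share": "\\\\*\\C$", "target": "Backups\\daily.bak", "access": 0x2},
    # ordinary user: write to a normal share, read-only access to C$
    {"time": "2016-08-11T10:15:00", "dest": "FS01", "user": "CORP\\asmith", "src_ip": "10.1.5.20",
     "share": "\\\\*\\Shared", "target": "reports\\q3.docx", "access": 0x2},
    {"time": "2016-08-11T10:16:00", "dest": "FS01", "user": "CORP\\asmith", "src_ip": "10.1.5.20",
     "share": "\\\\*\\C$", "target": "Users\\asmith\\notes.txt", "access": 0x1},
]


def share_name(share):
    """'\\\\*\\ADMIN$' -> 'ADMIN$'."""
    return share.rsplit("\\", 1)[-1].upper()


def writes_by_source(events):
    """Summarise admin-share activity per (source IP, user).

    Returns {(src_ip, user): {"hosts", "files", "staged", "pipes"}} where "staged" is the
    subset of written file names with executable or script extensions and "pipes" holds
    IPC$ named pipes touched (svcctl is the service control pipe PsExec uses).
    """
    summary = defaultdict(lambda: {"hosts": set(), "files": set(), "staged": set(), "pipes": set()})
    for ev in events:
        share = share_name(ev["share"])
        key = (ev["src_ip"], ev["user"])
        if share == "IPC$":
            summary[key]["pipes"].add(ev["target"])
            summary[key]["hosts"].add(ev["dest"])
            continue
        if share not in FILE_ADMIN_SHARES or not ev["access"] & WRITE_BITS:
            continue
        entry = summary[key]
        entry["hosts"].add(ev["dest"])
        entry["files"].add(ev["target"])
        if ev["target"].lower().endswith(STAGING_EXTENSIONS):
            entry["staged"].add(ev["target"].rsplit("\\", 1)[-1])
    return dict(summary)


def tool_movement_alerts(events, min_hosts=2, min_files=2):
    """Flag sources that write tools to admin shares on several hosts, weighted by past history."""
    alerts = []
    for (src_ip, user), entry in writes_by_source(events).items():
        if not entry["staged"]:
            continue
        if len(entry["hosts"]) < min_hosts and len(entry["files"]) < min_files:
            continue
        severity = "low" if user in KNOWN_ADMIN_SHARE_WRITERS else "high"
        alerts.append({"src_ip": src_ip, "user": user, "severity": severity,
                       "hosts": sorted(entry["hosts"]), "staged": sorted(entry["staged"]),
                       "pipes": sorted(entry["pipes"])})
    return alerts


if __name__ == "__main__":
    for alert in tool_movement_alerts(EVENTS):
        print(alert)
```

In a real SIEM the baseline would be a lookup built from the previous weeks of 5145 data rather than a hard-coded set, and software deployment accounts (SCCM, patching) will dominate it; the interesting hits are the accounts that have never written to an admin share before.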

Logon Activity

Hunt for malicious logon activity by focusing on Windows event IDs 4624 type 3 (successful network logon), 4625 type 3 (failed network logon) and 4648 (logon using explicit credentials, logged on the source host and naming the target server).
Same source to multiple destinations.
Short session times for successful authentications (pair the 4624 with the 4634 logoff that carries the same Logon ID).
Failed authentication from the same source to multiple destinations with multiple legitimate administrative accounts.
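The three logon hunts above, as an added example that is not code from the original post: over constructed 4624/4625/4634/4648 events it reports sources that reach several destinations, network sessions that end within seconds of the logon (4624 paired with 4634 by host and Logon ID), and sources whose failed network logons span several hosts and several administrative accounts. The event field names and the set of administrative accounts are this example's own assumptions.

```python
"""Logon-based lateral-movement hunts over 4624/4625/4634/4648 events.

Constructed sample events; field names are this example's own. 4624/4625 are logged
on the destination host with the caller's address; 4648 is logged on the host where
explicit credentials were supplied and names the target server; 4634 (logoff) shares
the Logon ID of the matching 4624 and is used here to measure session length.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical set of privileged accounts worth watching.
ADMIN_ACCOUNTS = {"CORP\\srvadmin", "CORP\\dbadmin", "CORP\\helpdesk"}

EVENTS = [
    # 10.1.2.50 fans out with srvadmin: three servers, each session a few seconds long
    {"id": 4624, "time": "2016-08-11T09:10:00", "host": "FS01", "type": 3,
     "user": "CORP\\srvadmin", "src": "10.1.2.50", "logon_id": "0x3e7a1"},
    {"id": 4634, "time": "2016-08-11T09:10:03", "host": "FS01", "logon_id": "0x3e7a1"},
    {"id": 4624, "time": "2016-08-11T09:11:00", "host": "DB02", "type": 3,
     "user": "CORP\\srvadmin", "src": "10.1.2.50", "logon_id": "0x5c110"},
    {"id": 4634, "time": "2016-08-11T09:11:01", "host": "DB02", "logon_id": "0x5c110"},
    {"id": 4624, "time": "2016-08-11T09:12:30", "host": "APP03", "type": 3,
     "user": "CORP\\srvadmin", "src": "10.1.2.50", "logon_id": "0x7710a"},
    {"id": 4634, "time": "2016-08-11T09:12:32", "host": "APP03", "logon_id": "0x7710a"},
    # explicit credentials used from WS22 toward DB02
    {"id": 4648, "time": "2016-08-11T09:12:00", "host": "WS22", "user": "CORP\\jdoe",
     "target_user": "CORP\\dbadmin", "target_server": "DB02"},
    # failures from the same source across hosts, cycling through admin accounts
    {"id": 4625, "time": "2016-08-11T09:05:00", "host": "FS01", "type": 3,
     "user": "CORP\\dbadmin", "src": "10.1.2.50"},
    {"id": 4625, "time": "2016-08-11T09:05:02", "host": "DB02", "type": 3,
     "user": "CORP\\helpdesk", "src": "10.1.2.50"},
    {"id": 4625, "time": "2016-08-11T09:05:04", "host": "APP03", "type": 3,
     "user": "CORP\\srvadmin", "src": "10.1.2.50"},
    # benign: a workstation holding one file-server session open all morning
    {"id": 4624, "time": "2016-08-11T09:00:00", "host": "FS01", "type": 3,
     "user": "CORP\\asmith", "src": "10.1.5.20", "logon_id": "0x1a2b3"},
    {"id": 4634, "time": "2016-08-11T12:30:00", "host": "FS01", "logon_id": "0x1a2b3"},
]


def _t(ev):
    return datetime.fromisoformat(ev["time"])


def fan_out(events, min_dests=3):
    """Sources reaching many destinations: 4624 type 3 keyed by caller IP, 4648 by originating host."""
    dests = defaultdict(set)
    for ev in events:
        if ev["id"] == 4624 and ev["type"] == 3:
            dests[ev["src"]].add(ev["host"])
        elif ev["id"] == 4648:
            dests[ev["host"]].add(ev["target_server"])
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_dests}


def short_sessions(events, max_seconds=10):
    """Pair each 4624 type 3 with its 4634 on the same host by Logon ID; return sessions under max_seconds."""
    logons = {}
    for ev in events:
        if ev["id"] == 4624 and ev["type"] == 3:
            logons[(ev["host"], ev["logon_id"])] = ev
    found = []
    for ev in events:
        if ev["id"] == 4634:
            logon = logons.get((ev["host"], ev["logon_id"]))
            if logon:
                secs = (_t(ev) - _t(logon)).total_seconds()
                if secs <= max_seconds:
                    found.append((logon["host"], logon["user"], logon["src"], secs))
    return found


def admin_spray(events, min_dests=2, min_accounts=2):
    """4625 type 3 from one source against several hosts using several admin accounts."""
    by_src = defaultdict(lambda: {"hosts": set(), "accounts": set()})
    for ev in events:
        if ev["id"] == 4625 and ev["type"] == 3 and ev["user"] in ADMIN_ACCOUNTS:
            by_src[ev["src"]]["hosts"].add(ev["host"])
            by_src[ev["src"]]["accounts"].add(ev["user"])
    return {src: {"hosts": sorted(v["hosts"]), "accounts": sorted(v["accounts"])}
            for src, v in by_src.items()
            if len(v["hosts"]) >= min_dests and len(v["accounts"]) >= min_accounts}


if __name__ == "__main__":
    print("fan-out:", fan_out(EVENTS))
    print("short sessions:", short_sessions(EVENTS))
    print("admin spray:", admin_spray(EVENTS))
```

Short network sessions are normal on their own (SMB and RPC calls open and close logons constantly, and vulnerability scanners and monitoring systems fan out by design), so the value comes from intersecting the three: one source, many destinations, administrative accounts, sessions measured in seconds. Exclude known scanners and management servers up front or they will top every list.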
