forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathlateral_movement.yml
More file actions
61 lines (61 loc) · 3.36 KB
/
lateral_movement.yml
File metadata and controls
61 lines (61 loc) · 3.36 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
category:
- Adversary Tactics
channel: ESCU
creation_date: '2016-09-13'
description: Detect and investigate tactics, techniques, and procedures around how
attackers move laterally within the enterprise. Because lateral movement can expose
the adversary to detection, it should be an important focus for security analysts.
detections:
- detection_id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6
name: Schtasks scheduling job on remote system
type: splunk
- detection_id: f5939373-8054-40ad-8c64-cec478a22a4a
name: Remote Desktop Process Running On System
type: splunk
- detection_id: 272b8407-842d-4b3d-bead-a704584003d3
name: Remote Desktop Network Traffic
type: splunk
- detection_id: f5939373-8054-40ad-8c64-cec478a22a4b
name: Detect Activity Related to Pass the Hash Attacks
type: splunk
id: 399d65dc-1f08-499b-a259-aad9051f38ad
maintainers:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
modification_date: '2018-05-31'
name: Lateral Movement
narrative: "Once attackers gain a foothold within an enterprise, they will seek to\
\ expand their accesses and leverage techniques that facilitate lateral movement.\
\ Attackers will often spend quite a bit of time and effort moving laterally. Because\
\ lateral movement renders an attacker the most vulnerable to detection, it's an\
\ excellent focus for detection and investigation.\\\nIndications of lateral movement\
\ can include the abuse of system utilities (such as `psexec.exe`), unauthorized\
\ use of remote desktop services, `file/admin$` shares, WMI, PowerShell, pass-the-hash,\
\ or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting\
\ lateral movement techniques and look for suspicious activity in and around high-value\
\ strategic network assets, such as Active Directory, which are often considered\
\ the primary target or \"crown jewels\" to a persistent threat actor.\\\nAn adversary\
\ can use lateral movement for multiple purposes, including remote execution of\
\ tools, pivoting to additional systems, obtaining access to specific information\
\ or files, access to additional credentials, exfiltrating data, or delivering a\
\ secondary effect. Adversaries may use legitimate credentials alongside inherent\
\ network and operating-system functionality to remotely connect to other systems\
\ and remain under the radar of network defenders.\\\nIf there is evidence of lateral\
\ movement, it is imperative for analysts to collect evidence of the associated\
\ offending hosts. For example, an attacker might leverage host A to gain access\
\ to host B. From there, the attacker may try to move laterally to host C. In this\
\ example, the analyst should gather as much information as possible from all three\
\ hosts. \\\n It is also important to collect authentication logs for each host,\
\ to ensure that the offending accounts are well-documented. Analysts should account\
\ for all processes to ensure that the attackers did not install unauthorized software."
original_authors:
- company: Splunk
email: davidd@splunk.com
name: David Dorsey
references:
- https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis
- https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'