Lateral Movement Detections

Name Data Source Technique Type Analytic Story Date
Okta Multiple Failed Requests to Access Applications Okta Web Session Cookie Cloud Service Dashboard Hunting Okta Account Takeover 2024-10-17
Splunk App for Lookup File Editing RCE via User XSLT Exploitation of Remote Services Hunting Splunk Vulnerabilities 2024-10-17
Splunk Code Injection via custom dashboard leading to RCE Exploitation of Remote Services Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE PDFgen Render Splunk Exploitation of Remote Services TTP Splunk Vulnerabilities 2024-10-16
Splunk RCE Through Arbitrary File Write to Windows System Root Splunk Exploitation of Remote Services Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via External Lookup Copybuckets Splunk Exploitation of Remote Services Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Splunk Exploitation of Remote Services Hunting Splunk Vulnerabilities 2024-10-17
Splunk RCE via User XSLT Exploitation of Remote Services Hunting Splunk Vulnerabilities 2024-10-17
Windows AD Suspicious Attribute Modification Use Alternate Authentication Material File and Directory Permissions Modification Windows File and Directory Permissions Modification TTP Sneaky Active Directory Persistence Tricks 2024-09-30
aws detect sts get session token abuse Use Alternate Authentication Material Hunting AWS Cross Account Activity 2024-10-17
Detect Activity Related to Pass the Hash Attacks Windows Event Log Security 4624 Use Alternate Authentication Material Pass the Hash Hunting Active Directory Lateral Movement, BlackSuit Ransomware 2024-10-17
Active Directory Lateral Movement Identified Exploitation of Remote Services Correlation Active Directory Lateral Movement 2024-09-30
Allow Inbound Traffic By Firewall Rule Registry Sysmon EventID 12, Sysmon EventID 13 Remote Desktop Protocol Remote Services TTP Azorult, NjRAT, PlugX, Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Allow Inbound Traffic In Firewall Rule Powershell Script Block Logging 4104 Remote Desktop Protocol Remote Services TTP Prohibited Traffic Allowed or Protocol Mismatch 2024-09-30
Detect Computer Changed with Anonymous Account Windows Event Log Security 4624, Windows Event Log Security 4742 Exploitation of Remote Services Hunting Detect Zerologon Attack 2024-10-17
Detect PsExec With accepteula Flag CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares TTP Active Directory Lateral Movement, BlackByte Ransomware, CISA AA22-320A, DHS Report TA18-074A, DarkGate Malware, DarkSide Ransomware, HAFNIUM Group, IcedID, Rhysida Ransomware, SamSam Ransomware, Sandworm Tools, Volt Typhoon 2024-09-30
Detection of tools built by NirSoft CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Software Deployment Tools TTP Emotet Malware DHS Report TA18-201A 2024-10-17
Enable RDP In Other Port Number Sysmon EventID 12, Sysmon EventID 13 Remote Services TTP Prohibited Traffic Allowed or Protocol Mismatch, Windows Registry Abuse 2024-11-14
Executable File Written in Administrative SMB Share Windows Event Log Security 5145 Remote Services SMB/Windows Admin Shares TTP Active Directory Lateral Movement, BlackSuit Ransomware, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Hermetic Wiper, IcedID, Industroyer2, Prestige Ransomware, Trickbot 2024-11-28
Impacket Lateral Movement Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement smbexec CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Impacket Lateral Movement WMIExec Commandline Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services SMB/Windows Admin Shares Distributed Component Object Model Windows Management Instrumentation Windows Service TTP Active Directory Lateral Movement, CISA AA22-277A, Compromised Windows Host, Data Destruction, Gozi Malware, Graceful Wipe Out Attack, Industroyer2, Prestige Ransomware, Volt Typhoon, WhisperGate 2024-11-28
Interactive Session on Remote Endpoint with PowerShell Powershell Script Block Logging 4104 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Kerberos TGT Request Using RC4 Encryption Windows Event Log Security 4768 Use Alternate Authentication Material TTP Active Directory Kerberos Attacks 2024-09-30
Linux SSH Remote Services Script Execute Sysmon for Linux EventID 1 SSH TTP Linux Living Off The Land 2024-09-30
Mimikatz PassTheTicket CommandLine Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Use Alternate Authentication Material Pass the Ticket TTP Active Directory Kerberos Attacks, CISA AA22-320A, CISA AA23-347A, Sandworm Tools 2024-09-30
Mmc LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model MMC TTP Active Directory Lateral Movement, Living Off The Land 2024-09-30
Possible Lateral Movement PowerShell Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model Windows Remote Management Windows Management Instrumentation Scheduled Task Windows Service PowerShell MMC TTP Active Directory Lateral Movement, CISA AA24-241A, Data Destruction, Hermetic Wiper, Malicious PowerShell, Scheduled Tasks 2024-10-17
Powershell Remote Services Add TrustedHost Powershell Script Block Logging 4104 Windows Remote Management Remote Services TTP DarkGate Malware 2024-09-30
Remote Desktop Process Running On System CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Desktop Protocol Remote Services Hunting Active Directory Lateral Movement, Hidden Cobra Malware 2024-10-17
Remote Process Instantiation via DCOM and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Distributed Component Object Model TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Remote Process Instantiation via DCOM and PowerShell Script Block Powershell Script Block Logging 4104 Remote Services Distributed Component Object Model TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and PowerShell CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and PowerShell Script Block Powershell Script Block Logging 4104 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Remote Process Instantiation via WinRM and Winrs CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Windows Remote Management TTP Active Directory Lateral Movement 2024-09-30
Rubeus Command Line Parameters CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Use Alternate Authentication Material Pass the Ticket Steal or Forge Kerberos Tickets Kerberoasting AS-REP Roasting TTP Active Directory Kerberos Attacks, Active Directory Privilege Escalation, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Rubeus Kerberos Ticket Exports Through Winlogon Access Sysmon EventID 10 Use Alternate Authentication Material Pass the Ticket TTP Active Directory Kerberos Attacks, BlackSuit Ransomware, CISA AA23-347A 2024-09-30
Unknown Process Using The Kerberos Protocol Sysmon EventID 1, Sysmon EventID 3 Use Alternate Authentication Material TTP Active Directory Kerberos Attacks, BlackSuit Ransomware 2024-09-30
Windows Lateral Tool Transfer RemCom CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Lateral Tool Transfer TTP Active Directory Discovery 2024-09-30
Windows Protocol Tunneling with Plink CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Protocol Tunneling SSH TTP CISA AA22-257A 2024-09-30
Windows RDP Connection Successful Windows Event Log RemoteConnectionManager 1149 RDP Hijacking Hunting Active Directory Lateral Movement, BlackByte Ransomware 2024-10-17
Windows RDP File Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Spearphishing Attachment Remote Desktop Protocol TTP Spearphishing Attachments 2024-11-21
Windows Remote Service Rdpwinst Tool Execution CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Desktop Protocol Remote Services TTP Azorult, Compromised Windows Host 2024-11-28
Windows Remote Services Allow Rdp In Firewall CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Desktop Protocol Remote Services Anomaly Azorult 2024-09-30
Windows Remote Services Allow Remote Assistance Sysmon EventID 12, Sysmon EventID 13 Remote Desktop Protocol Remote Services Anomaly Azorult 2024-09-30
Windows Remote Services Rdp Enable Sysmon EventID 12, Sysmon EventID 13 Remote Desktop Protocol Remote Services TTP Azorult, BlackSuit Ransomware 2024-09-30
Windows Replication Through Removable Media Sysmon EventID 11 Replication Through Removable Media TTP Chaos Ransomware, NjRAT, PlugX 2024-09-30
Windows Service Create with Tscon CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 RDP Hijacking Remote Service Session Hijacking Windows Service TTP Active Directory Lateral Movement, Compromised Windows Host 2024-11-28
Windows Special Privileged Logon On Multiple Hosts Windows Event Log Security 4672 Account Discovery SMB/Windows Admin Shares Network Share Discovery TTP Active Directory Lateral Movement, Active Directory Privilege Escalation, Compromised Windows Host 2024-11-28
Windows Steal Authentication Certificates - ESC1 Authentication Windows Event Log Security 4768, Windows Event Log Security 4887 Steal or Forge Authentication Certificates Use Alternate Authentication Material TTP Compromised Windows Host, Windows Certificate Services 2024-11-28
Wsmprovhost LOLBAS Execution Process Spawn CrowdStrike ProcessRollup2, Sysmon EventID 1, Windows Event Log Security 4688 Remote Services Windows Remote Management TTP Active Directory Lateral Movement, CISA AA24-241A 2024-09-30
Remote Desktop Network Bruteforce Remote Desktop Protocol Remote Services TTP Ryuk Ransomware, SamSam Ransomware 2024-10-16
Remote Desktop Network Traffic Remote Desktop Protocol Remote Services Anomaly Active Directory Lateral Movement, Hidden Cobra Malware, Ryuk Ransomware, SamSam Ransomware 2024-10-16
SMB Traffic Spike SMB/Windows Admin Shares Remote Services Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
SMB Traffic Spike - MLTK SMB/Windows Admin Shares Remote Services Anomaly DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware, Ransomware 2024-10-17
VMWare Aria Operations Exploit Attempt Palo Alto Network Threat External Remote Services Exploit Public-Facing Application Exploitation of Remote Services Exploitation for Privilege Escalation TTP VMware Aria Operations vRealize CVE-2023-20887 2024-09-30