Analytics Story: Active Directory Lateral Movement

Date: 2021-12-09 ID: 399d65dc-1f08-499b-a259-aad9051f38ad Author: David Dorsey, Mauricio Velazco Splunk Product: Splunk Enterprise Security

Description

Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.

Why it matters

Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it's an excellent focus for detection and investigation. Indications of lateral movement in an Active Directory network can include the abuse of system utilities (such as psexec.exe), unauthorized use of remote desktop services, file/admin$ shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or "crown jewels" to a persistent threat actor. An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders. If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts. It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Active Directory Lateral Movement" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `active_directory_lateral_movement_identified_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Service Created Within Public Path Windows Service TTP
Detect PsExec With accepteula Flag SMB/Windows Admin Shares TTP
Detect Renamed PSExec Service Execution Hunting
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Impacket Lateral Movement Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Interactive Session on Remote Endpoint with PowerShell Windows Remote Management TTP
Mmc LOLBAS Execution Process Spawn Distributed Component Object Model, MMC TTP
Possible Lateral Movement PowerShell Spawn Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service TTP
PowerShell Invoke CIMMethod CIMSession Windows Management Instrumentation Anomaly
PowerShell Start or Stop Service PowerShell Anomaly
Randomly Generated Scheduled Task Name Scheduled Task Hunting
Randomly Generated Windows Service Name Windows Service Hunting
Remote Desktop Process Running On System Remote Desktop Protocol Hunting
Remote Process Instantiation via DCOM and PowerShell Distributed Component Object Model TTP
Remote Process Instantiation via DCOM and PowerShell Script Block Distributed Component Object Model TTP
Remote Process Instantiation via WinRM and PowerShell Windows Remote Management TTP
Remote Process Instantiation via WinRM and PowerShell Script Block Windows Remote Management TTP
Remote Process Instantiation via WinRM and Winrs Windows Remote Management TTP
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Remote Process Instantiation via WMI and PowerShell Windows Management Instrumentation TTP
Remote Process Instantiation via WMI and PowerShell Script Block Windows Management Instrumentation TTP
Scheduled Task Creation on Remote Endpoint using At At TTP
Scheduled Task Initiation on Remote Endpoint Scheduled Task TTP
Schtasks scheduling job on remote system Scheduled Task TTP
Services LOLBAS Execution Process Spawn Windows Service TTP
Short Lived Scheduled Task Scheduled Task TTP
Short Lived Windows Accounts Local Accounts, Local Account TTP
Svchost LOLBAS Execution Process Spawn Scheduled Task TTP
Unusual Number of Computer Service Tickets Requested Valid Accounts Hunting
Unusual Number of Remote Endpoint Authentication Events Valid Accounts Hunting
Windows Administrative Shares Accessed On Multiple Hosts Network Share Discovery TTP
Windows Enable Win32 ScheduledJob via Registry Scheduled Task Anomaly
Windows Large Number of Computer Service Tickets Requested Network Share Discovery, Valid Accounts Anomaly
Windows Local Administrator Credential Stuffing Credential Stuffing TTP
Windows PowerShell Get CIMInstance Remote Computer PowerShell Anomaly
Windows PowerShell WMI Win32 ScheduledJob PowerShell TTP
Windows Rapid Authentication On Multiple Hosts Security Account Manager TTP
Windows RDP Connection Successful RDP Hijacking Hunting
Windows Remote Create Service Windows Service Anomaly
Windows Service Create with Tscon Windows Service, RDP Hijacking TTP
Windows Service Created with Suspicious Service Name Service Execution Anomaly
Windows Service Created with Suspicious Service Path Service Execution TTP
Windows Service Creation on Remote Endpoint Windows Service TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness Anomaly
Windows Service Initiation on Remote Endpoint Windows Service TTP
Windows Special Privileged Logon On Multiple Hosts Account Discovery, SMB/Windows Admin Shares, Network Share Discovery TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
Wmiprsve LOLBAS Execution Process Spawn Windows Management Instrumentation TTP
Wsmprovhost LOLBAS Execution Process Spawn Windows Remote Management TTP
Remote Desktop Network Traffic Remote Desktop Protocol Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log RemoteConnectionManager 1149 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
Windows Event Log Security 4624 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4625 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4672 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4699 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4769 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5140 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 4720 Windows icon Windows xmlwineventlog XmlWinEventLog:System
Windows Event Log System 4726 Windows icon Windows xmlwineventlog XmlWinEventLog:System
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System
Zeek Conn N/A bro:conn:json bro:conn:json

References

Source: GitHub | Version: 3