Try in Splunk Security Cloud
Description
Detect and investigate tactics, techniques, and procedures around how attackers move laterally within an Active Directory environment. Since lateral movement is often a necessary step in a breach, it is important for cyber defenders to deploy detection coverage.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic, Risk
- Last Updated: 2021-12-09
- Author: David Dorsey, Mauricio Velazco Splunk
- ID: 399d65dc-1f08-499b-a259-aad9051f38ad
Narrative
Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it’s an excellent focus for detection and investigation.
Indications of lateral movement in an Active Directory network can include the abuse of system utilities (such as psexec.exe), unauthorized use of remote desktop services, file/admin$ shares, WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or “crown jewels” to a persistent threat actor.
An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.
If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.
It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.
Detections
| Name |
Technique |
Type |
| Active Directory Lateral Movement Identified |
Exploitation of Remote Services |
Correlation |
| Detect Activity Related to Pass the Hash Attacks |
Use Alternate Authentication Material, Pass the Hash |
Hunting |
| Detect PsExec With accepteula Flag |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Detect Renamed PSExec |
System Services, Service Execution |
Hunting |
| Executable File Written in Administrative SMB Share |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Interactive Session on Remote Endpoint with PowerShell |
Remote Services, Windows Remote Management |
TTP |
| Mmc LOLBAS Execution Process Spawn |
Remote Services, Distributed Component Object Model, MMC |
TTP |
| Possible Lateral Movement PowerShell Spawn |
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC |
TTP |
| PowerShell Invoke CIMMethod CIMSession |
Windows Management Instrumentation |
Anomaly |
| PowerShell Start or Stop Service |
PowerShell |
Anomaly |
| Randomly Generated Scheduled Task Name |
Scheduled Task/Job, Scheduled Task |
Hunting |
| Randomly Generated Windows Service Name |
Create or Modify System Process, Windows Service |
Hunting |
| Remote Desktop Network Traffic |
Remote Desktop Protocol, Remote Services |
Anomaly |
| Remote Desktop Process Running On System |
Remote Desktop Protocol, Remote Services |
Hunting |
| Remote Process Instantiation via DCOM and PowerShell |
Remote Services, Distributed Component Object Model |
TTP |
| Remote Process Instantiation via DCOM and PowerShell Script Block |
Remote Services, Distributed Component Object Model |
TTP |
| Remote Process Instantiation via WMI |
Windows Management Instrumentation |
TTP |
| Remote Process Instantiation via WMI and PowerShell |
Windows Management Instrumentation |
TTP |
| Remote Process Instantiation via WMI and PowerShell Script Block |
Windows Management Instrumentation |
TTP |
| Remote Process Instantiation via WinRM and PowerShell |
Remote Services, Windows Remote Management |
TTP |
| Remote Process Instantiation via WinRM and PowerShell Script Block |
Remote Services, Windows Remote Management |
TTP |
| Remote Process Instantiation via WinRM and Winrs |
Remote Services, Windows Remote Management |
TTP |
| Scheduled Task Creation on Remote Endpoint using At |
Scheduled Task/Job, At |
TTP |
| Scheduled Task Initiation on Remote Endpoint |
Scheduled Task/Job, Scheduled Task |
TTP |
| Schtasks scheduling job on remote system |
Scheduled Task, Scheduled Task/Job |
TTP |
| Services LOLBAS Execution Process Spawn |
Create or Modify System Process, Windows Service |
TTP |
| Short Lived Scheduled Task |
Scheduled Task |
TTP |
| Svchost LOLBAS Execution Process Spawn |
Scheduled Task/Job, Scheduled Task |
TTP |
| Unusual Number of Computer Service Tickets Requested |
Valid Accounts |
Hunting |
| Unusual Number of Remote Endpoint Authentication Events |
Valid Accounts |
Hunting |
| WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
| Windows Administrative Shares Accessed On Multiple Hosts |
Network Share Discovery |
TTP |
| Windows Enable Win32 ScheduledJob via Registry |
Scheduled Task |
Anomaly |
| Windows Large Number of Computer Service Tickets Requested |
Network Share Discovery, Valid Accounts |
Anomaly |
| Windows Local Administrator Credential Stuffing |
Brute Force, Credential Stuffing |
TTP |
| Windows PowerShell Get CIMInstance Remote Computer |
PowerShell |
Anomaly |
| Windows PowerShell WMI Win32 ScheduledJob |
PowerShell, Command and Scripting Interpreter |
TTP |
| Windows RDP Connection Successful |
RDP Hijacking |
Hunting |
| Windows Rapid Authentication On Multiple Hosts |
Security Account Manager |
TTP |
| Windows Remote Create Service |
Create or Modify System Process, Windows Service |
Anomaly |
| Windows Service Create with Tscon |
RDP Hijacking, Remote Service Session Hijacking, Windows Service |
TTP |
| Windows Service Created Within Public Path |
Create or Modify System Process, Windows Service |
TTP |
| Windows Service Created with Suspicious Service Path |
System Services, Service Execution |
TTP |
| Windows Service Creation Using Registry Entry |
Services Registry Permissions Weakness |
TTP |
| Windows Service Creation on Remote Endpoint |
Create or Modify System Process, Windows Service |
TTP |
| Windows Service Initiation on Remote Endpoint |
Create or Modify System Process, Windows Service |
TTP |
| Windows Special Privileged Logon On Multiple Hosts |
Account Discovery, SMB/Windows Admin Shares, Network Share Discovery |
TTP |
| Wmiprsve LOLBAS Execution Process Spawn |
Windows Management Instrumentation |
TTP |
| Wsmprovhost LOLBAS Execution Process Spawn |
Remote Services, Windows Remote Management |
TTP |
Reference
source | version: 3