Try in Splunk Security Cloud

Description

Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-02-04
  • Author: David Dorsey, Splunk
  • ID: 399d65dc-1f08-499b-a259-aad9051f38ad

Narrative

Once attackers gain a foothold within an enterprise, they will seek to expand their accesses and leverage techniques that facilitate lateral movement. Attackers will often spend quite a bit of time and effort moving laterally. Because lateral movement renders an attacker the most vulnerable to detection, it’s an excellent focus for detection and investigation.
Indications of lateral movement can include the abuse of system utilities (such as psexec.exe), unauthorized use of remote desktop services, file/admin$ shares, WMI, PowerShell, pass-the-hash, or the abuse of scheduled tasks. Organizations must be extra vigilant in detecting lateral movement techniques and look for suspicious activity in and around high-value strategic network assets, such as Active Directory, which are often considered the primary target or “crown jewels” to a persistent threat actor.
An adversary can use lateral movement for multiple purposes, including remote execution of tools, pivoting to additional systems, obtaining access to specific information or files, access to additional credentials, exfiltrating data, or delivering a secondary effect. Adversaries may use legitimate credentials alongside inherent network and operating-system functionality to remotely connect to other systems and remain under the radar of network defenders.
If there is evidence of lateral movement, it is imperative for analysts to collect evidence of the associated offending hosts. For example, an attacker might leverage host A to gain access to host B. From there, the attacker may try to move laterally to host C. In this example, the analyst should gather as much information as possible from all three hosts.
It is also important to collect authentication logs for each host, to ensure that the offending accounts are well-documented. Analysts should account for all processes to ensure that the attackers did not install unauthorized software.

Detections

Name Technique Type
Detect Activity Related to Pass the Hash Attacks Use Alternate Authentication Material, Pass the Hash TTP
Detect Pass the Hash Use Alternate Authentication Material, Pass the Hash TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Kerberoasting spn request with RC4 encryption Kerberoasting, Steal or Forge Kerberos Tickets TTP
Potential Pass the Token or Hash Observed at the Destination Device Use Alternate Authentication Material, Pass the Hash TTP
Potential Pass the Token or Hash Observed by an Event Collecting Device Use Alternate Authentication Material, Pass the Hash TTP
Remote Desktop Network Traffic Remote Desktop Protocol, Remote Services Anomaly
Remote Desktop Process Running On System Remote Desktop Protocol, Remote Services Hunting
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
ServicePrincipalNames Discovery with PowerShell Kerberoasting TTP
ServicePrincipalNames Discovery with SetSPN Kerberoasting TTP

Reference

source | version: 2