forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
active_directory_lateral_movement.yml
53 lines (49 loc) · 2.83 KB
/
active_directory_lateral_movement.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
name: Active Directory Lateral Movement
id: 399d65dc-1f08-499b-a259-aad9051f38ad
version: 3
date: '2021-12-09'
author: David Dorsey, Mauricio Velazco Splunk
description: Detect and investigate tactics, techniques, and procedures around how
attackers move laterally within an Active Directory environment. Since lateral movement
is often a necessary step in a breach, it is important for cyber defenders to deploy
detection coverage.
narrative: "Once attackers gain a foothold within an enterprise, they will seek to
expand their accesses and leverage techniques that facilitate lateral movement.
Attackers will often spend quite a bit of time and effort moving laterally. Because
lateral movement renders an attacker the most vulnerable to detection, it's an
excellent focus for detection and investigation.
Indications of lateral movement
in an Active Directory network can include the abuse of system utilities (such
as `psexec.exe`), unauthorized use of remote desktop services, `file/admin$` shares,
WMI, PowerShell, Service Control Manager, the DCOM protocol, WinRM or the abuse
of scheduled tasks. Organizations must be extra vigilant in detecting lateral
movement techniques and look for suspicious activity in and around high-value
strategic network assets, such as Active Directory, which are often considered
the primary target or \"crown jewels\" to a persistent threat actor.
An adversary
can use lateral movement for multiple purposes, including remote execution of
tools, pivoting to additional systems, obtaining access to specific information
or files, access to additional credentials, exfiltrating data, or delivering a
secondary effect. Adversaries may use legitimate credentials alongside inherent
network and operating-system functionality to remotely connect to other systems
and remain under the radar of network defenders.
If there is evidence of lateral
movement, it is imperative for analysts to collect evidence of the associated
offending hosts. For example, an attacker might leverage host A to gain access
to host B. From there, the attacker may try to move laterally to host C. In this
example, the analyst should gather as much information as possible from all three
hosts.
It is also important to collect authentication logs for each host,
to ensure that the offending accounts are well-documented. Analysts should account
for all processes to ensure that the attackers did not install unauthorized software."
references:
- https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html
- http://www.irongeek.com/i.php?page=videos/derbycon7/t405-hunting-lateral-movement-for-fun-and-profit-mauricio-velazco
tags:
category:
- Adversary Tactics
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection