Detecting lateral movement

E Double U Member Posts: 1,903
I'm hoping someone here can provide some tips on detecting lateral movement (specifically to domain controllers).

I want to build some Sourcefire and/or QRadar rules related to the following:

PS-Exec
WMI
DCOM
WinRM
RDP
Remote scheduled tasks
Remote registry

I've been browsing the web and haven't quite found what I am looking for, so I'm hoping some board members can recommend some good resources.

Thanks in advance!
Alphabet soup from (ISC)2, ISACA, GIAC, EC-Council, Microsoft, ITIL, Cisco, Scrum, and more.

2021 goals: AZ-303, AZ-304, maybe TOGAF and more ISACA

"You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
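Since none of the replies below supplies actual rules, here is an added example (not from the thread or any poster) of what detection logic for the list above looks like when run over log records: one rule per technique, scored only on domain controller hosts. The event records, their field names (host, src_ip, parent_image, service_name, etc.) and the DC host list are constructed assumptions; map them onto your own SIEM's schema.

```python
"""Added example, not from the thread: minimal lateral-movement detection logic run over
constructed Windows event records, one rule per technique the OP listed. Field names,
sample events and the DC host list are assumptions; map them onto your SIEM's schema."""

DC_HOSTS = {"DC01"}  # constructed: hosts treated as domain controllers

def _parent(e):
    return e.get("parent_image", "").lower()

# (technique, predicate). Event IDs: 7045 service installed, 4688 process created,
# 4624 logon (type 10 = RemoteInteractive/RDP), 4698 scheduled task created,
# 7036 service state change.
RULES = [
    ("PsExec", lambda e: e["event_id"] == 7045
     and e.get("service_name", "").upper().startswith("PSEXESVC")),
    ("WMI", lambda e: e["event_id"] == 4688 and _parent(e).endswith("wmiprvse.exe")),
    ("DCOM", lambda e: e["event_id"] == 4688 and _parent(e).endswith("svchost.exe")
     and e.get("image", "").lower().endswith("mmc.exe")),
    ("WinRM", lambda e: e["event_id"] == 4688 and _parent(e).endswith("wsmprovhost.exe")),
    ("RDP", lambda e: e["event_id"] == 4624 and e.get("logon_type") == 10),
    ("Remote scheduled task", lambda e: e["event_id"] == 4698),
    ("Remote registry", lambda e: e["event_id"] == 7036
     and e.get("service_name", "").lower() == "remoteregistry"
     and e.get("state") == "running"),
]

def detect(events, dc_hosts=DC_HOSTS):
    """Return (technique, host, src_ip) hits; only DC-host events count (movement TO DCs)."""
    hits = []
    for e in events:
        if e.get("host") not in dc_hosts:
            continue
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e["host"], e.get("src_ip", "?")))
    return hits

SAMPLE_EVENTS = [  # constructed records, not real log data
    {"event_id": 7045, "host": "DC01", "src_ip": "10.0.0.5", "service_name": "PSEXESVC"},
    {"event_id": 4688, "host": "DC01", "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": "cmd.exe"},
    {"event_id": 4624, "host": "DC01", "logon_type": 10, "src_ip": "10.0.0.7"},
    {"event_id": 4698, "host": "DC01", "src_ip": "10.0.0.5", "task_name": r"\Updater"},
    {"event_id": 4624, "host": "WS01", "logon_type": 10, "src_ip": "10.0.0.7"},  # not a DC
    {"event_id": 4688, "host": "DC01", "parent_image": "explorer.exe", "image": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The rules deliberately key on the service name, parent process and logon type rather than on payload content, which is the part of this that survives renamed tools; si20's point below about feeding them good telemetry still applies.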

Comments

  • UnixGuy (Are we having fun yet?) Mod Posts: 4,311
    Evidence of execution of those services via Splunk or any SIEM you use? Or are you looking for the actual rules?
    Certs: GPEN, GCFA, CISM, CRISC, RHCE
    In Progress: MBA
  • Iristheangel CCIEx2 (Sec + DC), CCNP RS, CCNA V/S/R/DC, CISSP, CEH, MCSE 2003, A+/L+/N+/S+, and a lot more, from Pasadena, CA, Mod Posts: 4,133
    I would also probably include some Netflow/sFlow/whatever probes in there as well to detect the actual network traffic that doesn't pass through the IPS if possible.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • [Deleted User] Posts: 0
    For PsExec-based attacks, I think Microsoft released a patch for it. I think it was more towards PTH attacks but maybe it blocks PsExec also?

    https://www.microsoft.com/en-us/download/details.aspx?id=36036&751be11f-ede8-5a0c-058c-2ee190a24fa6=True&e6b34bbe-475b-1abd-2c51-b5034bcdd6d2=True

    Other than that, this is outside the scope of what I know. Best of luck!
  • E Double U Member Posts: 1,903
    Thanks for the responses!

    @UnixGuy - I am looking for actual rules.
  • si20 Member Posts: 536
    Good luck finding any rules... When I was a senior sec analyst, I was working with a couple of guys who were supposed to help me create lateral movement rules - turns out that half the team didn't know what lateral movement was, half the team didn't have any security certs, all of the team had never done any pen-testing and didn't know what an attack looked like... so they hired a 3rd party contractor to come in and write the rules. The guy wrote the rules, charged $$$$$ and then left, presumably laughing all the way to the bank.

    When we figured out there was no documentation, the manager sent the team on $5,000 SANS courses. Half the team failed. Those who passed left the company. You see where this is going: it never happened.

    So in the end, I implemented what you're talking about, e.g. scheduled tasks etc., looking for PS-Exec traces, and ultimately found absolutely nothing. Sorry to be the bearer of bad news, but the only people who legitimately can create rules like that are contractors who go from company to company charging big bucks for it. And then you've got to ask yourself, even if you get the rules, are they actually going to detect anything? A ruleset is only as good as the traffic fed into it, and most places I've worked at were feeding junk into junk rules and expecting to find 0-days.
  • E Double U Member Posts: 1,903
    Thanks si20!