How to Spot the Signs of Lateral Movement

AL3Z · ‎02-21-2024

Hi,
Could anyone pls guide me how we can detect an attacker moving laterally in the environment can be a challenge right, How we can write the correlation search is there any prerequisites need to be followed.

Thanks in advance

VatsalJagani · ‎02-21-2024

@AL3Z - Search for "lateral" on this website - https://research.splunk.com/ (ES Content Update App) and you will find some common use-case along with details.

I hope this helps!!!

VatsalJagani · ‎02-21-2024

@AL3Z - Sample reference query

| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| rename Processes.* as *
| eval firstTime = strftime(firstTime, "%F %T")
| eval lastTime = strftime(lastTime, "%F %T")

FYI, this is just one sample example to detect lateral movement in powershell. Lateral Movement is broad topic, so please refer to my original answer.

I hope this helps!!! Kindly upvote if it does!!!

How to Spot the Signs of Lateral Movement

correlation search

incident review

investigation

Threat Intelligence Management

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...