Hi,
Could anyone please guide me on how we can detect an attacker moving laterally in the environment? It can be a challenge, right? How can we write the correlation search, and are there any prerequisites that need to be followed?
Thanks in advance
@AL3Z - Search for "lateral" on this website - https://research.splunk.com/ (ES Content Update App) and you will find some common use-case along with details.
I hope this helps!!!
@AL3Z - Sample reference query
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| rename Processes.* as *
| eval firstTime = strftime(firstTime, "%F %T")
| eval lastTime = strftime(lastTime, "%F %T")
FYI, this is just one sample example to detect lateral movement via PowerShell. Lateral movement is a broad topic, so please refer to my original answer.
I hope this helps!!! Kindly upvote if it does!!!
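To show what the sample query above actually matches, here is the same parent/child logic and the tstats-style grouping (count, firstTime, lastTime per dest/user/parent/process) re-implemented in Python over constructed endpoint process events. This is an added illustration, not code from the answer or from the ES Content Update app; the event field names and sample values are assumptions chosen to mirror the Endpoint.Processes fields used in the query.

```python
from datetime import datetime, timezone

# Parent processes that commonly host remote execution (WMI, service control,
# WinRM, MMC), mirroring the parent_process_name list in the SPL query.
REMOTE_PARENTS = {"wmiprvse.exe", "services.exe", "svchost.exe", "wsmprovhost.exe", "mmc.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

def is_suspicious(evt):
    """True when a remote-execution parent spawns PowerShell directly, or via
    cmd.exe whose command line invokes powershell.exe/pwsh.exe (the
    Processes.process=*powershell.exe* branch of the query)."""
    if evt["parent_process_name"].lower() not in REMOTE_PARENTS:
        return False
    name = evt["process_name"].lower()
    if name in SHELLS:
        return True
    return name == "cmd.exe" and any(s in evt["process"].lower() for s in SHELLS)

def correlate(events):
    """Group matching events like the tstats 'by' clause and compute
    count / firstTime / lastTime per group (times as epoch seconds)."""
    groups = {}
    for evt in events:
        if not is_suspicious(evt):
            continue
        key = (evt["dest"], evt["user"], evt["parent_process_name"],
               evt["process_name"], evt["process"])
        g = groups.setdefault(key, {"count": 0, "firstTime": evt["_time"], "lastTime": evt["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], evt["_time"])
        g["lastTime"] = max(g["lastTime"], evt["_time"])
    return groups

def format_time(ts):
    """Equivalent of the query's strftime(..., "%F %T") eval, in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

# Constructed sample events (not real telemetry). Only the first three should match.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "dest": "host1", "user": "CORP\\alice", "parent_process_name": "wsmprovhost.exe",
     "process_name": "powershell.exe", "process": "powershell.exe -NoProfile -Command Get-Process"},
    {"_time": 1700000060, "dest": "host1", "user": "CORP\\alice", "parent_process_name": "wsmprovhost.exe",
     "process_name": "powershell.exe", "process": "powershell.exe -NoProfile -Command Get-Process"},
    {"_time": 1700000120, "dest": "host2", "user": "SYSTEM", "parent_process_name": "services.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c pwsh.exe -Command Get-Service"},
    {"_time": 1700000180, "dest": "host3", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "powershell.exe", "process": "powershell.exe"},  # interactive user, not matched
    {"_time": 1700000240, "dest": "host2", "user": "SYSTEM", "parent_process_name": "svchost.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c ipconfig"},  # cmd.exe without a shell, not matched
]

if __name__ == "__main__":
    for key, g in correlate(SAMPLE_EVENTS).items():
        print(key, g["count"], format_time(g["firstTime"]), format_time(g["lastTime"]))
```

Note that, as in the query, a parent such as svchost.exe is noisy on its own; in production you would tune by user, dest and command line before alerting.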