How to Detect and Analyze Lateral Movement Using Windows Event Logs
Lateral movement is the phase in which an attacker who already holds a foothold uses stolen credentials or remote-execution tooling to reach other hosts. Each hop looks like an ordinary logon on the destination, so detection depends on collecting the Security log from every host (workstations and member servers, not only domain controllers) and correlating the events across systems.
1. Identify Unusual Logon Events
What to Look For:
Logon Events: Monitor for:
Event ID 4624 ("An account was successfully logged on"): written on the destination host. The fields that matter are TargetUserName, LogonType, IpAddress and WorkstationName (the source), and AuthenticationPackageName (Kerberos or NTLM).
Event ID 4648 ("A logon was attempted using explicit credentials"): written on the source host when a process supplies credentials other than those of the current session (runas, net use /user:, PsExec -u). It records the target server name, so it shows where a hop originated.
Patterns:
The same account logging on to several different machines within minutes, especially from a single source address.
Logon types produced by remote access: Type 3 (Network: SMB, WMI, WinRM) and Type 10 (RemoteInteractive: RDP). Both are common, so the signal is the account, source and timing rather than the type alone. Type 9 (NewCredentials) on a workstation is rarer and appears when credentials are injected into a new session (runas /netonly, pass-the-hash tooling).
Analysis Tip: Build a per-account baseline of destination hosts and working hours, then alert on logons to hosts outside the baseline or outside those hours.
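The following is an added example, not code from the original article: a fan-out detector that applies the two checks above to 4624 records, counting distinct destination hosts per account inside a sliding window and comparing destinations against a per-account baseline. The records, hostnames, users and baseline are constructed for the example.

```python
"""Detect one account reaching many hosts in a short window (Security 4624).

Added example, not from the original article. The records are constructed
to mimic a few fields of Event ID 4624 as exported to a SIEM: Computer is
the host that logged the event (the logon destination) and IpAddress is the
source. Hostnames, users and the baseline are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_LOGON_TYPES = {3, 10}   # 3 = Network (SMB/WMI/WinRM), 10 = RemoteInteractive (RDP)
IGNORED_ACCOUNTS = {"ANONYMOUS LOGON", "SYSTEM"}

# Hypothetical baseline: hosts each account is normally seen logging on to.
BASELINE = {"jsmith": {"WS-JSMITH"}, "svc_backup": {"FS01", "FS02"}}

EVENTS = [  # constructed sample records
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:11:05", "Computer": "WS-JSMITH",
     "TargetUserName": "jsmith", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:12:10", "Computer": "FS01",
     "TargetUserName": "jsmith", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:12:41", "Computer": "FS02",
     "TargetUserName": "jsmith", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:13:02", "Computer": "SQL01",
     "TargetUserName": "jsmith", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:14:30", "Computer": "DC01",
     "TargetUserName": "jsmith", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:00:00", "Computer": "FS01",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.9.9"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:00:05", "Computer": "FS02",
     "TargetUserName": "svc_backup", "LogonType": 3, "IpAddress": "10.0.9.9"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:05:00", "Computer": "FS01",
     "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3, "IpAddress": "10.0.9.9"},
]


def is_lateral_logon(ev):
    """Successful network/RDP logon by a human or service account."""
    user = ev["TargetUserName"]
    return (ev["EventID"] == 4624 and ev["LogonType"] in LATERAL_LOGON_TYPES
            and user not in IGNORED_ACCOUNTS and not user.endswith("$"))  # skip machine accounts


def fan_out(events, window=timedelta(minutes=10), threshold=3, work_hours=(7, 19)):
    """Sliding-window count of distinct destination hosts per account.
    Returns {user: {"first": datetime, "hosts": [...], "sources": [...],
    "off_hours": bool}} for accounts that reached >= threshold hosts inside window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if is_lateral_logon(ev):
            by_user[ev["TargetUserName"]].append(
                (datetime.fromisoformat(ev["TimeCreated"]), ev["Computer"], ev["IpAddress"]))
    hits = {}
    for user, logons in by_user.items():
        for i, (t0, _, _) in enumerate(logons):
            in_window = [(h, s) for t, h, s in logons[i:] if t - t0 <= window]
            hosts = {h for h, _ in in_window}
            if len(hosts) >= threshold:
                hits[user] = {"first": t0, "hosts": sorted(hosts),
                              "sources": sorted({s for _, s in in_window}),
                              "off_hours": not (work_hours[0] <= t0.hour < work_hours[1])}
                break
    return hits


def new_hosts(events, baseline=BASELINE):
    """Lateral logons to hosts outside each account's baseline: {user: {hosts}}."""
    out = defaultdict(set)
    for ev in events:
        if is_lateral_logon(ev) and ev["Computer"] not in baseline.get(ev["TargetUserName"], set()):
            out[ev["TargetUserName"]].add(ev["Computer"])
    return dict(out)


if __name__ == "__main__":
    for user, hit in fan_out(EVENTS).items():
        print(f"{user}: {len(hit['hosts'])} hosts from {hit['sources']} "
              f"starting {hit['first']} (off-hours={hit['off_hours']})")
    print("outside baseline:", new_hosts(EVENTS))
```

Machine accounts (names ending in $) and ANONYMOUS LOGON are excluded because they generate constant Type 3 noise; the threshold and window are starting points that need tuning against the environment's own administrators and scanners.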
2. Examine RDP Connections
What to Look For:
RDP Connection Attempts: Review Event ID 1149 ("User authentication succeeded") in the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log; it records the user, domain and source IP of each inbound RDP connection. With Network Level Authentication it is written as soon as the network-level authentication succeeds, before any session exists, so confirm the session with Event ID 4624 (LogonType 10) in the Security log and Event ID 21 (session logon) or 25 (session reconnect) in Microsoft-Windows-TerminalServices-LocalSessionManager/Operational on the same host.
Patterns:
Multiple RDP sessions initiated by the same user across different systems within a short period.
RDP connections from addresses outside the approved jump hosts or management subnets, or from outside the organisation.
Red Flags: Concurrent RDP sessions by the same account from different source addresses, 1149 entries that are never followed by a session logon (repeated NLA attempts), or RDP activity outside normal administrative hours.
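An added example (not from the original article) that applies the three RDP checks above: source addresses outside an approved range, 1149 connections with no confirming 4624 LogonType 10, and one account connecting from more than one source inside a window. The 1149 records use the event's Param1/Param2/Param3 fields (user, domain, source address); the records, hosts, users and the approved jump-host subnet are constructed for the example.

```python
"""Correlate RDP connection events (1149) with interactive logons (4624/10).

Added example, not from the original article. Records are constructed to
mimic TerminalServices-RemoteConnectionManager/Operational Event ID 1149
(Param1 = user, Param2 = domain, Param3 = source address) and Security
Event ID 4624 with LogonType 10. Hosts, users and the approved network are
hypothetical.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical policy: RDP to servers is only allowed from the jump-host subnet.
APPROVED_RDP_SOURCES = [ipaddress.ip_network("10.0.100.0/24")]

RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
SEC = "Security"

EVENTS = [  # constructed sample records
    # Normal: admin from a jump host, 1149 followed by 4624 type 10 on APP01.
    {"Channel": RCM, "EventID": 1149, "TimeCreated": "2024-03-04T10:00:00",
     "Computer": "APP01", "Param1": "adm_lee", "Param2": "CORP", "Param3": "10.0.100.5"},
    {"Channel": SEC, "EventID": 4624, "TimeCreated": "2024-03-04T10:00:04",
     "Computer": "APP01", "TargetUserName": "adm_lee", "LogonType": 10, "IpAddress": "10.0.100.5"},
    # Same account, second source outside the approved range, overlapping in time.
    {"Channel": RCM, "EventID": 1149, "TimeCreated": "2024-03-04T10:03:00",
     "Computer": "APP02", "Param1": "adm_lee", "Param2": "CORP", "Param3": "10.0.5.23"},
    {"Channel": SEC, "EventID": 4624, "TimeCreated": "2024-03-04T10:03:03",
     "Computer": "APP02", "TargetUserName": "adm_lee", "LogonType": 10, "IpAddress": "10.0.5.23"},
    # 1149 with no session logon: NLA passed but no session was established.
    {"Channel": RCM, "EventID": 1149, "TimeCreated": "2024-03-04T10:10:00",
     "Computer": "APP03", "Param1": "adm_lee", "Param2": "CORP", "Param3": "10.0.5.23"},
]


def _t(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def rdp_connections(events):
    """Normalise 1149 records to (time, host, user, source)."""
    return [(_t(e), e["Computer"], e["Param1"].lower(), e["Param3"])
            for e in events if e["EventID"] == 1149 and e["Channel"] == RCM]


def unapproved_sources(events, approved=APPROVED_RDP_SOURCES):
    """1149 connections whose source address is outside every approved network."""
    return [c for c in rdp_connections(events)
            if not any(ipaddress.ip_address(c[3]) in net for net in approved)]


def unconfirmed_connections(events, grace=timedelta(seconds=30)):
    """1149 entries with no 4624 LogonType 10 for the same user on the same host
    within `grace`. A 1149 alone shows NLA succeeded, not that a session exists."""
    logons = [(_t(e), e["Computer"], e["TargetUserName"].lower())
              for e in events if e["EventID"] == 4624 and e["LogonType"] == 10]
    out = []
    for t, host, user, src in rdp_connections(events):
        if not any(h == host and u == user and timedelta(0) <= lt - t <= grace
                   for lt, h, u in logons):
            out.append((t, host, user, src))
    return out


def concurrent_sources(events, window=timedelta(minutes=15)):
    """Accounts that opened RDP from more than one source address within window."""
    by_user = defaultdict(list)
    for t, host, user, src in rdp_connections(events):
        by_user[user].append((t, src))
    flagged = {}
    for user, conns in by_user.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            srcs = {s for t, s in conns[i:] if t - t0 <= window}
            if len(srcs) > 1:
                flagged[user] = sorted(srcs)
                break
    return flagged


if __name__ == "__main__":
    print("unapproved:", unapproved_sources(EVENTS))
    print("unconfirmed:", unconfirmed_connections(EVENTS))
    print("concurrent:", concurrent_sources(EVENTS))
```

The 1149 channel is not forwarded by default in many collection setups; if the concurrent-source check never fires, confirm that the operational log is actually being collected before trusting the result.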
3. Check for Pass-the-Hash and Pass-the-Ticket Attacks
What to Look For:
Pass-the-Hash Indicators:
Event ID 4776 ("The computer attempted to validate the credentials for an account"): NTLM credential validation, written on the domain controller for domain accounts and on the local machine for local accounts. It carries the source workstation name but no IP address. Pair it with the target's Event ID 4624, where a pass-the-hash logon appears as LogonType 3, AuthenticationPackageName NTLM and KeyLength 0; the signal is an account that normally authenticates with Kerberos suddenly using NTLM from a workstation it does not use. On the host where the hash was injected, Event ID 4624 with LogonType 9, LogonProcessName seclogo and AuthenticationPackageName Negotiate is recorded (runas /netonly produces the same record, so baseline it).
Pass-the-Ticket Indicators:
Event ID 4769 ("A Kerberos service ticket was requested"): written on the domain controller for every TGS request. A stolen and injected ticket is used without a matching TGT request, so look for 4769 entries (or Kerberos logons in 4624 on the target) for an account and client address that have no Event ID 4768 ("A Kerberos authentication ticket (TGT) was requested") from that address within the ticket lifetime; this requires collecting logs from all domain controllers. A TicketEncryptionType of 0x17 (RC4-HMAC) where the domain otherwise uses AES also points to a forged or injected ticket.
Red Flags: Authentication from endpoints where the user does not normally log in, NTLM where Kerberos is the norm, and service-ticket use without a TGT request from the same client.
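The following added example (not from the original article) implements the three indicators discussed above over constructed 4624, 4768 and 4769 records: the source-side seclogo/Negotiate logon, the target-side NTLM logon with no session key from an unbaselined address, and a service-ticket request with no preceding TGT request. Hosts, users and the baseline are assumptions made for the example; 4776 is not modelled because the target's 4624 carries the same NTLM signal plus a source address.

```python
"""Pass-the-Hash and Pass-the-Ticket indicators from Security log records.

Added example, not from the original article. Records are constructed to
mimic a few fields of Event IDs 4624, 4768 and 4769; hosts, users and the
baseline are hypothetical. Each indicator is documented logging behaviour,
but none is proof on its own:
  * source host: 4624 LogonType 9 + LogonProcessName 'seclogo' +
    AuthenticationPackageName 'Negotiate' = a new session with injected
    credentials (pass-the-hash tooling; runas /netonly looks the same).
  * target host: 4624 LogonType 3 + NTLM + KeyLength 0 from an address the
    account does not normally use (weak; depends on the baseline).
  * DC: a 4769 service-ticket request with no 4768 TGT request for the same
    user from the same client address within the ticket lifetime.
"""
from datetime import datetime, timedelta

# Hypothetical baseline: source addresses each account normally logs on from.
BASELINE_SOURCES = {"jsmith": {"10.0.5.23"}, "adm_lee": {"10.0.100.5"}}

EVENTS = [  # constructed sample records
    # WS-JSMITH: adm_lee's hash injected into a new logon session.
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:10:00", "Computer": "WS-JSMITH",
     "TargetUserName": "adm_lee", "LogonType": 9, "LogonProcessName": "seclogo",
     "AuthenticationPackageName": "Negotiate", "KeyLength": 0, "IpAddress": "::1"},
    # FS01: NTLM network logon as adm_lee from jsmith's workstation.
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:10:30", "Computer": "FS01",
     "TargetUserName": "adm_lee", "LogonType": 3, "LogonProcessName": "NtLmSsp",
     "AuthenticationPackageName": "NTLM", "KeyLength": 0, "IpAddress": "10.0.5.23"},
    # FS01: normal Kerberos logon by adm_lee from the jump host.
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:00:00", "Computer": "FS01",
     "TargetUserName": "adm_lee", "LogonType": 3, "LogonProcessName": "Kerberos",
     "AuthenticationPackageName": "Kerberos", "KeyLength": 256, "IpAddress": "10.0.100.5"},
    # DC01: TGT issued to adm_lee from the jump host, then a service ticket.
    {"EventID": 4768, "TimeCreated": "2024-03-04T08:59:50", "Computer": "DC01",
     "TargetUserName": "adm_lee", "IpAddress": "::ffff:10.0.100.5"},
    {"EventID": 4769, "TimeCreated": "2024-03-04T09:00:00", "Computer": "DC01",
     "TargetUserName": "adm_lee@CORP.LOCAL", "ServiceName": "FS01$",
     "IpAddress": "::ffff:10.0.100.5"},
    # DC01: service ticket for adm_lee from jsmith's workstation, no TGT request.
    {"EventID": 4769, "TimeCreated": "2024-03-04T02:20:00", "Computer": "DC01",
     "TargetUserName": "adm_lee@CORP.LOCAL", "ServiceName": "SQL01$",
     "IpAddress": "::ffff:10.0.5.23"},
]


def _t(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _ip(addr):
    """4768/4769 record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def injected_credential_logons(events):
    """Source-side PtH indicator: type 9 logon via seclogo/Negotiate."""
    return [(e["Computer"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 9
            and e.get("LogonProcessName") == "seclogo"
            and e.get("AuthenticationPackageName") == "Negotiate"]


def ntlm_from_unusual_source(events, baseline=BASELINE_SOURCES):
    """Target-side PtH indicator: NTLM network logon with no session key from an
    address outside the account's baseline."""
    return [(e["Computer"], e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e.get("AuthenticationPackageName") == "NTLM" and e.get("KeyLength") == 0
            and e["IpAddress"] not in baseline.get(e["TargetUserName"], set())]


def service_tickets_without_tgt(events, lookback=timedelta(hours=10)):
    """PtT indicator: 4769 with no 4768 for the same user from the same client
    address within `lookback` (default TGT lifetime). Assumes every DC's log is
    in `events`; a missing DC or a ticket renewal (4770) produces false positives."""
    tgts = [(_t(e), e["TargetUserName"].lower(), _ip(e["IpAddress"]))
            for e in events if e["EventID"] == 4768]
    out = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        user = e["TargetUserName"].split("@")[0].lower()   # 4769 uses user@REALM
        src, t = _ip(e["IpAddress"]), _t(e)
        if not any(u == user and s == src and timedelta(0) <= t - tt <= lookback
                   for tt, u, s in tgts):
            out.append((e["ServiceName"], user, src))
    return out


if __name__ == "__main__":
    print("injected:", injected_credential_logons(EVENTS))
    print("ntlm from unusual source:", ntlm_from_unusual_source(EVENTS))
    print("TGS without TGT:", service_tickets_without_tgt(EVENTS))
```

The three checks converge on the same story in the sample data: a domain-admin credential injected on a workstation, used over NTLM against one server and as an injected Kerberos ticket against another. Any one of them alone is a lead, not a verdict.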
4. Look for Suspicious Use of Administrative Tools
What to Look For:
Tools Commonly Abused for Lateral Movement: Monitor Event ID 4688 (process creation) for the execution of:
PsExec (psexec.exe / psexec64.exe with a \\host argument; on the target it also installs the PSEXESVC service, visible as Event ID 7045 in the System log).
wmic.exe with /node: (remote WMI process creation).
net.exe / net1.exe use \\host\C$ or \\host\ADMIN$ (administrative share access).
sc.exe, schtasks.exe or winrs.exe given a remote host.
PowerShell remoting (Invoke-Command, Enter-PSSession, -ComputerName); on the target the remote session runs under wsmprovhost.exe.
Prerequisite: 4688 only carries the CommandLine field when "Include command line in process creation events" is enabled alongside Audit Process Creation; without it the patterns below cannot be matched.
Execution Patterns: Administrative tools launched by non-administrative accounts, from workstations rather than jump hosts, or by a parent process (Office application, browser, script host) that should never spawn them.
Red Flags: Command lines naming a remote host (\\host, /node:, -ComputerName) or creating users, services and scheduled tasks on another system.
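An added example, not from the original article, of rule-based triage over 4688 records: each rule pairs an image name with a command-line pattern that marks remote use, so plain local use of net.exe or PowerShell is not flagged, and the result is scored by whether the launching account is in an (assumed) admin tier. The records, hosts, users and admin list are constructed; the example assumes command-line logging is enabled as described above.

```python
"""Flag lateral-movement tooling in Security 4688 (process creation) records.

Added example, not from the original article. It assumes Audit Process
Creation is enabled together with "Include command line in process creation
events", so CommandLine is populated. Records, hosts and the admin account
set are hypothetical.
"""
import re

ADMIN_ACCOUNTS = {"adm_lee"}   # hypothetical privileged tier

# (rule name, image-name regex, command-line regex that marks remote use)
RULES = [
    ("psexec", r"psexec(64)?\.exe$", r"\\\\[\w.-]+"),                      # psexec \\host ...
    ("wmic-remote", r"wmic\.exe$", r"/node:"),                             # wmic /node:host ...
    ("net-use", r"net1?\.exe$", r"\buse\b.*\\\\[\w.-]+\\([a-z]\$|admin\$|ipc\$)"),  # admin shares only
    ("winrs", r"winrs\.exe$", r"-r:"),
    ("sc-remote", r"sc\.exe$", r"\\\\[\w.-]+"),                            # sc \\host create ...
    ("schtasks-remote", r"schtasks\.exe$", r"/s\s"),
    ("powershell-remoting", r"powershell\.exe$|pwsh\.exe$",
     r"invoke-command|enter-pssession|new-pssession|-computername"),
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]

EVENTS = [  # constructed sample records
    {"EventID": 4688, "Computer": "WS-JSMITH", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Users\jsmith\Downloads\PsExec64.exe",
     "CommandLine": r"PsExec64.exe \\FS01 -s cmd.exe /c whoami",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS-JSMITH", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:"SQL01" process call create "cmd.exe /c net user x x /add"',
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "JUMP01", "SubjectUserName": "adm_lee",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile Invoke-Command -ComputerName APP01 -FilePath .\patch.ps1",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "Computer": "WS-JSMITH", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\FS01\C$ /user:CORP\adm_lee",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS-JSMITH", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use H: \\FS01\home /persistent:yes",   # ordinary drive mapping
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688, "Computer": "WS-JSMITH", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net view",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]


def match_rules(ev):
    """Names of rules whose image and command-line patterns both match."""
    image = ev["NewProcessName"].rsplit("\\", 1)[-1]
    cmd = ev.get("CommandLine", "")
    return [n for n, img_re, cmd_re in COMPILED if img_re.search(image) and cmd_re.search(cmd)]


def score(ev, admins=ADMIN_ACCOUNTS):
    """'high' for remote-execution tooling from a non-admin account, 'medium'
    from an admin account (still worth a look), None when no rule matches."""
    if not match_rules(ev):
        return None
    return "high" if ev["SubjectUserName"].lower() not in admins else "medium"


def triage(events):
    """[(host, user, matched rules, severity)] for every matching 4688 record."""
    out = []
    for ev in events:
        if ev["EventID"] != 4688:
            continue
        sev = score(ev)
        if sev:
            out.append((ev["Computer"], ev["SubjectUserName"], match_rules(ev), sev))
    return out


if __name__ == "__main__":
    for host, user, rules, sev in triage(EVENTS):
        print(f"[{sev}] {host} {user}: {', '.join(rules)}")
```

Keying the net.exe rule on administrative shares (C$, ADMIN$, IPC$) rather than on any UNC path is what keeps the ordinary home-drive mapping in the sample quiet; the same approach (image plus a remote-targeting argument) extends to other tools without reviewing every process start.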
5. Correlate with Network Traffic
What to Do:
Analyze Network Logs: Correlate event logs with network traffic (NetFlow, Zeek conn logs, firewall logs) to identify unauthorized connections. The source IpAddress in a 4624 on the destination host is the join key. Protocols to watch:
SMB (Server Message Block, TCP 445).
RDP (Remote Desktop Protocol, TCP 3389).
RPC (Remote Procedure Call, TCP 135 plus dynamic ports) and WinRM (TCP 5985/5986).
Unusual Connections: Look for systems communicating with each other outside normal workflows or at unexpected times.
Benefit: Combining event logs with network traffic provides a more complete picture of potential lateral movement.
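An added example, not from the original article, of the correlation described in this section: each flow on a lateral-movement port is joined to the 4624 records on the destination host from the same source within a time window, and the (source, destination) pair is checked against a list of expected workflows. Flows, logons, the address inventory and the allowed-peer list are all constructed for the example.

```python
"""Join network flow records with Security 4624 logons on the destination host.

Added example, not from the original article. Flow records are constructed
in the shape of a Zeek conn.log / NetFlow export reduced to a few fields;
the host inventory and the allowed peer list are hypothetical.
"""
from datetime import datetime, timedelta

LATERAL_PORTS = {445: "SMB", 3389: "RDP", 135: "RPC", 5985: "WinRM"}

# Hypothetical inventory: address -> hostname, and which peers may talk.
INVENTORY = {"10.0.5.23": "WS-JSMITH", "10.0.100.5": "JUMP01",
             "10.0.20.10": "FS01", "10.0.20.11": "SQL01"}
ALLOWED_PEERS = {("JUMP01", "FS01"), ("JUMP01", "SQL01"), ("WS-JSMITH", "FS01")}

FLOWS = [  # constructed sample flow records
    {"ts": "2024-03-04T09:00:01", "src": "10.0.100.5", "dst": "10.0.20.10", "dport": 3389},
    {"ts": "2024-03-04T02:12:08", "src": "10.0.5.23", "dst": "10.0.20.10", "dport": 445},
    {"ts": "2024-03-04T02:13:00", "src": "10.0.5.23", "dst": "10.0.20.11", "dport": 445},
    {"ts": "2024-03-04T02:13:20", "src": "10.0.5.23", "dst": "10.0.20.11", "dport": 135},
    {"ts": "2024-03-04T02:15:00", "src": "10.0.5.23", "dst": "10.0.20.11", "dport": 443},
    {"ts": "2024-03-04T02:30:00", "src": "10.0.5.23", "dst": "10.0.20.10", "dport": 445},
]

LOGONS = [  # constructed sample 4624 records from the destination hosts
    {"EventID": 4624, "TimeCreated": "2024-03-04T09:00:04", "Computer": "FS01",
     "TargetUserName": "adm_lee", "LogonType": 10, "IpAddress": "10.0.100.5"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:12:10", "Computer": "FS01",
     "TargetUserName": "jsmith", "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2024-03-04T02:13:02", "Computer": "SQL01",
     "TargetUserName": "adm_lee", "LogonType": 3, "IpAddress": "10.0.5.23"},
]


def _t(s):
    return datetime.fromisoformat(s)


def correlate(flows, logons, window=timedelta(seconds=30), inventory=INVENTORY,
              allowed=ALLOWED_PEERS):
    """For every flow on a lateral-movement port, attach the users from 4624
    records on the destination host that came from the same source within
    +/- window, and whether the (src, dst) pair is an expected workflow."""
    out = []
    for f in flows:
        if f["dport"] not in LATERAL_PORTS:
            continue
        src_host = inventory.get(f["src"], f["src"])
        dst_host = inventory.get(f["dst"], f["dst"])
        ft = _t(f["ts"])
        users = [lg["TargetUserName"] for lg in logons
                 if lg["EventID"] == 4624 and lg["Computer"] == dst_host
                 and lg["IpAddress"] == f["src"]
                 and abs(_t(lg["TimeCreated"]) - ft) <= window]
        out.append({"src": src_host, "dst": dst_host, "proto": LATERAL_PORTS[f["dport"]],
                    "users": users, "expected": (src_host, dst_host) in allowed})
    return out


def suspicious(results):
    """Unexpected peer pairs, or lateral-port flows with no logon on the
    destination (failed authentication, relay, or a host not forwarding logs)."""
    return [r for r in results if not r["expected"] or not r["users"]]


if __name__ == "__main__":
    for r in suspicious(correlate(FLOWS, LOGONS)):
        print(f"{r['src']} -> {r['dst']} {r['proto']} users={r['users']} expected={r['expected']}")
```

In the sample, the SMB and RPC flows to SQL01 are flagged for an unexpected peer pair even though a logon matched, and the last SMB flow to FS01 is flagged because nothing was logged on FS01 for it; the two findings need different follow-up (who used adm_lee from a workstation, versus whether FS01 stopped forwarding or the attempt failed, which a 4625 would show).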
6. Detect Unauthorized Privilege Escalation
What to Look For:
Privilege Escalation Indicators:
Event ID 4672 ("Special privileges assigned to new logon"): written at logon time for any account that holds administrator-equivalent privileges (SeDebugPrivilege, SeBackupPrivilege, SeTcbPrivilege and similar). It is not itself an escalation; the signal is a 4672 for an account that should not be privileged, or on a host where that account is not expected to be an administrator. The event has no source address: join its SubjectLogonId to the TargetLogonId of the preceding 4624 to recover the logon type and source.
Event ID 4697 ("A service was installed in the system"): requires the Audit Security System Extension subcategory; Event ID 7045 in the System log records the same installs by default. Both are produced by PsExec-style remote execution as well as by persistence.
Suspicious Patterns: Privileged logons by accounts that do not typically hold those rights, and services whose binary lives in a user-writable directory, is a command interpreter (cmd.exe, powershell.exe) or is loaded from a UNC path.
Red Flags: Unexpected privilege escalations followed by increased access to sensitive systems.
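The following added example (not from the original article) applies this section's checks to constructed records: 4672 entries for accounts outside an assumed privileged tier are joined to their 4624 through the logon ID to recover logon type and source, and 4697/7045 service installs are screened by service name and binary path. Hosts, users, the privileged-account list and the records are all hypothetical.

```python
"""Privileged logons (4672) and service installs (4697/7045) worth reviewing.

Added example, not from the original article. Records are constructed to
mimic a few fields of Security 4624/4672/4697 and System 7045; the
privileged-account list, hosts and users are hypothetical. 4672 carries no
source address, so it is joined to its 4624 through the logon ID
(4672 SubjectLogonId == 4624 TargetLogonId).
"""
import re

PRIVILEGED_ACCOUNTS = {"adm_lee"}   # hypothetical admin tier
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                   "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
                   "SeImpersonatePrivilege"}
SUSPICIOUS_IMAGE = re.compile(
    r"(\\users\\|\\temp\\|\\programdata\\|\\perflogs\\|\\windows\\tasks\\)"  # user-writable paths
    r"|(cmd\.exe|powershell\.exe|rundll32\.exe|regsvr32\.exe)"              # interpreter as service
    r"|\\\\[\w.-]+\\",                                                      # UNC path
    re.I)

EVENTS = [  # constructed sample records
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "jsmith", "TargetLogonId": "0x3E7A21",
     "LogonType": 3, "IpAddress": "10.0.5.23"},
    {"EventID": 4672, "Computer": "FS01", "SubjectUserName": "jsmith", "SubjectLogonId": "0x3E7A21",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeDebugPrivilege"},
    {"EventID": 4624, "Computer": "FS01", "TargetUserName": "adm_lee", "TargetLogonId": "0x3F0001",
     "LogonType": 10, "IpAddress": "10.0.100.5"},
    {"EventID": 4672, "Computer": "FS01", "SubjectUserName": "adm_lee", "SubjectLogonId": "0x3F0001",
     "PrivilegeList": "SeSecurityPrivilege\n\t\t\tSeDebugPrivilege"},
    {"EventID": 4697, "Computer": "FS01", "SubjectUserName": "jsmith", "ServiceName": "PSEXESVC",
     "ServiceFileName": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "SQL01", "ServiceName": "WinUpdateSvc",
     "ImagePath": r"C:\Users\Public\update.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "SQL01", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "AccountName": "LocalSystem"},
]


def privileged_logons(events, privileged=PRIVILEGED_ACCOUNTS):
    """4672 records for accounts outside the privileged tier, enriched with the
    logon type and source address of the matching 4624 on the same host."""
    logons = {(e["Computer"], e["TargetLogonId"]): e for e in events if e["EventID"] == 4624}
    out = []
    for e in events:
        if e["EventID"] != 4672 or e["SubjectUserName"].lower() in privileged:
            continue
        privs = set(e["PrivilegeList"].split())          # newline/tab separated in the event
        src = logons.get((e["Computer"], e["SubjectLogonId"]), {})
        out.append({"host": e["Computer"], "user": e["SubjectUserName"],
                    "sensitive": sorted(privs & SENSITIVE_PRIVS),
                    "logon_type": src.get("LogonType"), "source": src.get("IpAddress")})
    return out


def suspicious_services(events):
    """4697/7045 records whose name is PsExec's service or whose image path is
    user-writable, an interpreter, or a UNC path."""
    out = []
    for e in events:
        if e["EventID"] not in (4697, 7045):
            continue
        image = e.get("ServiceFileName") or e.get("ImagePath", "")
        if e["ServiceName"].upper() == "PSEXESVC" or SUSPICIOUS_IMAGE.search(image):
            out.append((e["Computer"], e["ServiceName"], image))
    return out


if __name__ == "__main__":
    for p in privileged_logons(EVENTS):
        print(f"{p['host']}: {p['user']} via type {p['logon_type']} from {p['source']} "
              f"holds {p['sensitive']}")
    for host, name, image in suspicious_services(EVENTS):
        print(f"{host}: service {name} -> {image}")
```

The join on logon ID is the part worth copying: a 4672 for jsmith on a file server says little on its own, but the same record tied to a Type 3 logon from a workstation says which host to pull next.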
7. Containment and Investigation
Immediate Steps:
Isolate Systems: Cut compromised systems off from the network (switch port, host firewall or EDR isolation) rather than powering them off, so that volatile evidence such as memory and the local event logs survives.
Credential Rotation: Reset every account seen in the lateral-movement chain, including service accounts. If domain administrator credentials were exposed, also reset the krbtgt account twice (allowing replication between the two resets) so that stolen or forged Kerberos tickets stop validating.
Map the Attack Path: Use collected logs to trace the attacker’s movement and identify all affected systems.
Post-Incident Actions:
Conduct Forensic Analysis: Determine how the attacker moved laterally and identify any persistence mechanisms.
Enhance Monitoring: Deploy or refine detection rules in SIEM systems to flag similar activity in the future.
Harden Systems: Limit access to administrative tools and enforce least-privilege principles.
Conclusion
Detecting lateral movement requires monitoring for unusual logon patterns, abnormal tool usage, and unauthorized network connections. By analyzing Windows Event Logs and correlating data across systems, security teams can identify and respond to lateral movement before it results in further compromise.