How to Detect and Investigate Lateral Movement

Lateral movement occurs when attackers navigate through a network to gain access to additional systems or sensitive data. Detecting such activity requires monitoring specific logs for patterns and correlating network and endpoint events.


1. Monitor for Unusual SMB Traffic

What to Look For:

  • File Share Access Logs:

    • Event ID 5140: Logs that a network share object was accessed by a client.

    • Event ID 5145: Logs the check of whether a client may be granted the requested access to a network share object; it is recorded per file or folder touched, so it is the more granular of the two.

  • Behavioral Patterns:

    • Unexpected SMB traffic between endpoints or to administrative shares (e.g., C$, ADMIN$).

    • Multiple access attempts or large-scale data access operations.

Red Flags: Unusual or unauthorized SMB traffic between systems not typically interacting via SMB.


2. Review RDP Connection Logs

What to Look For:

  • RDP Logon Events:

    • Event ID 4624: Logs successful logons. Focus on:

      • Logon Type 10: RemoteInteractive, i.e. Remote Desktop Protocol (RDP) sessions. The event is written on the target host; the IpAddress field holds the source of the connection.

  • Unusual RDP Sessions:

    • RDP connections between machines that don’t normally communicate using RDP.

    • Sessions initiated by accounts not typically associated with administrative tasks.

Red Flags: RDP activity involving high-value accounts or systems not normally accessed.
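The SMB (section 1) and RDP (section 2) checks above both reduce to the same question: is this client/server pair, share or account outside the baseline of what normally talks to what? The following is an added example, not code from the original article, that applies both checks to a handful of constructed Security-log records. Assumptions: the collector has normalised the account field of 5140/5145 (SubjectUserName) and 4624 (TargetUserName) onto a single "User" key, the baselines EXPECTED_SMB, EXPECTED_RDP and ADMIN_ACCOUNTS are hand-written here but would come from observed traffic or an asset inventory in practice, and the event records are constructed, not real logs.

```python
import re
from collections import Counter, defaultdict

# Constructed baselines (assumption): which client IP is expected to reach
# which server over SMB / RDP, and which accounts are administrators.
EXPECTED_SMB = {("10.0.1.20", "FS01")}
EXPECTED_RDP = {("10.0.9.5", "SRV-DB01")}
ADMIN_ACCOUNTS = {"adm-bob"}

# Administrative shares: ADMIN$ and the drive-letter shares (C$, D$, ...).
ADMIN_SHARE_RE = re.compile(r"^(ADMIN\$|[A-Z]\$)$", re.IGNORECASE)


def ev(event_id, computer, ip, user, **extra):
    # Minimal normalised record. Assumption: the collector has mapped
    # SubjectUserName (5140/5145) and TargetUserName (4624) onto "User".
    rec = {"EventID": event_id, "Computer": computer, "IpAddress": ip, "User": user}
    rec.update(extra)
    return rec


# Constructed sample events, not real logs. Computer is the host that wrote
# the event (the SMB server / RDP target); IpAddress is the client.
SAMPLE_EVENTS = [
    # expected: a finance workstation reading a departmental share on FS01
    ev(5140, "FS01", "10.0.1.20", "alice", ShareName=r"\\*\Finance"),
    # one client touching administrative shares on three hosts it never used before
    ev(5145, "FS01", "10.0.1.77", "svc-backup", ShareName=r"\\*\ADMIN$"),
    ev(5145, "WS12", "10.0.1.77", "svc-backup", ShareName=r"\\*\C$"),
    ev(5145, "WS12", "10.0.1.77", "svc-backup", ShareName=r"\\*\C$"),
    ev(5145, "WS13", "10.0.1.77", "svc-backup", ShareName=r"\\*\C$"),
    # expected: an administrator RDPs from the jump host to the database server
    ev(4624, "SRV-DB01", "10.0.9.5", "adm-bob", LogonType=10),
    # a network logon (type 3) is not an RDP session and is ignored by rdp_alerts
    ev(4624, "WS13", "10.0.1.77", "svc-backup", LogonType=3),
    # suspicious: RDP to the database server from a workstation, non-admin account
    ev(4624, "SRV-DB01", "10.0.1.77", "alice", LogonType=10),
]


def share_basename(share_name):
    # 5140/5145 record the share as \\*\C$ ; keep only the final component
    return share_name.rsplit("\\", 1)[-1]


def is_admin_share(share_name):
    return ADMIN_SHARE_RE.match(share_basename(share_name)) is not None


def smb_alerts(events, expected_pairs, fanout_threshold=3):
    """Admin-share access from client/server pairs outside the baseline, plus
    one fan-out alert when a single client reaches admin shares on
    fanout_threshold or more distinct servers."""
    grouped = Counter()
    targets_per_source = defaultdict(set)
    for e in events:
        if e["EventID"] not in (5140, 5145) or not is_admin_share(e["ShareName"]):
            continue
        pair = (e["IpAddress"], e["Computer"])
        if pair in expected_pairs:
            continue
        grouped[(pair, share_basename(e["ShareName"]), e["User"])] += 1
        targets_per_source[e["IpAddress"]].add(e["Computer"])
    alerts = [
        {"type": "admin_share_unexpected_pair", "source": src, "target": dst,
         "share": share, "user": user, "count": n}
        for ((src, dst), share, user), n in grouped.items()
    ]
    for src, targets in targets_per_source.items():
        if len(targets) >= fanout_threshold:
            alerts.append({"type": "admin_share_fanout", "source": src,
                           "targets": sorted(targets)})
    return alerts


def rdp_alerts(events, expected_pairs, admin_accounts):
    """4624 with LogonType 10 (RemoteInteractive) from an unexpected source
    or with an account that is not on the administrator list."""
    alerts = []
    for e in events:
        if e["EventID"] != 4624 or e.get("LogonType") != 10:
            continue
        reasons = []
        if (e["IpAddress"], e["Computer"]) not in expected_pairs:
            reasons.append("unexpected_source_for_rdp")
        if e["User"].lower() not in admin_accounts:
            reasons.append("non_admin_account")
        if reasons:
            alerts.append({"source": e["IpAddress"], "target": e["Computer"],
                           "user": e["User"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in smb_alerts(SAMPLE_EVENTS, EXPECTED_SMB):
        print(a)
    for a in rdp_alerts(SAMPLE_EVENTS, EXPECTED_RDP, ADMIN_ACCOUNTS):
        print(a)
```

Grouping the admin-share hits per (client, server, share, user) keeps a file server's normal burst of 5145 events from flooding the output, while the fan-out alert captures the pattern that matters most: one client reaching administrative shares on several hosts in a row.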


3. Identify WMI and PsExec Activity

What to Look For:

  • Process Creation Logs:

    • Event ID 4688: Captures process creation events. Look for:

      • Execution of tools like wmic.exe or psexec.exe, commonly used for remote command execution.

      • Commands that initiate remote interactions with other systems.

  • Associated Logs:

    • Review command-line arguments (4688 records them only when the "Include command line in process creation events" audit policy is enabled) to identify suspicious activity, such as execution targeting other hosts.

Red Flags: Execution of remote administration tools by accounts or systems not typically using them.


4. Analyze Process Creation and Termination Events

What to Look For:

  • Unexpected Processes:

    • Event ID 4688: Tracks process creation. Focus on:

      • Unusual processes launched on multiple systems.

      • Known tools or scripts associated with lateral movement.

  • Process Exits:

    • Event ID 4689: Logs process termination. Correlate with process creation to understand behavior.

  • Behavioral Patterns:

    • Processes executing commands or initiating connections to other endpoints.

Red Flags: Processes running from unexpected directories (e.g., %TEMP%, %APPDATA%) or executed by non-administrative accounts.
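Sections 3 and 4 both work from the same 4688/4689 records: extract the remote target from wmic.exe and psexec.exe command lines, flag images started from %TEMP% or %APPDATA%, note non-administrative users, and pair each 4688 with its 4689 to get the process lifetime. The following is an added example, not code from the original article. Assumptions: the collector has normalised NewProcessId/ProcessId to "ProcessId" and NewProcessName/ProcessName to "Image", command-line auditing is enabled so 4688 carries CommandLine, ADMIN_ACCOUNTS is a constructed list, and the events are constructed rather than real logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Command-line patterns that pull the remote target out of the tools the
# page names: "wmic /node:HOST ..." and "psexec \\HOST ...". Keyed on the
# executable's basename as logged in 4688.
REMOTE_TARGET_PATTERNS = {
    "wmic.exe": re.compile(r'/node:"?([\w.-]+)', re.IGNORECASE),
    "psexec.exe": re.compile(r"\\\\([\w.-]+)"),
    "psexec64.exe": re.compile(r"\\\\([\w.-]+)"),
}
# 4688 logs fully expanded paths, so match the expanded forms of
# %TEMP% (...\AppData\Local\Temp\) and %APPDATA% (...\AppData\Roaming\).
SUSPICIOUS_DIR_RE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
ADMIN_ACCOUNTS = {"adm-bob"}  # constructed list of expected admin accounts


def ev(event_id, time, computer, user, pid, image="", command_line=""):
    # Assumption: NewProcessId/ProcessId normalised to "ProcessId" and
    # NewProcessName/ProcessName to "Image". CommandLine is only present
    # in 4688 when command-line auditing is enabled.
    return {"EventID": event_id, "TimeCreated": time, "Computer": computer,
            "User": user, "ProcessId": pid, "Image": image, "CommandLine": command_line}


SAMPLE_EVENTS = [  # constructed, not real logs
    # a workstation user drives WMI against the database server
    ev(4688, "2024-05-01T10:00:00", "WS07", "alice", 4100,
       r"C:\Windows\System32\wbem\WMIC.exe",
       'wmic /node:"SRV-DB01" process list brief'),
    ev(4689, "2024-05-01T10:00:03", "WS07", "alice", 4100,
       r"C:\Windows\System32\wbem\WMIC.exe"),
    # PsExec run from the user's temp directory, targeting another workstation
    ev(4688, "2024-05-01T10:01:10", "WS07", "alice", 4200,
       r"C:\Users\alice\AppData\Local\Temp\PsExec.exe",
       r"PsExec.exe \\WS13 hostname"),
    # an administrator running wmic locally on the server: nothing to flag
    ev(4688, "2024-05-01T10:02:00", "SRV-DB01", "adm-bob", 900,
       r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption"),
    # the same unknown binary appearing under %APPDATA% on two hosts
    ev(4688, "2024-05-01T10:03:00", "WS13", "alice", 1200,
       r"C:\Users\alice\AppData\Roaming\update.exe", "update.exe"),
    ev(4688, "2024-05-01T10:03:30", "FS01", "alice", 1300,
       r"C:\Users\alice\AppData\Roaming\update.exe", "update.exe"),
]


def exe_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def remote_target(image, command_line):
    """Return the remote host named on the command line, or None."""
    pattern = REMOTE_TARGET_PATTERNS.get(exe_name(image))
    if pattern is None:
        return None
    m = pattern.search(command_line)
    return m.group(1) if m else None


def analyze_processes(events, admin_accounts=ADMIN_ACCOUNTS):
    """Findings for 4688 events: remote-execution tools with their target,
    images under %TEMP%/%APPDATA%, non-admin users, and the lifetime derived
    from the matching 4689 (same host and process id)."""
    exits = {(e["Computer"], e["ProcessId"]): e["TimeCreated"]
             for e in events if e["EventID"] == 4689}
    findings = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        reasons = []
        target = remote_target(e["Image"], e["CommandLine"])
        if target:
            reasons.append(f"remote_tool:{exe_name(e['Image'])}->{target}")
        if SUSPICIOUS_DIR_RE.search(e["Image"]):
            reasons.append("suspicious_directory")
        if reasons and e["User"].lower() not in admin_accounts:
            reasons.append("non_admin_user")
        if not reasons:
            continue
        end = exits.get((e["Computer"], e["ProcessId"]))
        lifetime = ((datetime.fromisoformat(end) - datetime.fromisoformat(e["TimeCreated"]))
                    .total_seconds() if end else None)
        findings.append({"host": e["Computer"], "user": e["User"], "image": exe_name(e["Image"]),
                         "reasons": reasons, "lifetime_seconds": lifetime})
    return findings


def image_spread(events, min_hosts=2):
    """Executable basenames that started on min_hosts or more distinct hosts;
    compare against a known-good list before treating the result as suspicious."""
    hosts = defaultdict(set)
    for e in events:
        if e["EventID"] == 4688:
            hosts[exe_name(e["Image"])].add(e["Computer"])
    return {img: sorted(h) for img, h in hosts.items() if len(h) >= min_hosts}
```

Two points of design: the lifetime is derived from the pair (host, process id), because process ids are only unique per host and are reused after exit, and the spread check deliberately reports legitimate tools such as wmic.exe too, since the analyst's known-good list, not the script, decides what is normal in that environment.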


5. Cross-Reference with Network Logs

What to Do:

  • Correlate Logs:

    • Match endpoint logs with network traffic logs to detect:

      • Unusual or unauthorized connections between hosts.

      • Unexpected protocols or ports being used.

  • Behavioral Indicators:

    • High-frequency connections originating from a single compromised host.

    • Data transfers immediately following authentication events.

Red Flags: Internal connections inconsistent with typical business workflows or repeated failed authentication attempts.
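The cross-referencing step is a join between two data sets that describe the same activity from different vantage points: endpoint authentication events name the host and account, flow records carry IPs, ports and byte counts. The following is an added example, not code from the original article, that implements the three indicators listed above over constructed data: a large transfer shortly after a network logon, one source fanning out to many destinations within a short window, and repeated failed authentication (4625) from one client against one host. Assumptions: HOST_IPS is a constructed hostname-to-IP inventory (in practice DNS or a CMDB), the thresholds are illustrative, and both the auth events and the flow records are constructed rather than real captures.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed asset inventory (assumption): hostname -> IP, needed to join
# endpoint events (which name the host) with flow records (which carry IPs).
HOST_IPS = {"FS01": "10.0.2.10", "SRV-DB01": "10.0.2.20"}

# Constructed endpoint authentication events (not real logs). Computer is the
# host that wrote the event; IpAddress is the authenticating client.
AUTH_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TimeCreated": "2024-05-01T09:00:00",
     "Computer": "FS01", "IpAddress": "10.0.1.20", "User": "alice"},
    {"EventID": 4624, "LogonType": 3, "TimeCreated": "2024-05-01T10:05:00",
     "Computer": "FS01", "IpAddress": "10.0.1.77", "User": "svc-backup"},
] + [
    # four failed logons against the database server inside 20 seconds
    {"EventID": 4625, "LogonType": 3, "TimeCreated": f"2024-05-01T10:06:{s:02d}",
     "Computer": "SRV-DB01", "IpAddress": "10.0.1.77", "User": "alice"}
    for s in (0, 5, 10, 20)
]

# Constructed flow records (NetFlow/Zeek-style fields, not real captures).
FLOWS = [
    {"src": "10.0.1.20", "dst": "10.0.2.10", "dport": 445, "bytes": 20_000,
     "start": "2024-05-01T09:00:05"},
    {"src": "10.0.1.77", "dst": "10.0.2.10", "dport": 445, "bytes": 50_000_000,
     "start": "2024-05-01T10:05:12"},
] + [
    # one source opening SMB to five different workstations in 40 seconds
    {"src": "10.0.1.77", "dst": f"10.0.1.{30 + i}", "dport": 445, "bytes": 4_000,
     "start": f"2024-05-01T10:07:{10 * i:02d}"}
    for i in range(5)
]


def ts(s):
    return datetime.fromisoformat(s)


def transfers_after_logon(auth_events, flows, window_seconds=60, min_bytes=10_000_000):
    """Large flows from the authenticating client to the host it just logged
    on to (4624, network logon) within window_seconds of the logon."""
    hits = []
    for a in auth_events:
        if a["EventID"] != 4624 or a["LogonType"] != 3:
            continue
        dst_ip = HOST_IPS.get(a["Computer"])
        t0 = ts(a["TimeCreated"])
        for f in flows:
            if f["src"] != a["IpAddress"] or f["dst"] != dst_ip or f["bytes"] < min_bytes:
                continue
            delta = (ts(f["start"]) - t0).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append({"source": f["src"], "target": a["Computer"], "user": a["User"],
                             "bytes": f["bytes"], "seconds_after_logon": delta})
    return hits


def connection_fanout(flows, window_seconds=60, threshold=5):
    """Sources that open flows to threshold or more distinct destinations inside
    any window_seconds-long window (one alert per source)."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["start"]):
        by_src[f["src"]].append(f)
    alerts = []
    for src, fl in by_src.items():
        for i, first in enumerate(fl):
            t0 = ts(first["start"])
            dsts = {f["dst"] for f in fl[i:]
                    if (ts(f["start"]) - t0).total_seconds() <= window_seconds}
            if len(dsts) >= threshold:
                alerts.append({"source": src, "distinct_targets": len(dsts),
                               "window_start": first["start"]})
                break
    return alerts


def failed_auth_bursts(auth_events, threshold=3):
    """Repeated 4625 failures from one client against one host."""
    counts = Counter((e["IpAddress"], e["Computer"])
                     for e in auth_events if e["EventID"] == 4625)
    return [{"source": s, "target": t, "failures": n}
            for (s, t), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    print(transfers_after_logon(AUTH_EVENTS, FLOWS))
    print(connection_fanout(FLOWS))
    print(failed_auth_bursts(AUTH_EVENTS))
```

The byte threshold is what separates the expected workstation-to-file-server session (a few kilobytes after logon) from the anomalous one (tens of megabytes within seconds of a service account's network logon); tune it per environment, and feed the fan-out and failed-authentication results back into the host-pair baselines used for the SMB and RDP checks.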


6. Immediate Response

What to Do:

  • Isolate Affected Systems:

    • Disconnect compromised hosts from the network to prevent further spread.

  • Analyze Logs:

    • Review all related logs to map the attacker’s path and actions.

    • Identify compromised accounts, tools used, and potential persistence mechanisms.

  • Reset Credentials:

    • Reset passwords for accounts associated with lateral movement attempts.

  • Strengthen Network Controls:

    • Implement network segmentation to limit access between systems.

    • Harden access controls to restrict administrative privileges.

Post-Incident Actions:

  • Deploy Enhanced Monitoring:

    • Set up rules in SIEM tools to detect similar lateral movement patterns proactively.

  • Educate Administrators:

    • Train IT staff on recognizing signs of lateral movement and mitigating such threats.

  • Conduct a Root Cause Analysis:

    • Determine how the attacker gained initial access and address the entry point.


Conclusion

Detecting lateral movement requires correlating logs from multiple sources, including SMB, RDP, and process creation logs. Proactive monitoring, combined with robust response measures, minimizes the risk of attackers gaining further control over your network.
