How to Detect Lateral Movement Using Windows Event Logs
Lateral movement involves an attacker navigating through a network to access additional systems or resources. Detecting this activity requires monitoring specific events and correlating activity across multiple systems.
1. Monitor for Account Logon Activity
What to Look For:
Successful Logons:
Event ID 4624: Logs successful logon attempts. Focus on:
Logon Type 3 (Network Logon): Indicates remote access to resources.
Logon Type 10 (Remote Interactive): Often used for RDP sessions.
Patterns of Logon Activity:
Rapid or simultaneous logons across multiple systems using the same account.
Logons originating from unexpected systems or at unusual times.
Red Flags: Accounts accessing multiple machines within a short timeframe, particularly administrative accounts.
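The fan-out pattern described above (one account producing network or remote-interactive logons on many hosts within minutes) can be checked with a short correlation routine. The following is an added example, not code from the original article; the event records are constructed samples shaped like fields a SIEM would normalize from Event ID 4624, and the thresholds are illustrative defaults.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). Each dict holds the fields
# that matter for this check: event id, timestamp, target host, account, logon type.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2024-05-01T09:00:05", "host": "WS01", "user": "jdoe", "logon_type": 2},
    {"id": 4624, "time": "2024-05-01T09:01:10", "host": "FS01", "user": "jdoe", "logon_type": 3},
    {"id": 4624, "time": "2024-05-01T13:02:00", "host": "WS02", "user": "svc_backup", "logon_type": 3},
    {"id": 4624, "time": "2024-05-01T13:02:20", "host": "WS03", "user": "svc_backup", "logon_type": 3},
    {"id": 4624, "time": "2024-05-01T13:03:05", "host": "FS01", "user": "svc_backup", "logon_type": 3},
    {"id": 4624, "time": "2024-05-01T13:04:40", "host": "SQL01", "user": "svc_backup", "logon_type": 10},
    {"id": 4624, "time": "2024-05-01T14:00:00", "host": "WS01", "user": "admin", "logon_type": 10},
    {"id": 4624, "time": "2024-05-01T14:30:00", "host": "WS04", "user": "admin", "logon_type": 10},
    {"id": 4625, "time": "2024-05-01T14:31:00", "host": "WS05", "user": "admin", "logon_type": 3},
]


def find_logon_fan_out(events, window=timedelta(minutes=5), min_hosts=3, logon_types=(3, 10)):
    """Return {account: sorted distinct hosts} for every account that produced
    successful (4624) logons of the given types on at least `min_hosts`
    distinct hosts inside any sliding `window`. Local interactive logons
    (type 2) and failed logons (4625) are ignored, since they do not show
    an account moving between systems."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 4624 and e["logon_type"] in logon_types:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))

    flagged = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so each window starts at logons[i]
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break  # one hit per account is enough to raise an alert
    return flagged


if __name__ == "__main__":
    for user, hosts in find_logon_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} logged on to {len(hosts)} hosts within 5 min: {', '.join(hosts)}")
```

In production the same routine would read normalized events from the SIEM and would be tuned per account class (service accounts that legitimately touch many hosts need a separate baseline).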
2. Analyze Event ID 4648 (Explicit Credential Use)
What to Look For:
Credential Usage:
Event ID 4648: Indicates explicit credentials were provided for a logon session.
Patterns:
The same credentials being used to log onto multiple systems.
Credentials being used by accounts or systems not typically associated with them.
Red Flags: Credentials reused across different machines or accounts showing suspicious access patterns.
3. Review Event ID 4688 (Process Creation)
What to Look For:
Execution of Lateral Movement Tools:
Tools like PsExec.exe, wmic.exe, schtasks.exe, or custom scripts.
Command-Line Arguments:
Suspicious commands associated with remote execution or administrative actions.
Key Event ID:
Event ID 4688: Captures the creation of processes, including their paths and arguments.
Red Flags: Execution of remote execution tools from non-administrative accounts or unexpected systems.
4. Correlate with File Sharing and Access Logs
What to Look For:
Unusual Network Share Access:
Event ID 5140: Logs access to network shares. Look for:
Unexpected access to administrative shares like C$ or ADMIN$.
File transfer activity inconsistent with normal user behavior.
Red Flags: Frequent or large-scale access to shared directories from unknown systems or accounts.
5. Detect Unusual RDP Sessions
What to Look For:
RDP Session Activity:
Event ID 4778: Captures sessions reconnected to a Window Station.
Event ID 4779: Logs RDP session disconnections.
Patterns of RDP Usage:
Repeated RDP sessions initiated from unexpected hosts or accounts.
Concurrent RDP sessions from the same account across different systems.
Red Flags: Unusual RDP activity, particularly involving high-privilege accounts or external IPs.
6. Investigate Use of Kerberos Tickets
What to Look For:
Kerberos Ticket Requests:
Event ID 4769: Logs service ticket requests.
Event ID 4770: Logs ticket renewals.
Unusual Activity:
Repeated or unexpected Kerberos ticket requests.
Tickets being requested for services not typically accessed by the account.
Red Flags: A spike in Kerberos activity from a single host or account, potentially indicating Pass-the-Ticket attacks.
7. Immediate Response
What to Do:
Isolate Systems: Disconnect compromised systems from the network to contain the threat.
Reset Credentials: Reset passwords for all accounts involved in suspicious activity, particularly administrative accounts.
Review Logs: Analyze logs across all affected systems to determine the attacker’s path and methods.
Conduct a Thorough Investigation: Identify the entry point, scope of the attack, and any additional compromised systems or accounts.
Long-Term Measures:
Enhance Monitoring: Implement SIEM rules to detect lateral movement patterns proactively.
Segment Networks: Limit access to critical systems and resources using network segmentation.
Educate Staff: Train administrators to recognize signs of lateral movement and respond effectively.
Conclusion
Detecting lateral movement involves analyzing authentication activity, process creation, and network access patterns. By correlating Windows Event Logs across systems, security teams can identify and mitigate lateral movement before attackers gain access to critical resources.