#1 E Double U (Senior Member, joined Apr 2014, The Netherlands, 1,145 posts; certifications: CISSP, CISM, GCIA, GCIH, C|EH, and more)

    Detecting lateral movement

    I'm hoping someone here can provide some tips on detecting lateral movement (specifically to domain controllers).

    I want to build some Sourcefire and/or QRadar rules related to the following:

    PS-Exec
    WMI
    DCOM
    WinRM
    RDP
    Remote scheduled tasks
    Remote registry

    I've been browsing the web and haven't quite found what I am looking for so hoping some board members can recommend some good resources.

    Thanks in advance!
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson

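Detection logic for the techniques listed in the opening post, as an added example that is not from the thread or from any poster. It runs over constructed Windows event records (the hostnames, logon IDs and paths are made up) and uses well-known event IDs: 7045/7036 for service install and state change, 4624 for logons (type 3 network, type 10 RDP), 4688 for process creation, 4698 for scheduled-task creation. The DC list and field names are assumptions; map them to whatever your SIEM's normalized fields are called.

```python
# Assumed: hostnames of the domain controllers we care about.
DCS = {"dc01", "dc02"}

# Parent processes whose children indicate remote execution (4688 events).
REMOTE_PARENTS = {"wmiprvse.exe": "WMI", "wsmprovhost.exe": "WinRM",
                  "mmc.exe": "DCOM (MMC20.Application candidate)"}

def detect_lateral_movement(events, dcs=DCS):
    """Return (technique, host, detail) tuples for events that land on a DC."""
    findings = []
    # Logon IDs on each host that arrived over the network (logon type 3);
    # a 4698 under such a session means the task was created remotely.
    net_logons = {(e["host"].lower(), e["LogonId"]) for e in events
                  if e["id"] == 4624 and e.get("LogonType") == 3}
    for e in events:
        host, eid = e["host"].lower(), e["id"]
        if host not in dcs:
            continue
        if eid == 7045 and ("psexesvc" in e["ServiceName"].lower()
                            or "admin$" in e["ImagePath"].lower()):
            findings.append(("PsExec", host, f"service {e['ServiceName']} from {e['ImagePath']}"))
        elif eid == 4624 and e.get("LogonType") == 10:
            findings.append(("RDP", host, f"{e['User']} from {e['SourceIp']}"))
        elif eid == 4688:
            parent = e["ParentImage"].rsplit("\\", 1)[-1].lower()
            if parent in REMOTE_PARENTS:
                findings.append((REMOTE_PARENTS[parent], host, f"{parent} spawned {e['NewProcess']}"))
        elif eid == 4698 and (host, e["LogonId"]) in net_logons:
            findings.append(("Remote scheduled task", host, f"task {e['TaskName']} by {e['User']}"))
        elif eid == 7036 and e["ServiceName"].lower() == "remote registry" and "running" in e["State"].lower():
            findings.append(("Remote registry", host, "RemoteRegistry service started"))
    return findings

# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"host": "DC01", "id": 4624, "LogonType": 3, "LogonId": "0x3e7a", "User": "admin", "SourceIp": "10.0.0.5"},
    {"host": "DC01", "id": 7045, "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"host": "DC01", "id": 4688, "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "NewProcess": "powershell.exe"},
    {"host": "DC01", "id": 4698, "LogonId": "0x3e7a", "TaskName": "\\Updater", "User": "admin"},
    {"host": "DC01", "id": 4624, "LogonType": 10, "LogonId": "0x4111", "User": "admin", "SourceIp": "10.0.0.5"},
    {"host": "DC01", "id": 7036, "ServiceName": "Remote Registry", "State": "running"},
    {"host": "WS07", "id": 4688, "ParentImage": "C:\\Windows\\System32\\wsmprovhost.exe", "NewProcess": "cmd.exe"},
    {"host": "DC02", "id": 4698, "LogonId": "0x1234", "TaskName": "\\Backup", "User": "svc_backup"},
]

if __name__ == "__main__":
    for technique, host, detail in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{host}: {technique}: {detail}")
```

The workstation WinRM event and the DC02 task with no matching network logon are deliberately left out of the findings, so the rules fire only on remote activity against the DCs.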
#2 UnixGuy ("Are we having fun yet?", joined Mar 2008, 3,327 posts; certifications: GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired))

    Evidence of execution of those services via Splunk or any SIEM you use? Or are you looking for the actual rules?
    Goal: GCFA (DONE), GPEN

#3 Iristheangel ("ABL - Always Be Labbin'", joined Dec 2009, Pasadena, CA, 3,668 posts; certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs)

    I would also probably include some Netflow/sFlow/whatever probes in there as well to detect the actual network traffic that doesn't pass through the IPS if possible.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

#4 kMastaFlash (Senior Member, joined Aug 2012, 875 posts; certifications: A+, Network+, Security+, EMCISA v2, MCP, MTA x2, MCPS, CCENT, CCNA R&S, C|EH, C|HFI, MCTS, Linux+, LPIC-1, E|CSS, E|CES, GPEN, OSWP, Server+, LPT, GCIH)

    For PsExec-based attacks, I think Microsoft released a patch for it. I think it was more towards PTH attacks, but maybe it blocks PsExec also?

    https://www.microsoft.com/en-us/down...34bcdd6d2=True

    Other than that, this is outside the scope of what I know. Best of luck!
    2017:E|CSA E|CSP,E|CIH,eLearnSecurity,CSA+ Courses 2018: C|ND,ICND2,CCSK,CISSP,CCNA-Security 2019: CWNA 2020: LPIC-2