  1. Senior Member E Double U
    Join Date
    Apr 2014
    Location
    The Netherlands
    Posts
    1,343

    Certifications
    CISSP, CISM, CISA, GPEN, GCIA, GCIH, C|EH, and more.
    #1

    Detecting lateral movement

    I'm hoping someone here can provide some tips on detecting lateral movement (specifically to domain controllers).

    I want to build some Sourcefire and/or QRadar rules related to the following:

    PS-Exec
    WMI
    DCOM
    WinRM
    RDP
    Remote scheduled tasks
    Remote registry

    I've been browsing the web and haven't quite found what I am looking for so hoping some board members can recommend some good resources.

    Thanks in advance!
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
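The techniques in the list above each leave a host-side trace that a SIEM rule can key on: a network or RDP logon to the domain controller (Security 4624, LogonType 3 or 10), a new service being installed (System 7045, which PsExec triggers with its PSEXESVC service), a scheduled task being created (Security 4698), and a process being spawned by the WMI provider host (Security 4688 with WmiPrvSE.exe as parent). The block below is an added example, not something posted in this thread or shipped with Sourcefire or QRadar: it runs that logic over a few constructed event records. The DC hostnames, the admin jump-host allowlist, the field names and the sample events are all assumptions made for the example.

```python
"""Added example: flag lateral-movement indicators against domain controllers
from normalised Windows event records (constructed data, not from the thread)."""
from typing import Dict, List

# Placeholder inventory: which hosts are DCs and from which hosts remote
# administration of them is expected. Both sets are assumptions for the example.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
ADMIN_HOSTS = {"ADMIN-JUMP01"}

# Constructed sample events. Event IDs are the standard Windows ones:
#   Security 4624  logon (LogonType 3 = network, 10 = RDP / RemoteInteractive)
#   System   7045  new service installed (PsExec installs PSEXESVC)
#   Security 4698  scheduled task created
#   Security 4688  process creation (parent WmiPrvSE.exe => WMI remote execution)
SAMPLE_EVENTS: List[Dict] = [
    {"host": "DC01", "event_id": 4624, "logon_type": 3, "user": "CORP\\jsmith",
     "src_ip": "10.0.5.23", "src_host": "WS-FINANCE-07"},
    {"host": "DC01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe", "user": "CORP\\jsmith"},
    {"host": "DC02", "event_id": 4624, "logon_type": 10, "user": "CORP\\backupadm",
     "src_ip": "10.0.9.2", "src_host": "ADMIN-JUMP01"},           # allowlisted jump host
    {"host": "DC02", "event_id": 4698, "task_name": "\\Updater",
     "user": "CORP\\svc_print", "src_host": ""},
    {"host": "DC01", "event_id": 4688, "new_process": "C:\\Windows\\System32\\cmd.exe",
     "parent_process": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "user": "CORP\\jsmith"},
    {"host": "FS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe", "user": "CORP\\helpdesk"},  # not a DC
]


def _severity(host: str) -> str:
    """A DC as the target raises severity; the same trace elsewhere is still worth a look."""
    return "high" if host in DOMAIN_CONTROLLERS else "medium"


def _alert(rule: str, ev: Dict, note: str) -> Dict:
    return {"rule": rule, "host": ev.get("host", ""), "user": ev.get("user", ""),
            "severity": _severity(ev.get("host", "")), "note": note}


def detect(events: List[Dict]) -> List[Dict]:
    """Apply one rule per lateral-movement trace; each event matches at most one rule."""
    alerts: List[Dict] = []
    for ev in events:
        host = ev.get("host", "")
        eid = ev.get("event_id")
        on_dc = host in DOMAIN_CONTROLLERS

        # PsExec, WMI, WinRM, DCOM and remote registry all start with a network logon
        # (type 3); RDP shows up as type 10. Only the approved jump hosts are expected.
        if eid == 4624 and on_dc and ev.get("logon_type") in (3, 10) \
                and ev.get("src_host") not in ADMIN_HOSTS:
            alerts.append(_alert("remote_logon_dc", ev,
                                 f"logon type {ev['logon_type']} from {ev.get('src_host')} ({ev.get('src_ip')})"))

        # PsExec installs its own service on the target; the default name is PSEXESVC.
        elif eid == 7045 and "psexesvc" in (ev.get("service_name", "") + ev.get("image_path", "")).lower():
            alerts.append(_alert("psexec_service", ev, f"service {ev.get('service_name')} installed"))

        # Remote scheduled tasks end up as a task-creation event on the DC itself.
        elif eid == 4698 and on_dc:
            alerts.append(_alert("scheduled_task_dc", ev, f"task {ev.get('task_name')} created"))

        # WMI remote execution: the child process is started by the WMI provider host.
        elif eid == 4688 and on_dc and ev.get("parent_process", "").lower().endswith("wmiprvse.exe"):
            alerts.append(_alert("wmi_exec_dc", ev, f"{ev.get('new_process')} spawned by WmiPrvSE"))
    return alerts


def rules_fired(alerts: List[Dict]) -> List[str]:
    """Distinct rule names, sorted, for a quick summary of what a batch triggered."""
    return sorted({a["rule"] for a in alerts})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['rule']:<18} {a['host']:<5} {a['user']:<16} {a['note']}")
```

The allowlist on the 4624 rule is what keeps this from firing on every administrator; without a defined set of jump hosts the rule is only as useful as the baseline behind it, which is the point si20 makes further down the thread. Remote registry is deliberately not given its own rule here: it produces the same network logon as the others and little else in the default audit policy, so it is caught by the 4624 rule rather than by a dedicated one.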

  3. Are we having fun yet? UnixGuy
    Join Date
    Mar 2008
    Posts
    3,596

    Certifications
    GPEN, GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired)
    #2
    Evidence of execution of those services via Splunk or any SIEM you use? Or are you looking for the actual rules?
    Goal: MBA, March 2020

  4. ABL - Always Be Labbin' Iristheangel
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,811

    Certifications
    CISSP, CCIE Sec, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+
    #3
    I would also probably include some Netflow/sFlow/whatever probes in there as well to detect the actual network traffic that doesn't pass through the IPS if possible.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
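Flow records give a second view of the same list that does not depend on the endpoint audit policy: PsExec, remote scheduled tasks and remote registry all ride on SMB (445), WMI and DCOM go through the RPC endpoint mapper (135) and then a dynamic high port, WinRM uses 5985/5986 and RDP uses 3389. The block below is an added example, not from this thread or from any NetFlow product: it scores constructed flow records by which DCs a source touched over those ports, and treats a 135 connection followed shortly by a dynamic-port connection to the same DC as an established RPC session. The DC addresses, the admin source allowlist, the port-to-service labels, the 60-second window and the sample flows are all assumptions made for the example.

```python
"""Added example: score flow records for lateral-movement traffic towards domain
controllers (constructed data; no real NetFlow export is parsed here)."""
from collections import defaultdict
from typing import Dict, List

# Placeholder inventory: DC addresses and the sources allowed to administer them.
DC_ADDRS = {"10.0.0.10": "DC01", "10.0.0.11": "DC02"}
ADMIN_SRC = {"10.0.9.2"}

# Ports used by the remote-execution channels in the original post.
ADMIN_PORTS = {
    445: "SMB (PsExec, remote scheduled tasks, remote registry)",
    135: "RPC endpoint mapper (WMI, DCOM, remote scheduled tasks)",
    5985: "WinRM", 5986: "WinRM over TLS",
    3389: "RDP",
}
RPC_DYNAMIC = range(49152, 65536)   # default Windows dynamic RPC port range
RPC_WINDOW = 60                     # seconds from 135 to the follow-up high-port flow

# Constructed flows: (epoch seconds, src, dst, dst_port). LDAP/Kerberos flows are
# included to show that ordinary DC traffic does not score.
SAMPLE_FLOWS = [
    (100, "10.0.5.23", "10.0.0.10", 445),
    (101, "10.0.5.23", "10.0.0.10", 135),
    (102, "10.0.5.23", "10.0.0.10", 49670),   # dynamic RPC port after the EPM query
    (200, "10.0.9.2", "10.0.0.11", 3389),     # allowlisted admin host, RDP to DC02
    (300, "10.0.5.23", "10.0.0.11", 5985),
    (400, "10.0.7.40", "10.0.0.10", 389),     # LDAP, normal workstation traffic
    (401, "10.0.7.40", "10.0.0.10", 88),      # Kerberos, normal workstation traffic
]


def detect_flows(flows: List[tuple]) -> List[Dict]:
    """Return one summary per non-admin source that reached a DC on an admin port."""
    by_src: Dict[str, Dict] = defaultdict(lambda: {"dcs": set(), "ports": set(), "rpc_followup": False})
    epm_seen: Dict[tuple, int] = {}   # (src, dst) -> time of the last port-135 flow

    for ts, src, dst, dport in sorted(flows):
        if src in ADMIN_SRC or dst not in DC_ADDRS:
            continue
        if dport in ADMIN_PORTS:
            by_src[src]["dcs"].add(DC_ADDRS[dst])
            by_src[src]["ports"].add(dport)
            if dport == 135:
                epm_seen[(src, dst)] = ts
        elif dport in RPC_DYNAMIC:
            # A high-port flow right after an endpoint-mapper query is the second half
            # of a DCOM/WMI connection; on its own a high port proves nothing.
            t135 = epm_seen.get((src, dst))
            if t135 is not None and 0 <= ts - t135 <= RPC_WINDOW:
                by_src[src]["rpc_followup"] = True

    summaries = []
    for src, info in sorted(by_src.items()):
        summaries.append({
            "src": src,
            "dcs": sorted(info["dcs"]),
            "ports": sorted(info["ports"]),
            "services": sorted({ADMIN_PORTS[p] for p in info["ports"]}),
            "rpc_followup": info["rpc_followup"],
            # More DCs and more distinct channels from one source is the pattern
            # worth escalating; a single RDP session to one DC is usually an admin.
            "score": len(info["dcs"]) * len(info["ports"]) + (1 if info["rpc_followup"] else 0),
        })
    return summaries


if __name__ == "__main__":
    for s in detect_flows(SAMPLE_FLOWS):
        print(f"{s['src']} -> {', '.join(s['dcs'])} score={s['score']} rpc_followup={s['rpc_followup']}")
        for svc in s["services"]:
            print(f"    {svc}")
```

Flow data only shows that a channel was opened, not what ran over it, so this is a triage feed rather than a verdict; its value is that it still works for hosts whose traffic never crosses the IPS, which is the gap Iristheangel points out. The 135-then-high-port pairing is what separates WMI and DCOM from a plain endpoint-mapper probe, and the window needs tuning to the real exporter's flow timeout.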

  5. Senior Member kMastaFlash
    Join Date
    Aug 2012
    Posts
    973

    Certifications
    A+,Network+,Security+,EMCISA,MCP,CCENT,CCNA R&S,C|EH,C|HFI,Linux+,LPIC-1,E|CSS,E|CES,GPEN,OSWP,Server+,LPT,GCIH,E|CIH,E|CSA,JNCIA,CPTE,CPTC,eJPT,GNFA
    #4
    For PsExec-based attacks, I think Microsoft released a patch for it. I think it was more towards PTH attacks, but maybe it blocks PsExec also?

    https://www.microsoft.com/en-us/down...34bcdd6d2=True

    Other than that, this is outside the scope of what I know. Best of luck!
    2018: E|CSP,CCNA-Security,CSA+,CCNA Cyber Ops
    2019: CCSK,CISSP,CWNA
    2020: LPIC-2,eLearnSecurity Courses

  6. Senior Member E Double U
    Join Date
    Apr 2014
    Location
    The Netherlands
    Posts
    1,343

    Certifications
    CISSP, CISM, CISA, GPEN, GCIA, GCIH, C|EH, and more.
    #5
    Thanks for the responses!

    @ UnixGuy - I am looking for actual rules.
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson

  7. Senior Member si20
    Join Date
    May 2014
    Location
    UK
    Posts
    460

    Certifications
    MCDST, MCP, BSc Computer Forensics, MTA: 98-366, OSWP, OSCP, FJSE, ACE, PGCert, Linux+, Sec+
    #6
    Good luck finding any rules... When I was a senior sec analyst, I was working with a couple of guys who were supposed to help me create lateral movement rules - turns out that half the team didn't know what lateral movement was, half the team didn't have any security certs, all of the team had never done any pen-testing and didn't know what an attack looked like... so they hired a 3rd party contractor to come in and write the rules. The guy wrote the rules, charged $$$$$ and then left, presumably laughing all the way to the bank.

    When we figured out there was no documentation, the manager sent the team on $5,000 SANS courses. Half the team failed. Those who passed left the company. You see where this is going: it never happened.

    So in the end, I implemented what you're talking about, e.g. scheduled tasks, etc., looking for PS-Exec traces and ultimately found absolutely nothing. Sorry to be the bearer of bad news, but the only people who can legitimately create rules like that are contractors who go from company to company charging big bucks for it. And then you've got to ask yourself, even if you get the rules, are they actually going to detect anything? A ruleset is only as good as the traffic fed into it - and most places I've worked at were feeding junk into junk rules and expecting to find 0-days.
    Future certs: CEH v10 (maybe)

  8. Senior Member E Double U
    Join Date
    Apr 2014
    Location
    The Netherlands
    Posts
    1,343

    Certifications
    CISSP, CISM, CISA, GPEN, GCIA, GCIH, C|EH, and more.
    #7
    Thanks si20!
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson