#1  E Double U (Senior Member; The Netherlands; joined Apr 2014; 1,174 posts; certifications: CISSP, CISM, GCIA, GCIH, C|EH, and more.)

    Detecting lateral movement

    I'm hoping someone here can provide some tips on detecting lateral movement (specifically to domain controllers).

    I want to build some Sourcefire and/or QRadar rules related to the following:

    PsExec
    WMI
    DCOM
    WinRM
    RDP
    Remote scheduled tasks
    Remote registry

    I've been browsing the web and haven't quite found what I am looking for, so I'm hoping some board members can recommend some good resources.

    Thanks in advance!
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson
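For the techniques in the list above, here is an added example (not from the original post or from any vendor's rule pack) of the host-log side of such rules, written as a small Python rule set run over constructed Windows event records rather than as Sourcefire or QRadar syntax. It assumes a hypothetical inventory of domain controllers (DC01, DC02), flattens Security-channel events 4624, 4688, 4698 and 5145 and System-channel event 7045 into dicts with their usual field names, and correlates 4698 (scheduled task created) back to the creating session's 4624 so that only tasks created from a network logon are flagged; the sample events are made up for the demo.

```python
"""Host-log detection of lateral movement to domain controllers.

Added example, not code from the thread. Field names follow the Security
(4624/4688/4698/5145) and System (7045) channels but are flattened into
dicts; SAMPLE_EVENTS is constructed for the demo and is not real log data.
"""
from dataclasses import dataclass

DOMAIN_CONTROLLERS = {"DC01", "DC02"}   # assumed inventory; feed from AD in practice
NETWORK, REMOTE_INTERACTIVE = 3, 10      # 4624 LogonType values


@dataclass(frozen=True)
class Alert:
    technique: str
    host: str
    source: str
    detail: str


def _parent_is(e, exe):
    """4688 process creation whose creator process image ends with `exe`."""
    return e.get("EventID") == 4688 and e.get("ParentProcessName", "").lower().endswith(exe)


def _share_target(e, share, target):
    """5145 detailed share access to `target` under `share` (ADMIN$, IPC$ ...)."""
    return (e.get("EventID") == 5145
            and e.get("ShareName", "").upper().endswith(share)
            and e.get("RelativeTargetName", "").lower() == target)


# (technique, predicate(event, logon_type_of_subject)): one or two rows per listed technique.
RULES = [
    ("PsExec", lambda e, lt: e.get("EventID") == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC"),
    ("PsExec", lambda e, lt: _share_target(e, "ADMIN$", "psexesvc.exe")),
    ("WMI", lambda e, lt: _parent_is(e, "wmiprvse.exe")),
    ("WinRM", lambda e, lt: _parent_is(e, "wsmprovhost.exe")),
    ("DCOM", lambda e, lt: _parent_is(e, "mmc.exe")),            # MMC20.Application style launch
    ("RDP", lambda e, lt: e.get("EventID") == 4624 and e.get("LogonType") == REMOTE_INTERACTIVE),
    # 4698 carries no logon type itself: only alert when the creating session was a network logon
    ("Remote scheduled task", lambda e, lt: e.get("EventID") == 4698 and lt == NETWORK),
    ("Remote scheduled task", lambda e, lt: _share_target(e, "IPC$", "atsvc")),
    ("Remote registry", lambda e, lt: _share_target(e, "IPC$", "winreg")),
]


def index_logons(events):
    """TargetLogonId -> (LogonType, source IP) from 4624 events, for correlating later activity."""
    return {e["TargetLogonId"]: (e["LogonType"], e.get("IpAddress", "-"))
            for e in events if e.get("EventID") == 4624}


def detect(events, dcs=DOMAIN_CONTROLLERS):
    """Run every rule over the events that occurred on a domain controller."""
    logons = index_logons(events)
    alerts = []
    for e in events:
        host = e.get("Computer", "")
        if host not in dcs:
            continue                       # scope: movement *to* DCs only
        logon_type, logon_ip = logons.get(e.get("SubjectLogonId"), (None, "-"))
        source = e.get("IpAddress") or logon_ip   # prefer the event's own IP, else the session's
        for technique, matches in RULES:
            if matches(e, logon_type):
                alerts.append(Alert(technique, host, source, f"EventID {e['EventID']}"))
    return alerts


def techniques_seen(alerts):
    return sorted({a.technique for a in alerts})


SAMPLE_EVENTS = [  # constructed for the demo
    {"EventID": 4624, "Computer": "DC01", "LogonType": 3, "TargetLogonId": "0x3e7a1", "IpAddress": "10.0.5.23"},
    {"EventID": 5145, "Computer": "DC01", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "PSEXESVC.exe",
     "SubjectLogonId": "0x3e7a1", "IpAddress": "10.0.5.23"},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4698, "Computer": "DC01", "TaskName": "\\Updater", "SubjectLogonId": "0x3e7a1"},
    {"EventID": 4688, "Computer": "DC01", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "SubjectLogonId": "0x3e7a1"},
    {"EventID": 5145, "Computer": "DC01", "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "winreg",
     "SubjectLogonId": "0x3e7a1", "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "Computer": "DC02", "LogonType": 10, "TargetLogonId": "0x4f001", "IpAddress": "10.0.7.9"},
    {"EventID": 4624, "Computer": "DC02", "LogonType": 2, "TargetLogonId": "0x52a0", "IpAddress": "-"},
    {"EventID": 4698, "Computer": "DC02", "TaskName": "\\Backup", "SubjectLogonId": "0x52a0"},   # console: no alert
    {"EventID": 4688, "Computer": "DC02", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wsmprovhost.exe"},
    {"EventID": 4688, "Computer": "DC02", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\mmc.exe"},
    {"EventID": 4688, "Computer": "FILE01", "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},   # not a DC: out of scope
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.technique:24} {a.host}  from {a.source:12} ({a.detail})")
```

Two of the rules (WMI and DCOM parent-process checks) fire on any child of WmiPrvSE.exe or mmc.exe and will need an allow-list for monitoring agents and console sessions; the 4698 correlation is the part that keeps local, scheduled maintenance on the DC itself out of the alert queue. 5145 and 4688 are not enabled by default and need the Detailed File Share and Process Creation audit subcategories turned on before any of this is visible.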

#2  UnixGuy ("Are we having fun yet?"; joined Mar 2008; 3,363 posts; certifications: GCFA, eJPT, RHCE, Solaris 10, SNIA SCSP, Security+, Server+, ITILv3, CCNA (Expired))
    Evidence of execution of those services via Splunk or any SIEM you use? Or are you looking for the actual rules?
    Goal: GCFA (DONE), GPEN

#3  Iristheangel ("ABL - Always Be Labbin'"; Pasadena, CA; joined Dec 2009; 3,727 posts; certifications: CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs)
    I would also probably include some Netflow/sFlow/whatever probes in there as well to detect the actual network traffic that doesn't pass through the IPS if possible.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos
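The flow-side complement to that suggestion, as an added example that is not part of the post above: a baseline of which source hosts normally reach the domain controllers' remote-admin ports (445 for SMB-borne PsExec, scheduled tasks and remote registry; 135 for the RPC endpoint mapper behind WMI and DCOM; 5985/5986 for WinRM; 3389 for RDP), then flag any new source that completes a connection to one of those ports during the detection window. DC addresses, the port-to-technique map and the NetFlow-style records are all constructed for the demo.

```python
"""Flow-based detection of new hosts reaching DC remote-admin ports.

Added example, not code from the thread. Records are simplified
NetFlow-style dicts (src, dst, dport, bytes); the sample flows and the
DC addresses are constructed for the demo.
"""

DOMAIN_CONTROLLERS = {"10.0.1.10", "10.0.1.11"}      # assumed DC addresses

# Destination port -> lateral-movement family that rides on it.
ADMIN_PORTS = {
    445:  "SMB (PsExec, remote scheduled tasks, remote registry)",
    135:  "RPC endpoint mapper (WMI, DCOM)",
    5985: "WinRM (HTTP)",
    5986: "WinRM (HTTPS)",
    3389: "RDP",
}


def _admin_flow(f):
    """A flow that actually exchanged data with a DC admin port (bytes > 0 drops bare scans/RSTs)."""
    return f["dst"] in DOMAIN_CONTROLLERS and f["dport"] in ADMIN_PORTS and f.get("bytes", 0) > 0


def baseline(flows):
    """(src, dst, dport) triples observed during the learning window."""
    return {(f["src"], f["dst"], f["dport"]) for f in flows if _admin_flow(f)}


def detect(flows, known):
    """Admin-port flows to a DC from a (src, dst, dport) triple absent from the baseline."""
    hits = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if _admin_flow(f) and key not in known:
            hits.append((f["src"], f["dst"], f["dport"], ADMIN_PORTS[f["dport"]]))
    return hits


# Constructed learning window: one jump host administers both DCs over the usual ports.
LEARNING_FLOWS = [
    {"src": "10.0.9.5", "dst": dc, "dport": p, "bytes": 4096}
    for dc in DOMAIN_CONTROLLERS for p in (445, 135, 5985, 3389)
]

# Constructed detection window.
DETECTION_FLOWS = [
    {"src": "10.0.9.5",  "dst": "10.0.1.10", "dport": 445,  "bytes": 8192},   # known admin host
    {"src": "10.0.5.23", "dst": "10.0.1.10", "dport": 445,  "bytes": 61440},  # new source: SMB
    {"src": "10.0.5.23", "dst": "10.0.1.10", "dport": 135,  "bytes": 2048},   # new source: RPC
    {"src": "10.0.7.9",  "dst": "10.0.1.11", "dport": 3389, "bytes": 900000}, # new source: RDP
    {"src": "10.0.5.23", "dst": "10.0.1.10", "dport": 389,  "bytes": 1200},   # LDAP: normal client traffic
    {"src": "10.0.5.23", "dst": "10.0.2.2",  "dport": 445,  "bytes": 5000},   # not a DC
    {"src": "10.0.6.1",  "dst": "10.0.1.10", "dport": 445,  "bytes": 0},      # no payload: scan, ignored
]

if __name__ == "__main__":
    for src, dst, port, family in detect(DETECTION_FLOWS, baseline(LEARNING_FLOWS)):
        print(f"new admin-port connection {src} -> {dst}:{port}  [{family}]")
```

The bytes threshold is deliberately crude; a real deployment would key on TCP flags or a minimum session length, and would age the baseline so a host that was compromised during the learning window does not stay whitelisted forever.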

#4  kMastaFlash (Senior Member; joined Aug 2012; 904 posts; certifications: A+, Network+, Security+, DECA-ISM v2, MCP, MTA x2, CCENT, CCNA R&S, C|EH, C|HFI, Linux+, LPIC-1, E|CSS, E|CES, GPEN, OSWP, Server+, LPT, GCIH, E|CIH)
    For PsExec-based attacks, I think Microsoft released a patch for it. I think it was more towards PTH attacks, but maybe it blocks PsExec also?

    https://www.microsoft.com/en-us/down...34bcdd6d2=True

    Other than that, this is outside the scope of what I know. Best of luck!
    2017:E|CSA 2018: C|ND,ICND2,E|CSP,CISSP,CCNA-Security,CSA+,GWAPT,CCSK,eCRE,GXPN 2019: CWNA,OSCP Retake, eLearnSecurity courses 2020: LPIC-2

#5  E Double U (Senior Member; The Netherlands; joined Apr 2014; 1,174 posts; certifications: CISSP, CISM, GCIA, GCIH, C|EH, and more.)
    Thanks for the responses!

    @UnixGuy - I am looking for actual rules.
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson

#6  si20 (Senior Member; UK; joined May 2014; 427 posts; certifications: MCDST, MCP, BSc Computer Forensics, MTA: 98-366, OSWP, OSCP, FJSE, ACE, PGCert, Linux+)
    Good luck finding any rules... When I was a senior sec analyst, I was working with a couple of guys who were supposed to help me create lateral movement rules. Turns out that half the team didn't know what lateral movement was, half the team didn't have any security certs, all of the team had never done any pen-testing and didn't know what an attack looked like... so they hired a third-party contractor to come in and write the rules. The guy wrote the rules, charged $$$$$ and then left, presumably laughing all the way to the bank.

    When we figured out there was no documentation, the manager sent the team on $5,000 SANS courses. Half the team failed. Those who passed left the company. You see where this is going: it never happened.

    So in the end, I implemented what you're talking about, e.g. scheduled tasks etc., looking for PsExec traces, and ultimately found absolutely nothing. Sorry to be the bearer of bad news, but the only people who can legitimately create rules like that are contractors who go from company to company charging big bucks for it. And then you've got to ask yourself, even if you get the rules, are they actually going to detect anything? A ruleset is only as good as the traffic fed into it, and most places I've worked at were feeding junk into junk rules and expecting to find 0-days.
    Plans for early 2018: CompTIA Security+
    Plans for 2018/Beyond: MTA Software Development Fundamentals and see where that takes me

#7  E Double U (Senior Member; The Netherlands; joined Apr 2014; 1,174 posts; certifications: CISSP, CISM, GCIA, GCIH, C|EH, and more.)
    Thanks si20!
    "You tried your best and you failed miserably. The lesson is, never try." - Homer Simpson