You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Just wanted to point you out to a research paper of JPCERT in regards to "Detecting Lateral Movement through Tracking Event Logs".
Windows Event Logs generated because of 44 typical tools and commands, used for lateral movement, were analysed.
I think it will be a great resource for creating Sigma rules for detecting lateral movement in Windows environments.
Hi! Thanks for the pointer! I picked up the nice work from JPCERT few weeks ago and created some Sigma rules from it, at least:
windows/builtin/win_mal_wceaux_dll.yml
windows/builtin/win_susp_sdelete.yml
windows/other/win_tool_psexec.yml
resulted from this work. Others, like windows/sysmon/sysmon_password_dumper_lsass.yml were already contained in the rule set from our own research.
Unfortunately, most tools cause only very generic log entries. Searching for them in a Windows environment would result in huge noise, so I didn't created rules for these. I still have a list of chapters from the JPCERT document where I have to check, if the indicators are specific enough to create Sigma rules from it.
Hi,
Just wanted to point you out to a research paper of JPCERT in regards to "Detecting Lateral Movement through Tracking Event Logs".
Windows Event Logs generated because of 44 typical tools and commands, used for lateral movement, were analysed.
I think it will be a great resource for creating Sigma rules for detecting lateral movement in Windows environments.
Here is the link to the article: http://blog.jpcert.or.jp/2017/06/1-ae0d.html
And here is the link to the PDF: https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
The text was updated successfully, but these errors were encountered: