Detecting Lateral Movement through Tracking Event Logs

[c904370]

Hi,

Just wanted to point you out to a research paper of JPCERT in regards to "Detecting Lateral Movement through Tracking Event Logs".
Windows Event Logs generated because of 44 typical tools and commands, used for lateral movement, were analysed.

I think it will be a great resource for creating Sigma rules for detecting lateral movement in Windows environments.

Here is the link to the article: http://blog.jpcert.or.jp/2017/06/1-ae0d.html
And here is the link to the PDF: https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

[thomaspatzke]

Hi! Thanks for the pointer! I picked up the nice work from JPCERT few weeks ago and created some Sigma rules from it, at least:

• windows/builtin/win_mal_wceaux_dll.yml
• windows/builtin/win_susp_sdelete.yml
• windows/other/win_tool_psexec.yml

resulted from this work. Others, like windows/sysmon/sysmon_password_dumper_lsass.yml were already contained in the rule set from our own research.

Unfortunately, most tools cause only very generic log entries. Searching for them in a Windows environment would result in huge noise, so I didn't created rules for these. I still have a list of chapters from the JPCERT document where I have to check, if the indicators are specific enough to create Sigma rules from it.