Lateral Movement Content Pack
Lateral movement is a stage of the kill chain. After an initial attack has given an adversary entry into a company's internal environment, lateral movement is the process of escalating credentials and gaining access to additional internal systems. This content pack contains a set of rules that monitor Windows systems for lateral movement.
Figure 1. Advanced Persistent Threat Kill Chain.
The Lateral Movement Content Pack:
- Identifies suspicious Windows login activity to reveal lateral movement attempts
- Leverages Windows log activity
- Is delivered as a combination of App rules, ESA rules, and Reports via Live
Attack Overview
In a lateral movement scenario, the attacker gains access to a machine on the internal network. This may be a domain controller or a user's endpoint machine. The attacker may escalate privileges on the compromised system, or may already hold a compromised domain administrator or local administrator account. Once the attacker has elevated privileges on the compromised system, the focus becomes gaining access to additional systems on the network.
The figure below shows the typical flow of an attacker who, using elevated privileges or pass-the-hash, uses a network share to copy a backdoor and then executes that backdoor through a scheduled service, job, or other remote execution tool.
Figure 2. Typical Lateral Movement attack flow through a network
Requirements and Performance Considerations
When implementing the Lateral Movement content pack, keep in mind the following:
- Logging is NOT typically enabled on workstations with most customers; typically it is enabled only on servers.
- A Windows log parser must be enabled in order to collect logs. This requires either winevent_nic, winevent_snare, or winevent_er.
- If you enable logging on workstations, this greatly increases how many Events Per Second are captured.
- Items that could be limited to just high value assets (for example, Domain Controllers): Windows Credential Harvesting Service Application Rule
- Rules that would require collection from all endpoints:
  - ESA Rule: Lateral Movement Suspected Windows
  - Application Rule: Windows NTLM Network Logon Successful
- Place the log collector / decoder to monitor endpoint traffic and high value internal systems such as domain controllers.
- Download content from Live and deploy it to the appropriate component.
See the individual rule descriptions for any additional logging requirements.
Dependencies
To use the content pack, the following parsers, feeds, and custom meta are required:
- A high-value asset custom feed, and custom meta keys event.computer, service.name, disposition, fd.hva.group and fd.escalate. See the Create Meta and Feed for Lateral Movement topic for more details.
- This content pack depends on the following reports and rules:
  - Application Rule: Windows NTLM Network Logon Successful
  - Application Rule: Windows Credential Harvesting Services
  - Report: Lateral Movement Indicators - Windows
  - ESA Rule: Lateral Movement Suspected Windows
Event IDs Used in Rules
A summary of the Windows event IDs used within the rules is below.
Event ID | Description | Event Source | Supported OS | Increased Logging Required? |
---|---|---|---|---|
528 | Successful Logon | Security Auditing | Windows Server 2000, Windows 2003 and XP | No |
540 | Successful Logon | Security Auditing | Windows Server 2000, Windows 2003 and XP | No |
4624 | Successful Logon | Security Auditing | Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 | No |
552 | Logon attempt using explicit credentials | Security Auditing | Windows Server 2000, Windows 2003 and XP | No |
4648 | Logon attempt using explicit credentials | Security Auditing | Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 | No |
5145 | A network share object was checked to see whether the client can be granted the desired access | Security Auditing | Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10 | Detailed file audit logging must be enabled for the file copy event to be recorded. |
7045 | A service was installed on the system | Service Control Manager | All | No |
7036 | A service was started on the system | Service Control Manager | All | No |
Rules and Reports Details
This section details the rules and reports that form the core of the Lateral Movement Content Pack. The Windows Event IDs used by these rules are summarized in the table above.
- Application Rule: Windows NTLM Network Logon Successful
- Application Rule: Windows Credential Harvesting Services
- Report: Lateral Movement Indicators - Windows
- ESA Rule: Lateral Movement Suspected Windows
Application Rule: Windows NTLM Network Logon Successful
Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems that use the Kerberos authentication protocol.
The rule reduces false positives by excluding anonymous logons, and eliminates all DC or machine logons by excluding any user name that ends in a $. We recommend that, within the rule logic, you also exclude the domain for which the Domain Controller is responsible.
Rule Logic:
name=nw30060 rule="reference.id='528','540','4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')"
Within the SA UI Investigation page, you should see the risk.info meta key populated with the name of the application rule.
Application Rule: Windows Credential Harvesting Services
This rule monitors the installation of Windows services known to be used for pass-the-hash and brute force attacks. These include psexec, wce, pwdump, cachedump, and gsecdump.
Rule Logic:
name=nw05415 rule="reference.id='7045' && service.name begins 'wce','psexe','pwdump','cachedump','gsecdump'"
Within the SA UI Investigation page, you should see the risk.suspicious meta key populated with the name of the application rule.
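As an added example (not the content pack's own rule code), the following Python evaluates the two application rules above against constructed events. Each event is a dict keyed by the meta names the rules reference; the `begins` and `ends` operators are reproduced as string prefix and suffix tests. The rule names nw30060 and nw05415 and the risk.info / risk.suspicious target keys come from the page; the case-insensitive prefix match on service.name is an assumption made here, not something the rule syntax states.

```python
"""Evaluate the two Lateral Movement application rules over constructed events.

Added example, not the content pack's own code. Each event is a dict keyed by
the NetWitness meta names the rules reference (reference.id, logon.type,
process, user.dst, service.name). The rule names and risk meta keys come from
the page; the case-insensitive service.name comparison is an assumption.
"""

# Successful-logon event IDs referenced by rule nw30060 (legacy and current).
NTLM_LOGON_IDS = {"528", "540", "4624"}

# Service-name prefixes referenced by rule nw05415.
HARVESTING_PREFIXES = ("wce", "psexe", "pwdump", "cachedump", "gsecdump")


def ntlm_network_logon_successful(event: dict) -> bool:
    """nw30060: network (type 3) logon authenticated by NtLmSsp, excluding
    anonymous logons and machine/DC accounts (names ending in '$')."""
    user = event.get("user.dst", "")
    return (
        event.get("reference.id") in NTLM_LOGON_IDS
        and event.get("logon.type") == "3"
        and event.get("process") == "NtLmSsp"
        and user != "ANONYMOUS LOGON"
        and not user.endswith("$")
    )


def credential_harvesting_service(event: dict) -> bool:
    """nw05415: a service was installed (7045) under a name that begins with a
    known credential-harvesting or remote-execution tool name."""
    name = event.get("service.name", "")
    # Assumption: compare case-insensitively so 'PSEXESVC' matches 'psexe'.
    return event.get("reference.id") == "7045" and name.lower().startswith(HARVESTING_PREFIXES)


def apply_rules(events: list) -> list:
    """Return a copy of each event with the risk meta a matching rule would add."""
    tagged = []
    for event in events:
        enriched = dict(event)
        if ntlm_network_logon_successful(event):
            enriched["risk.info"] = "nw30060"        # rule name lands in risk.info
        if credential_harvesting_service(event):
            enriched["risk.suspicious"] = "nw05415"  # rule name lands in risk.suspicious
        tagged.append(enriched)
    return tagged


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"reference.id": "4624", "logon.type": "3", "process": "NtLmSsp", "user.dst": "jdoe"},
    {"reference.id": "4624", "logon.type": "3", "process": "NtLmSsp", "user.dst": "WKS01$"},
    {"reference.id": "4624", "logon.type": "3", "process": "NtLmSsp", "user.dst": "ANONYMOUS LOGON"},
    {"reference.id": "4624", "logon.type": "3", "process": "Kerberos", "user.dst": "jdoe"},
    {"reference.id": "540", "logon.type": "2", "process": "NtLmSsp", "user.dst": "jdoe"},
    {"reference.id": "7045", "service.name": "PSEXESVC"},
    {"reference.id": "7045", "service.name": "Spooler"},
    {"reference.id": "7036", "service.name": "PSEXESVC"},
]


def match_counts(events: list) -> tuple:
    """Return (events tagged by nw30060, events tagged by nw05415)."""
    tagged = apply_rules(events)
    return (
        sum("risk.info" in e for e in tagged),
        sum("risk.suspicious" in e for e in tagged),
    )


if __name__ == "__main__":
    for event in apply_rules(SAMPLE_EVENTS):
        print(event)
    print(match_counts(SAMPLE_EVENTS))  # (1, 1)
```

Only the interactive NTLM logon by jdoe and the PSEXESVC installation are tagged; the machine account, the anonymous logon, the Kerberos logon, the non-network logon type and the service start (7036) all fall through, which is the behaviour the two rule descriptions call for.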
Report: Lateral Movement Indicators - Windows
This report displays the possible indicators of lateral movement on Windows systems by presenting the results of the two application rules described earlier in this document.
The third report rule, Windows Logon to High Value Assets, summarizes logons to high value assets so that anomalies can be identified. The high value assets are determined through a custom feed that populates the custom meta keys fd.hva.group and fd.escalate based on a callback to the event.computer (or device.ip) meta key.
See Create Meta and Feed for Lateral Movement for details about the custom feed and meta required by this report.
Screenshots of the report output are below.
Figure 3. Details of the rules used in the Lateral Movement Indicators - Windows report.
Figure 4. Details of the Windows Credential Harvesting Service rule.
Figure 5. Details of the Windows NTLM Network Logon Successful rule.
Figure 6. Details of the Windows High Value Assets rule.
ESA Rule: Lateral Movement Suspected Windows
Detects, within a Windows environment, a sequence of events in which an executable is copied to a file share, the executable is used to create a new service, and the service is started, all within 5 minutes. This sequence may indicate an attacker moving laterally by executing a backdoor on a victim machine from an already compromised system.
Note the following:
- The time window is configurable.
- All events must be logged for the same event computer.
- Detailed file audit logging must be enabled for the file copy event to be recorded.
- Requires enabling of a Microsoft Windows log parser (winevent_nic, winevent_er, or winevent_snare).
- Uses the non-standard meta keys event.computer, service.name and disposition, so they must be made available to the Log Decoder and Concentrator.
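As an added example (not the ESA rule's own EPL), the following Python replays constructed events per event computer and raises an alert when a share file copy (5145), a service installation (7045) and a service start (7036) occur in that order within a configurable window, 5 minutes by default as stated above. Two details the page leaves to Figure 8 are assumptions here: the copied file is recognized by a `.exe` suffix on the 5145 target name, and the 7036 start is tied to the 7045 install by an equal service.name.

```python
"""Sequence correlation for the Lateral Movement Suspected ESA rule.

Added example, not the ESA rule's own code. Events are replayed in time order
and a partial sequence is kept per event computer; the window is configurable
(5 minutes by default). Assumptions: a 5145 starts a sequence only when the
target name ends in '.exe', and a 7036 completes it only when its
service.name equals that of the pending 7045.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    time: datetime
    computer: str           # event.computer meta
    reference_id: str       # reference.id meta
    target: str = ""        # share object name carried by 5145
    service_name: str = ""  # service.name meta carried by 7045 / 7036


@dataclass(frozen=True)
class Alert:
    computer: str
    service_name: str
    copy_time: datetime
    start_time: datetime


def correlate(events, window=timedelta(minutes=5)):
    """Return an Alert for every complete copy -> install -> start sequence."""
    state = {}   # computer -> {"copy": Event, "install": Event}
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        st = state.setdefault(ev.computer, {})
        # Expire a partial sequence whose file copy is older than the window.
        if "copy" in st and ev.time - st["copy"].time > window:
            st.clear()
        if ev.reference_id == "5145":
            # Assumption: only an executable written to a share opens a sequence;
            # an already pending copy is kept so later share noise does not reset it.
            if ev.target.lower().endswith(".exe") and "copy" not in st:
                st["copy"] = ev
        elif ev.reference_id == "7045" and "copy" in st:
            st["install"] = ev
        elif (ev.reference_id == "7036" and "install" in st
              and ev.service_name == st["install"].service_name):
            alerts.append(Alert(ev.computer, ev.service_name, st["copy"].time, ev.time))
            st.clear()
    return alerts


# Constructed sample events (not real log data).
T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # HOST-A: complete sequence inside the 5 minute window -> alert
    Event(T0, "HOST-A", "5145", target="ADMIN$\\svc.exe"),
    Event(T0 + timedelta(seconds=40), "HOST-A", "7045", service_name="svc"),
    Event(T0 + timedelta(seconds=65), "HOST-A", "7036", service_name="svc"),
    # HOST-B: same sequence, but the start arrives 7 minutes after the copy
    Event(T0 + timedelta(hours=1), "HOST-B", "5145", target="C$\\tmp\\svc.exe"),
    Event(T0 + timedelta(hours=1, minutes=4), "HOST-B", "7045", service_name="svc"),
    Event(T0 + timedelta(hours=1, minutes=7), "HOST-B", "7036", service_name="svc"),
    # HOST-C: service install and start with no preceding share copy
    Event(T0 + timedelta(hours=2), "HOST-C", "7045", service_name="Spooler"),
    Event(T0 + timedelta(hours=2, seconds=5), "HOST-C", "7036", service_name="Spooler"),
    # HOST-A: a document copy, which does not open a new sequence
    Event(T0 + timedelta(hours=3), "HOST-A", "5145", target="Shared\\report.docx"),
]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the default window only HOST-A fires; widening the window to 10 minutes also catches HOST-B, which illustrates why the page calls the time window configurable: a longer window trades more coverage of slow operators for more exposure to coincidental service activity on busy hosts.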
Figure 7. Lateral Movement Suspected ESA Rule Syntax Details.
Figure 8. ESA Rule Logic explained.
Figure 9. Example of the Lateral Movement Suspected ESA Rule Triggered.
Conclusion
Using tools such as the RSA NetWitness Platform in an enterprise can help to identify incidents early, before sensitive data has actually been accessed or exfiltrated. Decreasing the time to detection is critical when dealing with sensitive data, and this situational awareness can initiate a quicker incident response and reduce the overall exposure. NetWitness provides organizations with the capability to discover and mitigate attacks before they become major incidents. Broad and early detection of malicious activity should always be a priority for organizations.
For more details on some of the NetWitness procedures described in this topic, see the following: