Detecting Lateral Movement
Almost two years ago, I posted this article that addressed how to track lateral movement within an infrastructure. At the time, I'd been using this information successfully during engagements, and I still use it today.
This morning, I saw this video from Rapid7, and I thought that Mike did a great job with the presentation. Mike made some very good points during his presentation. For example, "SMB" is native to a Windows infrastructure, and with the right credentials, an adversary can go just about anywhere they please.
There were some things missing in the presentation, some caveats that need to be mentioned; I do understand that they were likely left out for the sake of time. However, they are important. For example:
Security-Auditing/4698 events - Scheduled Task creation; under Advanced Security Audit Policy settings, Object Access > Audit Other Object Access Events must be enabled for this event to be written to the Security Event Log. It is not enabled by default.
Security-Auditing/4697 events - Service installation; as with 4698, systems are not configured by default to audit service creation via the Security Event Log. This event is controlled by System > Audit Security System Extension. Note that the System Event Log does record Service Control Manager/7045 ("A service was installed in the system") by default, so that is worth checking even on hosts where 4697 was never enabled.
So, the take-away here is that in order for these (and other) events to be useful, admins need to properly configure auditing on systems, and employ a SIEM with some sort of filtering capability. Increasing auditing alone will not be useful. I've seen that time and time again when an incident is identified: auditing is ramped up suddenly, the Security Event Logs start filling up and rolling over in a matter of a few hours, and valuable information is lost. The best thing to do is to enable auditing that makes sense within your infrastructure ahead of time, employing the appropriate settings (what to audit, increasing the default size of the Windows Event Log files, etc.) before an incident occurs.
Also, consider the use of Microsoft's Sysmon, sending the collected data to a SIEM (Splunk, for example). Monitoring process creation (Sysmon Event ID 1, which records the full command line and the parent process) is extremely valuable, and not just in incident response. For IR, having the process creation information available (along with a means to monitor it in a timely manner) reduces IR engagements from days or weeks to hours or even minutes. If setting up Sysmon, Splunk, and filters is too daunting a task, consider employing something like Carbon Black.
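The following PowerShell is an added example, not code from the original post or from Rapid7; it puts the points above into one script: enable the two audit subcategories behind 4697 and 4698 (addressed by GUID so the commands work on non-English hosts), raise the Security log size so the new volume does not roll over in hours, and then pull the service-install, scheduled-task and Sysmon process-creation events with the fields an analyst actually looks at. The 1 GB log size and the one-day lookback are assumptions to size for your own environment; the Sysmon channel name assumes Sysmon is already installed.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# 1) Enable the Advanced Audit Policy subcategories that produce 4698 and 4697.
#    GUIDs avoid locale-specific subcategory names; the English names are in comments.
$subcategories = @{
    '{0CCE9227-69AE-11D9-BED3-505054503030}' = 'Other Object Access Events (Security/4698 - scheduled task created)'
    '{0CCE9211-69AE-11D9-BED3-505054503030}' = 'Security System Extension (Security/4697 - service installed)'
}
foreach ($guid in $subcategories.Keys) {
    Write-Host "Enabling $($subcategories[$guid])"
    & auditpol.exe /set /subcategory:$guid /success:enable /failure:enable | Out-Null
    & auditpol.exe /get /subcategory:$guid          # show the effective setting
}

# 2) Enlarge the Security log. The default (20 MB) rolls over within hours once this
#    auditing is on. 1 GB is an assumption; size it for your event rate and retention.
& wevtutil.exe sl Security /ms:1073741824

# Helper: turn an event's <EventData><Data Name="..."> elements into a hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($item in $xml.Event.EventData.Data) { $fields[$item.Name] = $item.'#text' }
    return $fields
}

# 3) Service installs and scheduled-task creations in the last day (lookback is an assumption).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4697, 4698; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            # 4697 carries the service name and binary path; 4698 carries the task name.
            Detail  = if ($_.Id -eq 4697) { "$($d['ServiceName']) -> $($d['ServiceFileName'])" } else { $d['TaskName'] }
        }
    } | Format-Table -AutoSize

# 4) Sysmon process creation (Event ID 1): full command line plus parent image,
#    which is what lets you see, e.g., services.exe or a task host spawning cmd.exe.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['User']
            Parent      = $d['ParentImage']
            CommandLine = $d['CommandLine']
        }
    } | Format-Table -AutoSize
```

Steps 1 and 2 are the "ahead of time" part: run them (or push the equivalent through Group Policy) before an incident, not during one. Steps 3 and 4 are the triage view; on a real network the same queries belong in the SIEM, filtered on the service path, task name, parent image or command line rather than run host by host.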
Thanks to Rapid7 for sharing the video; it's some great information.
Resources
Description of Security Events in Windows 7/Windows Server 2008 R2