Lateral Movement Content Pack

Document created by RSA Information Design and Development on Jul 20, 2016Last modified by RSA Information Design and Development on Oct 8, 2018
Version 154Show Document
  • View in full screen mode
 

Lateral movement is a part of the kill chain. After an attack has taken place, which allows entry into a company’s internal environment, lateral movement is the process of elevating credentials and gaining access to additional internal systems. This package of content contains a set of rules that monitor Windows system for lateral movement.

Figure 1. Advanced Persistent Threat Kill Chain.

The Lateral Movement Content Pack:

  • Identifies suspicious Windows login activity to reveal lateral movement attempts

  • Leverages Windows log activity
  • Is delivered as combination of App rules, ESA, and Reports via Live

Attack Overview

In a lateral movement scenario, the attacker gains access to a machine on the internal network. This may be a domain controller or a user’s endpoint machine. The process may involve privilege escalation on the attacker system or represent existing compromise of domain administrator account or local administrator account. Once the attacker has elevated privileges on the compromised system, then the focus becomes gaining access to additional systems on the network.

The figure below shows the typical flow of an attacker using elevated privileges or via pass-the-hash, using a network share point to copy a backdoor and execute that backdoor either through a scheduled service, job or other tool for remote execution.

Figure 2. Typical Lateral Movement attack flow through a network

Requirements and Performance Considerations

When implementing the Lateral Movement content pack, keep in the mind the following:

  • Logging is NOT typically enabled on workstations with most customers: typically only on servers.

  • A Windows log parser, enabled, in order to collect logs. Requires either winevent_nic, winevent_snare, or winevent_er.
  • If you enable logging on workstations, this greatly increases how many Events Per Second are captured

  • Items that could be limited to just high value assets (for example Domain controllers): Windows Credential Harvesting Service Application Rule

  • Rules that would require collection from all endpoints:
    • ESA Rule: Lateral Movement Suspected Windows
    • Application Rule: Windows NTLM Network Logon Successful
  • Place the log collector / decoder to monitor endpoint traffic and high value internal systems such as domain controllers
  • Download content from Live and deploy to the appropriate component

See the individual rule descriptions for any additional logging requirements.

Dependencies

To use the content pack, the following parsers, feeds, and custom meta are required:

  • A high-value asset custom feed, and custom meta keys event.computer, service.name, disposition, fd.hva.group and fd.escalate.

    See the Create Meta and Feed for Lateral Movement topic for more details.

  • This content pack depends on the following reports and rules:
    • Application Rule: Windows NTLM Network Logon Successful
    • Application Rule: Windows Credential Harvesting Services
    • Report: Lateral Movement Indicators - Windows
    • ESA Rule: Lateral Movement Suspected Windows

Event IDs Used in Rules

A summary of the windows event IDs used within the rules is below.

                                                                         
Event IDDescriptionEvent SourceSupported OSIncreased Logging Required?

528

Successful Logon

Security Auditing

Windows Server 2000

Windows 2003 and XP

No

540

Successful Logon

Security Auditing

Windows Server 2000

Windows 2003 and XP

No

4624

Successful Logon

Security Auditing

Windows 2008 R2 and 7

Windows 2012 R2 and 8.1

Windows 2016 and 10

No

552

Logon attempt using explicit credentials

Security Auditing

Windows Server 2000

Windows 2003 and XP

No

4648

Logon attempt using explicit credentials

Security Auditing

Windows 2008 R2 and 7

Windows 2012 R2 and 8.1

Windows 2016 and 10

No

5145

A network share object was checked to see whether client can be granted desired access

Security Auditing

Windows 2008 R2 and 7

Windows 2012 R2 and 8.1

Windows 2016 and 10

Detailed file audit logging must be enabled for the file copy event to be recorded.

 

7045

A service was installed on the system

Service Control Manager

All

No

7036

A service was started on the system

Service Control Manager

All

No

Rules and Reports Details

This section details the rules and reports that form the core of the Lateral Movement Content Pack. It also contains a table that lists the Windows Event IDs used in the rules that comprise the Lateral Movement pack.

Application Rule: Windows NTLM Network Logon Successful

Indicates a possible pass-the-hash attack on Windows systems configured to use the NTLM authentication protocol. This rule does not apply to systems that use the Kerberos authentication protocol.

The rule reduces false positives for anonymous logons and eliminates all DC or machine logons by removing any user names that end in a $.  We recommend that within the rule logic, you exclude the domain for which the Domain Controller is responsible.

Rule Logic:

name=nw30060 rule="reference.id='528',’540’,'4624' && logon.type='3' && process='NtLmSsp' && user.dst!='ANONYMOUS LOGON' && NOT(user.dst ends '$')"

Within the SA UI Investigation page, you should see the risk.info meta key populated with the name of the application rule.

Application Rule: Windows Credential Harvesting Services

This rule monitors the installation of Windows services known to be used for pass the hash and brute force attacks. These may include psexec, wce, pwdump, cachedump, gsecdump.

Rule Logic:

name=nw05415 rule="reference.id='7045' && service.name begins 'wce','psexe','pwdump','cachedump','gsecdump'"

Within the SA UI Investigation page, you should see the risk.suspicious meta key populated with the name of the application rule.

Report: Lateral Movement Indicators - Windows

This report displays the possible indicators of lateral movement on Windows systems by displaying the results of the 2 application rules described earlier within this document.

The third report rule, Windows Logon to High Value Assets, is meant to summarize logons by high value assets so that anomalies may be determined. The high value assets are determined through a custom feed that populates custom meta keys of fd.hva.group and fd.escalate based on a callback to the event.computer (or device.ip) meta key.

See Create Meta and Feed for Lateral Movement for details about the custom feed and meta required by this report.

Screenshots of the report output are below.

Figure 3. Details of the rules used in the Lateral Movement Indicators - Windows report.

Figure 4. Details of the Windows Credential Harvesting Service rule.

Figure 5. Details of the Windows NTLM Network Logon Successful rule.

Figure 6. Details of the Windows High Value Assets rule.

ESA Rule: Lateral Movement Suspected Windows

Detects within a Windows environment a sequence of events in which an executable is copied to a file share, the executable is used to create a new service and the service is started within 5 minutes. The sequence of events may indicate an attacker moving laterally by executing a backdoor on a victim machine from an already compromised system.

Note the following:

  • The time window is configurable.
  • All events must be logged for the same event computer.
  • Detailed file audit logging must be enabled for the file copy event to be recorded.
  • Requires enabling of a Microsoft Windows log parser (winevent_nic, winevent_er, or winevent_snare).
  • Uses non-standard meta keys of event.computer, service.name and disposition and so they must be made available to the Log Decoder and Concentrator.

Figure 7. Lateral Movement Suspected ESA Rule Syntax Details.

Figure 8. ESA Rule Logic explained.

Figure 9. Example of the Lateral Movement Suspected ESA Rule Triggered.

Conclusion

Using tools such as RSA NetWitness Platform in an enterprise can help to identify incidents early, before sensitive data has actually been accessed or exfiltrated. Decreasing the time to detection is critical when dealing with sensitive data, and having this situational awareness can initiate a quicker incident response and reduce the overall exposure. NetWitness provides organizations with the capability to discover and mitigate attacks before they become major incidents. Focusing on broad and early detection of malicious activity should always be a priority to organizations.

Related Procedures 

For more details on some of the NetWitness procedures described in this topic, see the following:

Previous Topic:Known Threats Pack
Next Topic:Hunting Pack
You are here
Table of Contents > RSA NetWitness Platform Content > Bundles > Lateral Movement Content Pack

Attachments

    Outcomes