title: Lateral Movement via [TECHNIQUE]
id: GENERATE-NEW-UUID
status: experimental
description: Detects lateral movement activity using [specific technique/tool]
references:
  - https://attack.mitre.org/tactics/TA0008/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
  - attack.lateral_movement
  - attack.t1021  # Replace with the specific sub-technique
logsource:
  category: process_creation  # or network_connection, authentication
  product: windows
detection:
  selection:
    # Define your detection criteria
    # Examples:
    # ParentImage|endswith: '\services.exe'
    # CommandLine|contains: 'psexec'
    # LogonType: 3  # Network logon
  filter_legitimate:
    # Add filters for known false positives
    # User|contains: 'SVC_'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate administrative activity
  - Scheduled tasks
  - IT operations
level: high
fields:
  - ComputerName
  - User
  - SourceIp
  - DestinationIp
  - CommandLine

# Common Lateral Movement Techniques:
#
# T1021.001 - Remote Desktop Protocol (RDP)
# detection:
#   selection:
#     EventID: 4624
#     LogonType: 10  # RemoteInteractive
#
# T1021.002 - SMB/Windows Admin Shares
# detection:
#   selection:
#     EventID: 5140
#     ShareName|endswith:
#       - 'ADMIN$'
#       - 'C$'
#
# T1021.006 - Windows Remote Management (WinRM)
# detection:
#   selection:
#     EventID: 4624
#     LogonType: 3
#     AuthenticationPackageName: 'Negotiate'
#     ProcessName|endswith: '\wsmprovhost.exe'
#
# T1550.002 - Pass the Hash
# detection:
#   selection:
#     EventID: 4624
#     LogonType: 3
#     LogonProcessName: 'NtLmSsp'
#     AuthenticationPackageName: 'NTLM'