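title: Lateral Movement via [TECHNIQUE]
id: GENERATE-NEW-UUID  # must be a freshly generated UUIDv4; Sigma validators reject any other value
status: experimental
description: Detects lateral movement activity using [specific technique/tool]
references:
  - https://attack.mitre.org/tactics/TA0008/
author: Your Name
date: 2024/01/20
modified: 2024/01/20
tags:
  - attack.lateral_movement
  - attack.t1021  # Replace with the specific sub-technique, e.g. attack.t1021.002
logsource:
  # The logsource MUST match the fields used in the selection below, otherwise the
  # rule compiles but never fires:
  #   category: process_creation           -> Image, ParentImage, CommandLine, User
  #   category: network_connection         -> DestinationIp, DestinationPort, Initiated
  #   product: windows + service: security -> EventID 4624 / 5140 / 5145 (LogonType,
  #                                           IpAddress, WorkstationName, ShareName)
  # "authentication" is not a Sigma category: Windows logon events live in
  # service: security.
  category: process_creation
  product: windows
detection:
  selection:
    # Define the detection criteria for the logsource chosen above, e.g.:
    # ParentImage|endswith: '\services.exe'   # process_creation
    # CommandLine|contains: 'psexec'          # process_creation
    # LogonType: 3                            # service: security only (EventID 4624)
  filter_legitimate:
    # Scope exclusions as narrowly as possible: pair an account with the host it
    # is expected to act from/on. A blanket exclusion such as
    #   User|contains: 'SVC_'
    # silently whitelists every service account, and compromised service
    # accounts are a common vehicle for lateral movement.
    # Example of a narrow filter:
    # User: 'DOMAIN\SVC_BACKUP'
    # ComputerName: 'BACKUP01'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate administrative activity
  - Scheduled tasks
  - IT operations
# Set level to match the rule's precision: keep 'high' only once the selection is
# specific enough that the false positives listed above are rare.
level: high
fields:
  # Field names depend on the logsource: EventID 4624 carries IpAddress and
  # WorkstationName rather than SourceIp / DestinationIp.
  - ComputerName
  - User
  - SourceIp
  - DestinationIp
  - CommandLine

# Common Lateral Movement Techniques (each example needs the logsource shown):
#
# T1021.001 - Remote Desktop Protocol (RDP)
# logsource:
#   product: windows
#   service: security
# detection:
#   selection:
#     EventID: 4624
#     LogonType: 10  # RemoteInteractive
#
# T1021.002 - SMB/Windows Admin Shares
# logsource:
#   product: windows
#   service: security
# detection:
#   selection:
#     EventID: 5140  # requires the "Audit File Share" subcategory to be enabled
#     ShareName|endswith:
#       - 'ADMIN$'
#       - 'C$'
# NOTE(review): EventID 5145 (Detailed File Share) also exposes RelativeTargetName,
# which is what shows a tool's service binary being dropped (e.g. PSEXESVC.exe);
# prefer it where that subcategory is audited.
#
# T1021.006 - Windows Remote Management (WinRM)
# logsource:
#   product: windows
#   service: security
# detection:
#   selection:
#     EventID: 4624
#     LogonType: 3
#     AuthenticationPackageName: 'Negotiate'
#     ProcessName|endswith: '\wsmprovhost.exe'
# NOTE(review): wsmprovhost.exe is the provider host started for an established
# session, so it is not certain that the 4624 logon event carries it as
# ProcessName — confirm against real data. The commonly used alternative is
# category: process_creation with ParentImage|endswith: '\wsmprovhost.exe'.
#
# T1550.002 - Pass the Hash
# logsource:
#   product: windows
#   service: security
# detection:
#   selection:
#     EventID: 4624
#     LogonType: 3
#     LogonProcessName: 'NtLmSsp'
#     AuthenticationPackageName: 'NTLM'
#   filter_machine_accounts:
#     TargetUserName|endswith: '$'
#   condition: selection and not filter_machine_accounts
# NOTE(review): as written the selection matches every NTLM network logon, not
# Pass-the-Hash specifically. Narrow it (e.g. non-machine accounts, unexpected
# source hosts, KeyLength 0) or pair it with the source-host artefact
# LogonType 9 / LogonProcessName 'seclogo' / AuthenticationPackageName
# 'Negotiate' that mimikatz sekurlsa::pth leaves behind. Raw LogonProcessName
# values may carry a trailing space; check how your pipeline normalises them.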