Lateral Movement (MITRE ATT&CK: T1021 Remote Services; RDP is T1021.001, formerly tracked as T1076)

Note: You may have to customise these queries to your environment (host names, IP ranges, thresholds). A query only returns results if the relevant data is actually being collected: all of the tables below (DeviceLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceEvents) are Microsoft Defender for Endpoint advanced hunting tables, so the device must be onboarded and the relevant sensor data present.


Overview:

Lateral movement is the phase in which an attacker, having compromised one host, reuses credentials or tokens to reach additional systems on the network. On Windows this typically rides on legitimate administrative channels: RDP, SMB (admin shares and named pipes), WinRM/PowerShell remoting, WMI, remote service or scheduled-task creation, and tools such as PsExec. Because the same channels are used by administrators every day, most of the queries below are hunting queries rather than alerts: the signal is usually a new source-to-destination pair, an unusual account on a given host, or one source fanning out to many targets in a short window.
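The fan-out pattern described above, as an added example that is not part of the original page: an account and source IP that successfully log on over the network to several hosts in one hour, counting only (account, target) pairs not seen in the preceding 30 days. The baseline/recent windows and the threshold of five new targets are assumptions to tune per environment; machine accounts (ending in $) and loopback sources are excluded to cut noise.

```kql
// Added example (not from the original page): lateral-movement fan-out with a baseline.
// Defender for Endpoint advanced hunting (KQL). Windows and threshold are assumptions.
let baseline_window = 30d;     // how far back "known" pairs are learned
let recent_window   = 1d;      // the period being hunted
let min_new_targets = 5;       // assumed threshold; raise on large flat networks
let logons = DeviceLogonEvents
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Network", "RemoteInteractive")
    | where isnotempty(RemoteIP) and RemoteIP !in ("127.0.0.1", "::1")
    | where not(AccountName endswith "$")                 // drop machine accounts
    | project Timestamp, DeviceName, AccountName, RemoteIP, LogonType;
// (account, target) pairs already seen in the baseline period are considered normal
let known_pairs = logons
    | where Timestamp between (ago(baseline_window + recent_window) .. ago(recent_window))
    | distinct AccountName, DeviceName;
logons
| where Timestamp > ago(recent_window)
| join kind=leftanti known_pairs on AccountName, DeviceName   // keep only never-seen pairs
| summarize NewTargets = dcount(DeviceName),
            Targets    = make_set(DeviceName, 25),
            LogonTypes = make_set(LogonType),
            FirstSeen  = min(Timestamp),
            LastSeen   = max(Timestamp)
    by AccountName, RemoteIP, bin(Timestamp, 1h)
| where NewTargets >= min_new_targets
| order by NewTargets desc
```

A hit here is worth pivoting on immediately: take the RemoteIP, look at DeviceProcessEvents on that source host in the same hour, and you will usually find the tool that did the fanning out (PsExec, wmic, a PowerShell remoting loop, or a scanner).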

25 example queries for lateral movement detection (Defender for Endpoint advanced hunting, KQL):

  1. Track RDP logins (RemoteInteractive logon type). RDP is the most common interactive route between hosts; summarising successful logons by account, target and source gives you the pairs to baseline.

DeviceLogonEvents
| where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
| summarize Logons = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by AccountName, DeviceName, RemoteIP
  2. Detect PsExec use for remote command execution. PsExec copies a service binary to the target's ADMIN$ share and starts it over the service control pipe. Matching on the file name alone is defeated by renaming the binary, so also check the version-info original file name; on the target host, processes whose parent is PSEXESVC.exe are the stronger artefact.

DeviceProcessEvents
| where FileName in~ ("psexec.exe", "psexec64.exe")
    or ProcessVersionInfoOriginalFileName has "psexec"      // catches renamed copies
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  3. Monitor outbound SMB traffic for lateral movement. SMB (port 445) carries file copies, admin-share access and the RPC pipes behind PsExec, remote service creation and remote scheduled tasks. Raw 445 counts are dominated by file servers and domain controllers, so exclude those and look at which workstations talk SMB to which other workstations.

let smb_servers = dynamic(["10.0.0.10", "10.0.0.11"]);   // placeholder: your file servers and DCs
DeviceNetworkEvents
| where RemotePort == 445 and ActionType == "ConnectionSuccess"
| where RemoteIP !in (smb_servers)
| summarize Connections = count() by DeviceName, InitiatingProcessAccountName, RemoteIP
  4. Detect remote PowerShell sessions for lateral movement. New-PSSession and Invoke-Command -ComputerName open WinRM sessions to other hosts. This only sees cmdlets passed on the command line; cmdlets executed from a script body are recorded in DeviceEvents with ActionType "PowerShellCommand", not in the process command line.

DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("New-PSSession", "Invoke-Command")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  5. Track use of WMI for remote code execution. wmic /node:<host> process call create runs a command on another machine; "os get" is the usual recon that precedes it. On the target, the spawned command appears with WmiPrvSE.exe as its parent, which is the more reliable indicator. Note that wmic.exe is deprecated and absent on current Windows builds, where the same action is done with Invoke-WmiMethod or Invoke-CimMethod.

DeviceProcessEvents
| where (FileName =~ "wmic.exe" and ProcessCommandLine contains "/node:"     // explicit remote target
         and ProcessCommandLine has_any ("process call create", "os get"))
    or InitiatingProcessFileName =~ "wmiprvse.exe"                          // target side: WMI-launched process
| summarize count() by DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
  6. Monitor remote service creation with sc.exe. sc.exe \\<host> create or config targets the remote host's Service Control Manager over the svcctl pipe. Local "sc create" is common during software installs, so require a \\host argument.

DeviceProcessEvents
| where FileName =~ "sc.exe" and ProcessCommandLine has_any ("create", "config")
| where ProcessCommandLine contains @"\\"     // a \\host argument means a remote SCM
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  7. Detect scheduled tasks created on remote systems. schtasks /create /s <host> registers a task on another machine, used both to execute code there and to persist. The /s switch is what distinguishes this from ordinary local task creation.

DeviceProcessEvents
| where FileName =~ "schtasks.exe" and ProcessCommandLine has "create"
| where ProcessCommandLine matches regex @"(?i)\s/s\s"    // /s <host>: remote target
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  8. Track lateral movement via the ADMIN$ share. Tools such as PsExec write their payload into ADMIN$ (C:\Windows) before executing it. DeviceNetworkEvents has no share column; the share name and the requesting client are recorded on the target host in DeviceFileEvents (ShareName, RequestSourceIP, RequestAccountName). Only writes, renames and deletes are logged there, not reads.

DeviceFileEvents
| where ShareName =~ "ADMIN$" and isnotempty(RequestSourceIP)
| summarize Files = count(), Names = make_set(FileName, 10) by DeviceName, RequestSourceIP, RequestAccountName
  9. Monitor use of net use for remote drive mapping. net use \\<host>\<share> maps a remote share and is a common first step before copying tooling across. net.exe hands most commands to net1.exe, so match both.

DeviceProcessEvents
| where FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "use"
| where ProcessCommandLine contains @"\\"      // a UNC path, not "net use" listing local mappings
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  10. Detect RDP logon attempts from unexpected source ranges. RDP should normally originate from jump hosts, admin VLANs or VPN pools; anything else is worth a look. The original query referenced an undefined expected_ips list; define it as CIDR ranges and test with ipv4_is_in_any_range.

let expected_ranges = dynamic(["10.10.0.0/16"]);   // placeholder: your jump hosts / VPN pools
DeviceLogonEvents
| where LogonType == "RemoteInteractive" and isnotempty(RemoteIP)
| where not(ipv4_is_in_any_range(RemoteIP, expected_ranges))
| summarize count() by AccountName, DeviceName, RemoteIP, ActionType
  11. Track use of WinRM for remote command execution. winrm.cmd is a batch wrapper that runs cscript.exe winrm.vbs, so it never appears as a process file name; match the script instead. On the target, WinRM-executed commands are children of wsmprovhost.exe.

DeviceProcessEvents
| where (FileName =~ "cscript.exe" and ProcessCommandLine has "winrm.vbs")   // the winrm command-line client
    or InitiatingProcessFileName =~ "wsmprovhost.exe"                        // target side: WinRM host spawning commands
| summarize count() by DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine
  12. Monitor Remote Desktop client launches. mstsc.exe on a host that is itself a server or a compromised workstation is a classic hop; extracting the /v: target shows where the operator went next.

DeviceProcessEvents
| where FileName =~ "mstsc.exe"
| extend Target = extract(@"(?i)/v:(\S+)", 1, ProcessCommandLine)
| summarize count() by DeviceName, InitiatingProcessAccountName, Target, ProcessCommandLine
  13. Detect unusual administrative logon activity (Event ID 4672). 4672 ("special privileges assigned to new logon") is a Windows Security log event; it is not in DeviceEvents, which has no EventID column. In Microsoft Sentinel it lives in the SecurityEvent table, and it carries no source IP (pair it with 4624 on SubjectLogonId if you need one). The Defender-only equivalent is a remote logon that landed as a local administrator.

SecurityEvent
| where EventID == 4672
| summarize count() by SubjectUserName, Computer

DeviceLogonEvents
| where ActionType == "LogonSuccess" and IsLocalAdmin == true
| where LogonType in ("Network", "RemoteInteractive")
| summarize count() by AccountName, DeviceName, RemoteIP
  14. Track NTLM network logons (pass-the-hash hunting). Pass-the-hash authenticates with an NTLM hash and therefore shows up as NTLM network logons. NTLM on its own is normal in most estates; the signal is NTLM where Kerberos is expected (a domain account from a domain-joined host), or one source fanning out to many hosts. The logon protocol is in the Protocol column.

DeviceLogonEvents
| where ActionType == "LogonSuccess" and LogonType == "Network" and Protocol == "NTLM"
| where not(AccountName endswith "$")     // machine accounts produce constant NTLM noise
| summarize Logons = count(), Targets = dcount(DeviceName) by AccountName, RemoteIP
| order by Targets desc
  15. Monitor RDP to non-standard ports. Attackers relay or re-bind RDP to avoid port-based monitoring. The original query matched every connection on an ephemeral port; tie it to the RDP client process instead.

DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" and InitiatingProcessFileName =~ "mstsc.exe"
| where RemotePort != 3389
| summarize count() by DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort
  16. Detect writes to hidden drive shares (C$, D$ and so on). Drive-letter admin shares give anyone with local admin rights full access to the remote disk. As with ADMIN$, this is visible on the target in DeviceFileEvents, not in DeviceNetworkEvents.

DeviceFileEvents
| where ShareName matches regex @"^[A-Za-z]\$$" and isnotempty(RequestSourceIP)
| summarize Files = count(), Paths = make_set(FolderPath, 10) by DeviceName, ShareName, RequestSourceIP, RequestAccountName
  17. Monitor interactive PowerShell remoting (Enter-PSSession). Enter-PSSession gives an operator an interactive shell on the remote host over WinRM. As with query 4, cmdlets inside scripts are only visible via DeviceEvents "PowerShellCommand" records.

DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has "Enter-PSSession"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  18. Track inbound SMB connections to workstations (port 445). Query 3 looks at the source; this is the target's view. File servers accept SMB all day, but a workstation accepting SMB from another workstation is unusual and is where PsExec, remote service creation and share-based file drops land.

DeviceNetworkEvents
| where ActionType == "InboundConnectionAccepted" and LocalPort == 445
| summarize Connections = count(), FirstSeen = min(Timestamp) by DeviceName, RemoteIP
  19. Detect remote file transfers over SMB with explicit credentials. Mapping a share with net use /user:<account> (supplying a stolen credential) or copying directly to a remote admin share with copy, xcopy or robocopy is how tooling is usually staged on the next host.

DeviceProcessEvents
| where (FileName in~ ("net.exe", "net1.exe") and ProcessCommandLine has "use" and ProcessCommandLine contains "/user:")
    or (FileName in~ ("cmd.exe", "xcopy.exe", "robocopy.exe")
        and ProcessCommandLine matches regex @"(?i)\\\\[^\\]+\\(admin|[a-z])\$")   // \\host\ADMIN$ or \\host\C$
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  20. Monitor network scanning used to find lateral movement targets. Scanners such as Nmap and masscan enumerate hosts and open ports. Name matching is the cheap check; because binaries get renamed, also hunt for the behaviour: one process on one host touching many distinct IPs or ports in a short window.

DeviceProcessEvents
| where FileName in~ ("nmap.exe", "masscan.exe", "zenmap.exe")
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine

DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess", "ConnectionFailed")
| summarize Targets = dcount(RemoteIP), Ports = dcount(RemotePort)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 10m)
| where Targets > 50 or Ports > 50      // placeholder thresholds; tune to your environment
  21. Track access to the IPC$ share (named pipes). IPC$ carries no files, so it does not appear in DeviceFileEvents; it is the transport for the RPC named pipes used to control services (svcctl), tasks (atsvc), the registry (winreg) and accounts (samr, lsarpc), and for PsExec's own pipe. Defender records pipe activity as DeviceEvents "NamedPipeEvent" with the pipe name in AdditionalFields.

DeviceEvents
| where ActionType == "NamedPipeEvent"
| extend PipeName = tostring(AdditionalFields.PipeName)
| where PipeName has_any ("svcctl", "atsvc", "winreg", "samr", "lsarpc", "psexesvc")
| summarize count() by DeviceName, PipeName, InitiatingProcessFileName, InitiatingProcessAccountName
  22. Detect use of WMI for remote service creation. Win32_Service.Create over WMI installs a service on the remote host without touching sc.exe, whether driven from wmic or from PowerShell's Invoke-WmiMethod / Invoke-CimMethod.

DeviceProcessEvents
| where (FileName =~ "wmic.exe" and ProcessCommandLine has_all ("service", "create"))
    or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_all ("Win32_Service", "Create"))
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  23. Monitor RDP sessions from unexpected countries. DeviceLogonEvents has no geolocation column; derive one with geo_info_from_ip_address. This only makes sense for public source addresses (internet-exposed RDP or VPN egress), so skip RFC 1918 space; true internal lateral movement is better caught by queries 1 and 10.

let expected_countries = dynamic(["United Kingdom"]);   // placeholder: country names as returned by the geo lookup
DeviceLogonEvents
| where LogonType == "RemoteInteractive" and isnotempty(RemoteIP)
| where not(ipv4_is_private(RemoteIP))
| extend Country = tostring(geo_info_from_ip_address(RemoteIP).country)
| where Country !in (expected_countries)
| summarize count() by AccountName, DeviceName, RemoteIP, Country, ActionType
  24. Track file-transfer tools used during lateral movement (e.g., WinSCP). SCP/SFTP clients such as WinSCP move tooling and loot between hosts over SSH rather than SMB. Match on the product name as well as the file name to survive renaming.

DeviceProcessEvents
| where FileName =~ "winscp.exe" or ProcessVersionInfoProductName has "winscp"
| summarize count() by DeviceName, InitiatingProcessAccountName, ProcessCommandLine
  25. Monitor RDP logons at unusual hours (off-hours access). The original query compared Timestamp with datetime(00:00), which is not valid KQL; use hourofday. Timestamp is UTC, so shift the window for your time zone and exclude known maintenance accounts.

DeviceLogonEvents
| where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
| extend Hour = hourofday(Timestamp)          // UTC; adjust the range for your local time zone
| where Hour between (0 .. 5)                 // 00:00 to 05:59
| summarize count() by AccountName, DeviceName, RemoteIP, Hour
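The PsExec and admin-share queries above all look at one side of the hop. As an added example that is not part of the original page, the following query reconstructs the whole PsExec-style chain from the target host: an executable is written over SMB by a remote client (DeviceFileEvents with a RequestSourceIP), and within two minutes the Service Control Manager (services.exe) starts that same file as a service. Matching on the file name rather than on PSEXESVC.exe also catches renamed clones and hand-rolled service droppers. The 7-day lookback and the 2-minute gap are assumptions.

```kql
// Added example (not from the original page): PsExec-style execution seen from the TARGET host.
// Defender for Endpoint advanced hunting (KQL). Lookback and max_gap are assumptions.
let lookback = 7d;
let max_gap  = 2m;
// Step 1: executables written to this host by a remote SMB client (ADMIN$, C$, ...)
let dropped = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where isnotempty(RequestSourceIP)             // only remote writes over SMB
    | where FileName endswith ".exe"
    | project DeviceId, DeviceName, DropTime = Timestamp,
              FileNameKey = tolower(FileName),      // join key; Kusto joins are case-sensitive
              FolderPath, ShareName, RequestSourceIP, RequestAccountName, SHA1;
// Step 2: processes started by the Service Control Manager, i.e. new or restarted services
let svc_start = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "services.exe"
    | project DeviceId, StartTime = Timestamp, FileNameKey = tolower(FileName),
              ProcessCommandLine, AccountName;
// Step 3: same host, same binary, started shortly after it was dropped
dropped
| join kind=inner svc_start on DeviceId, FileNameKey
| where StartTime between (DropTime .. (DropTime + max_gap))
| extend IsKnownPsExec = FileNameKey startswith "psexesvc"   // stock PsExec; clones will be false
| project DeviceName, DropTime, StartTime, FileNameKey, FolderPath, ShareName,
          RequestSourceIP, RequestAccountName, SHA1, ProcessCommandLine, AccountName, IsKnownPsExec
| order by StartTime desc
```

RequestSourceIP is the attacker's pivot host and RequestAccountName the credential they used, which is exactly the pair you need to scope the incident: run query 1 or query 14 filtered on that account and IP to see every other host it touched.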
