Lateral Movement Discovery

Introduction

PowerShell is a vital tool for security operations (SecOps), offering powerful capabilities to manage systems, automate processes, and investigate security incidents. Its deep integration with Windows, flexibility, and robust scripting capabilities make it a go-to tool for Digital Forensics and Incident Response (DFIR). One of its critical applications in DFIR is uncovering lateral movement activity. Lateral movement involves attackers navigating through a network to escalate privileges, access sensitive resources, or maintain persistence. PowerShell allows SecOps teams to efficiently detect and investigate these activities, providing actionable insights to mitigate threats and protect enterprise networks.


Capabilities of PowerShell for Lateral Movement Discovery in DFIR

1. Detecting Unauthorised Credential Use:

PowerShell enables analysts to identify the use of compromised credentials during lateral movement. This includes tracking unusual logins, remote session creations, or suspicious account activities across endpoints.

2. Monitoring Remote Execution Attempts:

Attackers often leverage remote execution tools and protocols like PowerShell Remoting, WMI, or PsExec to move laterally. PowerShell can detect these activities by querying logs, inspecting process creations, and analysing command-line arguments.

3. Investigating File and Payload Transfers:

PowerShell can help uncover unauthorised file transfers, such as malicious payloads being moved between systems. This includes monitoring shared directories, network drives, and suspicious use of file copy tools like robocopy or custom scripts.

4. Identifying Service and Scheduled Task Abuses:

Attackers frequently create or manipulate services and scheduled tasks on remote systems to execute malicious code. PowerShell allows for the enumeration and analysis of these configurations to detect anomalies or unauthorised changes.

5. Analysing Network Connections:

PowerShell provides insights into active and historical network connections, enabling analysts to identify unusual connections between systems that may indicate lateral movement attempts.

6. Detecting Lateral Movement Tools:

Common tools used for lateral movement, such as Mimikatz, Cobalt Strike, or Impacket, leave traces in logs and processes. PowerShell can identify evidence of these tools, as well as their artifacts, across systems.

7. Event Log Analysis for Lateral Movement Patterns:

PowerShell facilitates querying security logs for specific events indicative of lateral movement. This includes analysing Event IDs related to remote logins (e.g., 4624, 4648) or the use of administrative tools like WMI or SMB.


Efficiency Provided by PowerShell in Lateral Movement Discovery

  1. Comprehensive Endpoint Visibility: PowerShell provides access to critical data, such as logs, processes, and network configurations, enabling thorough investigation of lateral movement activities.

  2. Real-Time Detection: PowerShell enables real-time querying and analysis of suspicious activities, allowing security teams to quickly identify and respond to lateral movement attempts.

  3. Scalability: Using PowerShell Remoting, SecOps teams can monitor and investigate lateral movement activities across multiple systems in parallel, making it ideal for enterprise-scale networks.

  4. Automation and Consistency: PowerShell scripts can automate routine discovery tasks, such as log analysis or process enumeration, ensuring consistent detection and reducing manual effort.

  5. Customisable Detection: PowerShell’s scripting flexibility allows analysts to tailor detection mechanisms for specific lateral movement techniques, aligning with frameworks like MITRE ATT&CK.

  6. Integration with Security Tools: PowerShell integrates seamlessly with tools such as Microsoft Sentinel, Defender for Endpoint, and SIEM platforms, enabling enriched detection workflows and automated remediation.


By leveraging PowerShell’s capabilities, SecOps teams can efficiently uncover and analyse lateral movement activities in enterprise networks, enabling rapid containment and strengthening the organisation’s overall security posture.

Lateral Movement Discovery

1. Remote Execution and Access Tools

1.1. Detecting Remote Desktop Protocol (RDP) Usage

Purpose: Identify suspicious use of RDP, which may indicate lateral movement.

# 4624 field order: Properties[8] = LogonType (10 = RemoteInteractive/RDP), [5] = TargetUserName, [10] = AuthenticationPackageName, [18] = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Properties[8].Value -eq 10} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[5].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}
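Positional Properties[] indices are easy to get wrong and differ between event IDs, so the following added example (not from the original page) reads the event XML and addresses 4624 fields by name, then applies the RDP check above extended to network (type 3) logons. The $AllowedSources list is an assumed placeholder for known jump hosts or scanners.

```powershell
function ConvertFrom-EventData {
    # Map each <Data Name="..."> element of the event XML to a property, so fields are used by name
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName }
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.GetAttribute('Name')] = $node.'#text' }
        [pscustomobject]$data
    }
}

function Get-SuspiciousRemoteLogon {
    param(
        [datetime]$Since = (Get-Date).AddDays(-1),
        [string[]]$AllowedSources = @('10.0.0.5')   # constructed placeholder: jump hosts, vuln scanners
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ConvertFrom-EventData |
        Where-Object {
            ($_.LogonType -in '3', '10') -and                       # network or RDP logon
            ($_.IpAddress -notin '-', '127.0.0.1', '::1') -and      # drop local/loopback logons
            ($_.IpAddress -notin $AllowedSources) -and
            ($_.TargetUserName -notlike '*$')                       # drop machine accounts
        } |
        Select-Object TimeCreated, Computer, TargetDomainName, TargetUserName, LogonType,
                      AuthenticationPackageName, IpAddress, WorkstationName
}

# Named fields also make the NTLM (pass-the-hash) and RDP pivots one filter away
Get-SuspiciousRemoteLogon | Sort-Object TimeCreated | Format-Table -AutoSize
```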

1.2. Monitoring for PowerShell Remoting

Purpose: Detect usage of PowerShell Remoting for remote code execution.

# 4103 (module logging) records the Host Application; commands served over PowerShell Remoting run inside wsmprovhost.exe on the target. "Creating Scriptblock text" belongs to 4104 (script block logging), not 4103
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4103} | Where-Object {$_.Message -match 'Host Application = .*wsmprovhost\.exe'} | Select-Object TimeCreated, @{n='Detail';e={$_.Message}}

2. Pass-the-Hash and Pass-the-Ticket

2.1. Detecting Pass-the-Hash Attacks

Purpose: Monitor for usage of NTLM hashes to authenticate without the actual password.

# 4624: Properties[10] = AuthenticationPackageName, [8] = LogonType, [18] = IpAddress; NTLM network logons fanning out from one source is the pass-the-hash pattern
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Properties[10].Value -eq 'NTLM'} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[5].Value}}, @{n='LogonType';e={$_.Properties[8].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}

2.2. Monitoring for Pass-the-Ticket Attempts

Purpose: Identify suspicious usage of Kerberos tickets that may indicate pass-the-ticket attacks.

# 4769: Properties[0] = TargetUserName, [2] = ServiceName, [5] = TicketEncryptionType, [6] = IpAddress. RC4 (0x17) service tickets in an AES-enabled domain are a common sign of tickets derived from NTLM hashes or forged offline
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {[int]$_.Properties[5].Value -eq 0x17} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[0].Value}}, @{n='ServiceName';e={$_.Properties[2].Value}}, @{n='SourceIP';e={$_.Properties[6].Value}}

3. Remote Services and Scheduled Tasks

3.1. Detecting Remote Service Creation

Purpose: Identify the creation of services on remote systems, often used for lateral movement.

# 7045: Properties[0] = ServiceName, [1] = ImagePath, [4] = AccountName
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ServiceFile';e={$_.Properties[1].Value}}, @{n='RunAs';e={$_.Properties[4].Value}}

3.2. Monitoring Scheduled Tasks on Remote Systems

Purpose: Detect creation of scheduled tasks on remote systems for executing code.

# Skip the built-in Microsoft task tree and show what each remaining task actually executes and as whom
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike '\Microsoft\*'} | Select-Object TaskName, TaskPath, @{n='RunAs';e={$_.Principal.UserId}}, @{n='Actions';e={($_.Actions | ForEach-Object {"$($_.Execute) $($_.Arguments)"}) -join '; '}}

4. File Sharing and Remote File Copy

4.1. Monitoring for Use of Admin Shares

Purpose: Detect the use of administrative shares (e.g., C$) for file transfers.

# Lists which administrative shares are exposed on this host; the actual use of a share is recorded by Security events 5140/5145 when file share auditing is enabled
Get-CimInstance -ClassName Win32_Share | Where-Object {$_.Name -match '^([A-Z]\$|ADMIN\$)$'} | Select-Object Name, Path

4.2. Detecting Remote File Copy Operations

Purpose: Identify file copy operations to or from remote systems, which may indicate lateral movement.

# 4663 requires object access auditing plus a SACL on the watched paths. Properties[8] = AccessList holds resource codes (%%4416 ReadData, %%4417 WriteData), [6] = ObjectName, [1] = SubjectUserName, [11] = ProcessName
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {$_.Properties[8].Value -match '%%4416|%%4417'} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='ObjectName';e={$_.Properties[6].Value}}, @{n='Process';e={$_.Properties[11].Value}}

5. Credential Harvesting and Stealing

5.1. Monitoring for Credential Dumping Tools

Purpose: Detect the use of tools like Mimikatz for credential harvesting.

# 4688: Properties[5] = NewProcessName, [8] = CommandLine (populated only when "Include command line in process creation events" is enabled), [13] = ParentProcessName
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[5].Value -match 'mimikatz' -or $_.Properties[8].Value -match 'mimikatz|sekurlsa'} | Select-Object TimeCreated, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}, @{n='Parent';e={$_.Properties[13].Value}}

5.2. Detecting LSASS Memory Access

Purpose: Monitor for access attempts to the LSASS process, which contains credentials.

# 4656 only fires with Kernel Object auditing and a SACL, so Sysmon Event ID 10 (ProcessAccess) is the usual source for lsass handles. 4656: Properties[6] = ObjectName, [7] = HandleId, [1] = SubjectUserName, [15] = ProcessName (the requester)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | Where-Object {$_.Properties[6].Value -match 'lsass\.exe'} | Select-Object TimeCreated, @{n='Requester';e={$_.Properties[15].Value}}, @{n='User';e={$_.Properties[1].Value}}, @{n='HandleID';e={$_.Properties[7].Value}}

6. Use of Legitimate Admin Tools

6.1. Detecting PsExec Usage

Purpose: Identify the use of PsExec, a legitimate tool often used for remote execution.

# 4688: Properties[5] = NewProcessName, [8] = CommandLine, [13] = ParentProcessName. On the target, PsExec installs and runs the PSEXESVC service (also visible as a 7045 service install), and the remote command is its child
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[5].Value -match 'psexec|psexesvc' -or $_.Properties[13].Value -match 'psexesvc'} | Select-Object TimeCreated, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}, @{n='Parent';e={$_.Properties[13].Value}}

6.2. Monitoring for WMI Remote Command Execution

Purpose: Detect usage of WMI for executing commands remotely.

# Processes started through WMI (Win32_Process.Create, locally or from a remote host) are children of WmiPrvSE.exe; 4688 Properties[13] = ParentProcessName, [5] = NewProcessName, [8] = CommandLine, [1] = SubjectUserName
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[13].Value -match '\\WmiPrvSE\.exe$'} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}

7. Domain Controller and Active Directory Access

7.1. Monitoring Access to Domain Controllers

Purpose: Detect unauthorized access or enumeration attempts against domain controllers.

# 4662 (Audit Directory Service Access, collected on the domain controller): Properties[1] = SubjectUserName, [5] = ObjectType, [6] = ObjectName. Machine and built-in service accounts generate most of the volume, so filter them out to surface user-driven access
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4662} | Where-Object {$_.Properties[1].Value -notlike '*$' -and $_.Properties[1].Value -notin 'SYSTEM','LOCAL SERVICE','NETWORK SERVICE'} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='ObjectType';e={$_.Properties[5].Value}}, @{n='ObjectName';e={$_.Properties[6].Value}}

7.2. Detecting Enumeration of Active Directory

Purpose: Identify attempts to enumerate Active Directory objects, such as users, groups, or computers.

# 4662 Properties[11] lists the requested access rights as GUIDs. DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) requested by anything other than a domain controller account is the DCSync pattern
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4662} | Where-Object {$_.Properties[11].Value -match '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2|1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' -and $_.Properties[1].Value -notlike '*$'} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='ObjectName';e={$_.Properties[6].Value}}

8. Application and Script Execution

8.1. Detecting Script Execution Across Network

Purpose: Identify the execution of scripts on remote systems.

# 4104 requires script block logging; Properties[2] = ScriptBlockText, [4] = Path (empty for blocks typed or received interactively)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Properties[2].Value -match 'Invoke-Command|New-PSSession|Enter-PSSession'} | Select-Object TimeCreated, @{n='ScriptBlock';e={$_.Properties[2].Value}}, @{n='Path';e={$_.Properties[4].Value}}

8.2. Monitoring for Malicious Batch Files

Purpose: Detect the execution of batch files that may be used for lateral movement.

Get-ChildItem -Path "C:\Windows\Temp\" -Include *.bat, *.cmd -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName, CreationTime, LastWriteTime, Length

9. Use of Third-Party Remote Access Tools

9.1. Detecting Use of VNC

Purpose: Identify the use of VNC software for remote control.

Get-CimInstance -ClassName Win32_Process | Where-Object {$_.Name -match 'vnc'} | Select-Object Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine

9.2. Monitoring for TeamViewer Usage

Purpose: Detect the presence and use of TeamViewer for remote sessions.

Get-Process | Where-Object {$_.ProcessName -match 'TeamViewer'} | Select-Object ProcessName, Id, StartTime

10. Command and Control (C2) and Beaconing

10.1. Monitoring for Beaconing Activity

Purpose: Detect regular interval connections that may indicate beaconing.

# $KnownGoodIPs is a placeholder allow-list to fill in. A single snapshot shows how many concurrent connections each destination holds; true beaconing (regular intervals) needs timestamped connection records such as Security 5156 or Sysmon Event ID 3
$KnownGoodIPs = @('10.0.0.1')   # placeholder
Get-NetTCPConnection -State Established | Where-Object {$_.RemoteAddress -notin $KnownGoodIPs -and $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)'} | Group-Object RemoteAddress | Where-Object {$_.Count -gt 10} | Select-Object Name, Count, @{n='Processes';e={($_.Group.OwningProcess | Sort-Object -Unique | ForEach-Object {(Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName}) -join ', '}}
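Counting connections does not capture the "regular interval" part of the purpose above, so this added example (not from the original page) scores each remote address by how evenly spaced its connections are, using the coefficient of variation of the gaps between them. The sample records are constructed; the commented tail shows how to feed it from Windows Filtering Platform event 5156.

```powershell
function Get-BeaconCandidate {
    param(
        [Parameter(Mandatory)][object[]]$Connections,   # objects with RemoteAddress and Time properties
        [int]$MinConnections = 6,                       # need enough samples for the statistics to mean anything
        [double]$MaxJitter = 0.15                       # stdev/mean of the gaps; lower = more clock-like
    )
    $Connections | Group-Object RemoteAddress | Where-Object { $_.Count -ge $MinConnections } | ForEach-Object {
        $times  = @($_.Group | Sort-Object Time | ForEach-Object { [datetime]$_.Time })
        $gaps   = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $mean   = ($gaps | Measure-Object -Average).Average
        # population standard deviation, computed by hand so this also runs on Windows PowerShell 5.1
        $sd     = [math]::Sqrt((($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) }) | Measure-Object -Average).Average)
        $jitter = if ($mean -gt 0) { $sd / $mean } else { [double]::PositiveInfinity }
        [pscustomobject]@{
            RemoteAddress = $_.Name
            Connections   = $_.Count
            MeanGapSec    = [math]::Round($mean, 1)
            Jitter        = [math]::Round($jitter, 3)
            Beaconing     = ($jitter -le $MaxJitter)
        }
    } | Sort-Object Jitter
}

# Constructed sample: 203.0.113.10 connects roughly every 60 s; 198.51.100.7 connects at irregular times
$base   = Get-Date '2024-01-15 09:00:00'
$sample = foreach ($s in 0, 61, 119, 180, 242, 299, 360, 421) { [pscustomobject]@{ RemoteAddress = '203.0.113.10'; Time = $base.AddSeconds($s) } }
$sample += foreach ($s in 0, 15, 400, 420, 1900, 2100, 2105, 5000) { [pscustomobject]@{ RemoteAddress = '198.51.100.7'; Time = $base.AddSeconds($s) } }
Get-BeaconCandidate -Connections $sample | Format-Table -AutoSize

# Live input: Security 5156 (requires "Audit Filtering Platform Connection"); Properties[5] = DestAddress, [1] = Application
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156 } |
#     ForEach-Object { [pscustomobject]@{ RemoteAddress = $_.Properties[5].Value; Time = $_.TimeCreated } }
# Get-BeaconCandidate -Connections $live -MinConnections 10
```

Short sleep intervals with randomised jitter raise the score above the threshold, so treat the jitter column as a ranking aid to review alongside destination reputation and owning process, not as a verdict.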

10.2. Detecting C2 Infrastructure Usage

Purpose: Identify connections to known Command and Control infrastructure.

# The DNS-Client/Operational log is disabled by default (wevtutil sl Microsoft-Windows-DNS-Client/Operational /e:true); 3008 = query completed, Properties[0] = QueryName. The domains are placeholders for the IoC list being hunted
$C2Domains = @('SuspiciousDomain1.com', 'SuspiciousDomain2.com')
$pattern   = ($C2Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DNS-Client/Operational'; ID=3008} | Where-Object {$_.Message -match $pattern} | Select-Object TimeCreated, @{n='Query';e={$_.Properties[0].Value}}

Additional Discovery Techniques

1. Remote Desktop Protocol (RDP) Usage

1.1. Detecting Unauthorized RDP Sessions

Purpose: Identify unauthorized RDP sessions, which may indicate lateral movement.

# 4624: Properties[8] = LogonType (10 = RemoteInteractive/RDP), [5] = TargetUserName, [18] = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Properties[8].Value -eq 10} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[5].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}

1.2. Monitoring Multiple RDP Connections from Single Account

Purpose: Detect multiple RDP connections from a single account, indicating potential misuse.

# Group RDP logons (LogonType = Properties[8]) by account and list the distinct source addresses each one came from
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Properties[8].Value -eq 10} | Group-Object -Property {$_.Properties[5].Value} | Where-Object {$_.Count -gt 5} | Select-Object Name, Count, @{n='Sources';e={($_.Group | ForEach-Object {$_.Properties[18].Value} | Sort-Object -Unique) -join ', '}}
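A single account or source address authenticating to many different hosts in a short window is the fan-out shape of lateral movement, and it is only visible when logons from several endpoints are correlated. This added example (not from the original page) collects 4624 network and RDP logons from a list of hosts in parallel over PowerShell Remoting and pivots on account and on source address; the host names and the $MinHosts threshold are assumed placeholders, and the account running it needs rights to read the Security log on each target.

```powershell
function Get-LogonFanOut {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MinHosts = 3                                 # distinct targets before an account/source is reported
    )
    # Runs once per host, in parallel; 4624 Properties[8] = LogonType, [5]/[6] = TargetUserName/Domain, [18] = IpAddress
    $logons = Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ArgumentList $Since -ScriptBlock {
        param($start)
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start } |
            Where-Object { ($_.Properties[8].Value -in 3, 10) -and ($_.Properties[5].Value -notlike '*$') } |
            ForEach-Object {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Target  = $env:COMPUTERNAME
                    Account = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
                    Source  = $_.Properties[18].Value
                    Type    = $_.Properties[8].Value
                }
            }
    }

    # Pivot twice: which accounts, and which source addresses, reached at least $MinHosts distinct targets
    foreach ($key in 'Account', 'Source') {
        $logons | Where-Object { $_.$key -notin '-', '127.0.0.1', '::1' } |
            Group-Object $key | ForEach-Object {
                $hosts = @($_.Group.Target | Sort-Object -Unique)
                if ($hosts.Count -ge $MinHosts) {
                    [pscustomobject]@{
                        Pivot     = $key
                        Value     = $_.Name
                        HostCount = $hosts.Count
                        Hosts     = $hosts -join ', '
                        FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                        LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
                    }
                }
            }
    }
}

# Placeholder host list; scope it to the segment under investigation
Get-LogonFanOut -ComputerName 'WS01', 'WS02', 'SRV-FILE01' | Sort-Object HostCount -Descending | Format-Table -AutoSize
```

Administrators and backup or monitoring accounts will appear at the top by design, so baseline the output once and keep the expected identities in an allow-list rather than lowering the threshold.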

2. Remote Services and Command Execution

2.1. Detecting PsExec Usage

Purpose: Identify the use of PsExec for remote command execution.

# 4688: Properties[5] = NewProcessName, [8] = CommandLine, [13] = ParentProcessName; on the target the service binary is PSEXESVC.exe
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[5].Value -match 'psexec|psexesvc' -or $_.Properties[13].Value -match 'psexesvc'} | Select-Object TimeCreated, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}

2.2. Monitoring Remote PowerShell Sessions

Purpose: Detect unauthorized remote PowerShell sessions.

# 4103 requires module logging. Outbound sessions show the remoting cmdlets; inbound sessions show a Host Application of wsmprovhost.exe
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4103} | Where-Object {$_.Message -match 'New-PSSession|Enter-PSSession|Invoke-Command|Host Application = .*wsmprovhost\.exe'} | Select-Object TimeCreated, @{n='Detail';e={$_.Message}}

3. Windows Management Instrumentation (WMI)

3.1. Detecting WMI Command Execution

Purpose: Monitor for commands executed via WMI, often used for lateral movement.

# WMI-Activity/Operational 5861 records each new permanent filter-to-consumer binding; a CommandLineEventConsumer or ActiveScriptEventConsumer executes whenever its filter fires. 5857 is only a provider-load event and never carries consumer details
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-WMI-Activity/Operational'; ID=5861} | Where-Object {$_.Message -match 'CommandLineEventConsumer|ActiveScriptEventConsumer'} | Select-Object TimeCreated, @{n='Binding';e={$_.Message}}

3.2. Monitoring WMI Event Subscription Persistence

Purpose: Identify persistent WMI event subscriptions, which can be used for lateral movement.

# Pair each filter with the consumer it triggers: the filter holds the WQL trigger, the consumer holds the command that runs
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter | Select-Object Name, Query
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer | Select-Object Name, CommandLineTemplate

4. Service and Scheduled Task Creation

4.1. Detecting Creation of New Services

Purpose: Identify the creation of new services, which can be used for lateral movement.

# 7045: Properties[0] = ServiceName, [1] = ImagePath, [4] = AccountName
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ServiceFile';e={$_.Properties[1].Value}}, @{n='RunAs';e={$_.Properties[4].Value}}

4.2. Monitoring Scheduled Task Creation

Purpose: Detect the creation of scheduled tasks that may be used for executing commands.

# Skip the built-in Microsoft task tree and show what each remaining task actually executes and as whom
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike '\Microsoft\*'} | Select-Object TaskName, TaskPath, @{n='RunAs';e={$_.Principal.UserId}}, @{n='Actions';e={($_.Actions | ForEach-Object {"$($_.Execute) $($_.Arguments)"}) -join '; '}}

5. File and Directory Discovery

5.1. Monitoring Access to Shared Folders

Purpose: Detect unauthorized access to shared folders, which may indicate lateral movement.

# Access to a network share is logged as 5140 (share) and 5145 (object within the share) when "Audit File Share" is enabled; 4663 only covers local object access. 5140: Properties[1] = SubjectUserName, [5] = IpAddress, [7] = ShareName (\\*\Share). Replace "Share" with the share being watched
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5140} | Where-Object {$_.Properties[7].Value -match '\\Share$'} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='SourceIP';e={$_.Properties[5].Value}}, @{n='Share';e={$_.Properties[7].Value}}

5.2. Detecting Access to Administrative Shares

Purpose: Identify attempts to access administrative shares, often used for lateral movement.

# Administrative shares carry the hidden-share flag (Type 0x80000000), not Type 0, and an unescaped $ in the regex would act as an end anchor
Get-CimInstance -ClassName Win32_Share | Where-Object {$_.Name -match '^([A-Z]\$|ADMIN\$)$'} | Select-Object Name, Path, Type

6. Account and Credential Manipulation

6.1. Monitoring for Privilege Escalation Attempts

Purpose: Detect actions that indicate attempts to escalate privileges.

# 4672: Properties[1] = SubjectUserName, [4] = PrivilegeList; machine accounts and built-in service identities produce most of the volume, so drop them
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672} | Where-Object {$_.Properties[1].Value -notlike '*$' -and $_.Properties[1].Value -notin 'SYSTEM','LOCAL SERVICE','NETWORK SERVICE'} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[1].Value}}, @{n='Privileges';e={$_.Properties[4].Value}}

6.2. Detecting Unauthorized User Account Creation

Purpose: Identify the creation of unauthorized user accounts.

# 4720: Properties[0] = TargetUserName (the new account), [1] = TargetDomainName, [4] = SubjectUserName (who created it)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4720} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[0].Value}}, @{n='CreatedBy';e={$_.Properties[4].Value}}

7. Pass-the-Hash and Pass-the-Ticket Attacks

7.1. Detecting NTLM Authentication Attempts

Purpose: Monitor for NTLM authentication attempts, which may indicate pass-the-hash attacks.

# 4624: Properties[10] = AuthenticationPackageName, [8] = LogonType, [18] = IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {$_.Properties[10].Value -eq 'NTLM'} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[5].Value}}, @{n='LogonType';e={$_.Properties[8].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}

7.2. Monitoring Kerberos Ticket Requests

Purpose: Identify unusual Kerberos ticket requests, which may indicate pass-the-ticket attacks.

# 4769: Properties[0] = TargetUserName, [2] = ServiceName, [5] = TicketEncryptionType, [6] = IpAddress; RC4 (0x17) tickets in an AES-enabled domain are the usual indicator of hash-derived or forged tickets
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | Where-Object {[int]$_.Properties[5].Value -eq 0x17} | Select-Object TimeCreated, @{n='Account';e={$_.Properties[0].Value}}, @{n='ServiceName';e={$_.Properties[2].Value}}, @{n='SourceIP';e={$_.Properties[6].Value}}

8. File Transfer and Data Staging

8.1. Detecting File Transfers via SMB

Purpose: Identify file transfers over SMB, which may indicate lateral movement.

# 5145 ("Audit Detailed File Share"): Properties[1] = SubjectUserName, [5] = IpAddress, [7] = ShareName, [9] = RelativeTargetName, [11] = AccessList (%%4416 ReadData, %%4417 WriteData)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5145} | Where-Object {$_.Properties[11].Value -match '%%4416|%%4417'} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='SourceIP';e={$_.Properties[5].Value}}, @{n='Share';e={$_.Properties[7].Value}}, @{n='File';e={$_.Properties[9].Value}}

8.2. Monitoring Use of RDP Clipboard for File Transfer

Purpose: Detect the use of RDP clipboard for transferring files.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; ID=150} | Where-Object {$_.Message -match "Clipboard"} | Select-Object TimeCreated, @{n='Details';e={$_.Message}}

9. Network and Protocol Analysis

9.1. Detecting Anomalous Network Traffic

Purpose: Identify unusual network traffic patterns that may indicate lateral movement.

# $KnownGoodIPs is a placeholder allow-list to fill in; a bare string literal would never exclude anything
$KnownGoodIPs = @('10.0.0.1')   # placeholder
Get-NetTCPConnection -State Established | Where-Object {$_.RemoteAddress -notin $KnownGoodIPs -and $_.RemoteAddress -notmatch '^(127\.|::1$)'} | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

9.2. Monitoring for Use of Lateral Movement Tools

Purpose: Detect the use of tools like SMBexec, CrackMapExec, or other lateral movement tools.

# 4688: Properties[5] = NewProcessName, [8] = CommandLine (needs command-line auditing enabled), [13] = ParentProcessName
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Properties[5].Value -match 'smbexec|crackmapexec' -or $_.Properties[8].Value -match 'smbexec|crackmapexec'} | Select-Object TimeCreated, @{n='ProcessName';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}, @{n='Parent';e={$_.Properties[13].Value}}

10. Anomalous Behaviour and Activity Monitoring

10.1. Detecting Anomalous Login Times

Purpose: Identify logins occurring at unusual times, indicating potential lateral movement.

# Restrict to interactive, network and RDP logons (Properties[8] = LogonType 2, 3, 10) by non-machine accounts; service and system logons run around the clock and would drown the result
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Where-Object {($_.TimeCreated.Hour -lt 6 -or $_.TimeCreated.Hour -gt 20) -and ($_.Properties[8].Value -in 2,3,10) -and ($_.Properties[5].Value -notlike '*$')} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[5].Value}}, @{n='LogonType';e={$_.Properties[8].Value}}, @{n='SourceIP';e={$_.Properties[18].Value}}

10.2. Monitoring for Unusual Access Patterns

Purpose: Detect unusual patterns of access to sensitive systems or data.

# 4663 carries no source address (it has no index 18), so pivot on the accessing account and process instead: Properties[1] = SubjectUserName, [6] = ObjectName, [11] = ProcessName. 'SensitiveData' and $KnownAccounts are placeholders
$KnownAccounts = @('svc_backup')   # placeholder: identities expected to touch the data
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} | Where-Object {($_.Properties[6].Value -match 'SensitiveData') -and ($_.Properties[1].Value -notin $KnownAccounts)} | Select-Object TimeCreated, @{n='User';e={$_.Properties[1].Value}}, @{n='ObjectName';e={$_.Properties[6].Value}}, @{n='Process';e={$_.Properties[11].Value}}
