Create win_lateral_movement

EID 4674 with the proposed attributes is very rare in prod environment. https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm
2024-11-07 09:48:58 +00:00 · 2021-04-27 22:55:58 +10:00 · 2021-04-27 22:55:58 +10:00 · f75ad98903
commit f75ad98903
parent 9166167447
1 changed files with 25 additions and 0 deletions
--- a/rules/windows/other/win_lateral_movement
+++ b/rules/windows/other/win_lateral_movement
@ -0,0 +1,25 @@
+title: Lateral Movement Indicator
+id: 29d31aee-30f4-4006-85a9-a4a02d65306c
+status: stable
+description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context.
+author: Janantha Marasinghe
+date: 2021/04/27
+tags:
+    - attack.lateral_movement
+    - attack.execution
+    - attack.t1021  
+    - attack.t1059
+logsource:
+    product: windows
+    service: security
+    definition: 
+detection:
+    selection:
+          EventID: 4674
+          ObjectType: 'Security'
+          ObjectType: 'File'
+          ObjectName: '\Device\ConDrv'
+    condition: selection
+falsepositives:
+    - Penetration tests where lateral movement has occured. This event will be created on the target host.
+level: high