Splunk Lantern

Detecting lateral movement in a Windows environment

 

An advanced adversary trojanized a legitimate dynamic-link library (DLL) in your organization's software and fed it into your customers’ update cycle. After infection, the trojanized backdoor allowed the adversary to move laterally in a victim’s network and steal their critical data. The adversary carefully selected targets, changed their attacking infrastructure to match geographical location, and even named attacking hosts to match their victims to better disguise their traffic. By using a trusted software partner, they spread laterally across on-premises and cloud infrastructures to capture and exfiltrate data. You need searches to help with incident response.

How to use Splunk software for this use case

You can use Splunk software to find hosts where the adversary was able to gain a foothold or search for indicators of compromise related to specific lateral movement attacks. 

To deploy this use case, you need Splunk Security Essentials (SSE), a free application with a security content library. The searches use macros that come packaged with the Splunk Security Essentials application. 

Results

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Using external resources to inform yourself about the attack and possible ways to mitigate it, such as hunting for named pipes.
  • Using domain lookup files for specific threats, such as Sunburst Backdoor, to find hosts that have communicated with indicators of compromise.
  • Importing intelligence files for specific threats, such as Sunburst Backdoor, into your Splunk Enterprise Security application to facilitate your searches.
  • Reviewing external-to-internal network traffic to determine if unknown IP addresses have accessed your systems.

Measuring impact and benefit is critical to assessing the value of security operations. When implementing this use case, you might want to track how many of the following Active Directory objects and properties you identified that couldn't be associated with legitimate activity:

  • New service principals
  • New credentials
  • New permissions, role assignments, or tenant access
  • Custom domain changes

Additional resources 

These additional Splunk resources might help you understand and implement this use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.