detecting-lateral-movement-in-network

Featured

Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows, SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

| Criterion | Weight | Score |
|---|---|---|
| Stars | 20% | 100 |
| Recency | 20% | 100 |
| Frontmatter | 20% | 70 |
| Documentation | 15% | 100 |
| Issue Health | 10% | 50 |
| License | 10% | 100 |
| Description | 5% | 100 |

Skill Content

# Detecting Lateral Movement in Network

## When to Use

- Monitoring enterprise networks for post-compromise lateral movement patterns (pass-the-hash, RDP hopping, PSExec)
- Building SIEM detection rules and alerts for common MITRE ATT&CK lateral movement techniques (T1021, T1570)
- Investigating suspected breaches by analyzing authentication patterns and network connections between internal hosts
- Hunting for anomalous east-west traffic patterns that indicate an attacker pivoting through the network
- Validating that network segmentation and access controls effectively limit lateral movement paths

**Do not use** as a substitute for endpoint detection and response (EDR) tools, for monitoring only north-south traffic while ignoring internal traffic flows, or without baseline knowledge of normal internal communication patterns.

## Prerequisites

- Network security monitoring deployed at internal choke points (Zeek, Suricata, or network TAPs)
- SIEM platform (Splunk, Elastic, Microsoft Sentinel) collecting Windows Security Event Logs, DNS, and flow data
- Windows Event Log forwarding configured for Security events (4624, 4625, 4648, 4672, 4768, 4769)
- Baseline of normal internal authentication and connection patterns
- Understanding of MITRE ATT&CK Lateral Movement tactics (TA0008)

## Workflow

### Step 1: Configure Log Collection for Lateral Movement Detection

```bash
# Windows Event Logs to collect (via WEF or agent):
# Security Log:
# 4624 - Successful logon (Type 3=...
```
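As an added illustration of the kind of correlation rule this workflow builds on the 4624 events it collects (example code written for this page, not part of the skill's repository), the function below flags an account that completes network logons (4624, LogonType 3) to an unusually large number of distinct internal hosts within a short window, a common signature of PsExec-style or pass-the-hash hopping. The event records, the field names, the five-minute window and the threshold of four hosts are all constructed assumptions; a real deployment would tune them against the baseline the prerequisites call for.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows Security events (not real telemetry).
# Fields mirror the 4624/4625 attributes a SIEM normalises: event time, EventID,
# LogonType, TargetUserName, IpAddress (source) and Computer (destination host).
def ev(time, eid, ltype, user, ip, host):
    return {"time": time, "EventID": eid, "LogonType": ltype,
            "TargetUserName": user, "IpAddress": ip, "Computer": host}

SAMPLE_EVENTS = [
    ev("2024-05-01T08:10:00", 4624, 3, "jdoe", "10.0.5.41", "FS01"),
    ev("2024-05-01T08:12:00", 4624, 2, "jdoe", "-", "WKS-03"),          # interactive, skipped
    ev("2024-05-01T09:00:05", 4624, 3, "svc_backup", "10.0.5.20", "FS01"),
    ev("2024-05-01T09:00:40", 4625, 3, "svc_backup", "10.0.5.20", "DC01"),  # failed logon, skipped
    ev("2024-05-01T09:01:10", 4624, 3, "svc_backup", "10.0.5.20", "WKS-17"),
    ev("2024-05-01T09:01:55", 4624, 3, "svc_backup", "10.0.5.20", "SQL01"),
    ev("2024-05-01T09:02:30", 4624, 3, "svc_backup", "10.0.5.20", "DC01"),
    ev("2024-05-01T09:03:00", 4624, 3, "svc_backup", "10.0.5.20", "FS01"),  # repeat host, not new
    ev("2024-05-01T11:30:00", 4624, 3, "jdoe", "10.0.5.41", "WKS-09"),
]

def fanout_alerts(events, window=timedelta(minutes=5), threshold=4):
    """Alert once per account that reaches >= threshold distinct hosts via
    network logons (EventID 4624, LogonType 3) inside a sliding time window."""
    by_time = sorted(events, key=lambda e: e["time"])   # ISO-8601 strings sort chronologically
    recent = defaultdict(deque)   # account -> deque of (timestamp, host, source_ip) in window
    fired, alerts = set(), []
    for e in by_time:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue   # only successful remote (network) logons count toward fan-out
        account = e["TargetUserName"]
        t = datetime.fromisoformat(e["time"])
        q = recent[account]
        q.append((t, e["Computer"], e["IpAddress"]))
        while q and t - q[0][0] > window:      # drop logons that fell out of the window
            q.popleft()
        hosts = {h for _, h, _ in q}
        if len(hosts) >= threshold and account not in fired:
            fired.add(account)
            alerts.append({"account": account, "hosts": sorted(hosts),
                           "sources": sorted({ip for _, _, ip in q}), "at": e["time"]})
    return alerts

if __name__ == "__main__":
    for a in fanout_alerts(SAMPLE_EVENTS):
        print(f"[ALERT] {a['account']} reached {len(a['hosts'])} hosts "
              f"{a['hosts']} from {a['sources']} by {a['at']}")
```

In the constructed sample only `svc_backup` trips the rule (four hosts in under three minutes); `jdoe`'s two logons are hours apart and the interactive and failed events are ignored, which is the baseline-aware behaviour the "Do not use" note above asks for.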

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-lateral-movement-with-splunk

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

12,642 Updated today
mukul975
AI & Automation Featured

performing-lateral-movement-detection

Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-lateral-movement-with-zeek

Detect lateral movement in network traffic using Zeek (formerly Bro) log analysis. Parses conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, kerberos.log, and ntlm.log to identify SMB file transfers, NTLM account spray activity, remote service execution, and anomalous internal connections.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-azure-lateral-movement

Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.

12,642 Updated today
mukul975
AI & Automation Solid

hunting-for-lateral-movement-via-wmi

Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence.

12,642 Updated today
mukul975