detecting-lateral-movement-with-splunk

Featured

Detect adversary lateral movement across networks using Splunk SPL queries against Windows authentication logs, SMB traffic, and remote service abuse.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0


Quality Score: 99/100

Stars (20%): 100
Recency (20%): 100
Frontmatter (20%): 70
Documentation (15%): 100
Issue Health (10%): 50
License (10%): 100
Description (5%): 100

Skill Content

# Detecting Lateral Movement with Splunk

## When to Use

- When hunting for adversary movement between compromised systems
- After detecting credential theft to trace subsequent lateral activity
- When investigating unusual authentication patterns across the network
- During incident response to scope the breadth of compromise
- When proactively hunting for TA0008 (Lateral Movement) techniques

## Prerequisites

- Splunk Enterprise or Splunk Cloud with Windows event data ingested
- Windows Security Event Logs forwarded (4624, 4625, 4648, 4672, 4768, 4769)
- Sysmon deployed for process creation and network connection data
- Network flow data or firewall logs for SMB/RDP/WinRM correlation
- Active Directory user and group membership reference data

## Workflow

1. **Define Lateral Movement Scope**: Identify which lateral movement techniques to hunt (RDP, SMB/Admin Shares, WinRM, PsExec, WMI, DCOM, SSH).
2. **Query Authentication Events**: Use SPL to search for Type 3 (Network) and Type 10 (RemoteInteractive) logons across the environment.
3. **Build Authentication Graphs**: Map source-to-destination authentication relationships to identify unusual connection patterns.
4. **Detect First-Time Relationships**: Identify new source-destination pairs that have not been seen in the historical baseline.
5. **Correlate with Process Activity**: Link authentication events to subsequent process creation on destination hosts.
6. **Identify Anomalous Patterns**: Flag lateral movement to sen...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-lateral-movement-in-network

Identifies lateral movement techniques in enterprise networks by analyzing authentication logs, network flows, SMB traffic, and RDP sessions using Zeek, Velociraptor, and SIEM correlation rules to detect attackers moving between systems.

12,642 Updated today
mukul975
AI & Automation Featured

performing-lateral-movement-detection

Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-azure-lateral-movement

Detect lateral movement in Azure AD/Entra ID environments using Microsoft Graph API audit logs, Azure Sentinel KQL hunting queries, and sign-in anomaly correlation to identify privilege escalation, token theft, and cross-tenant pivoting.

12,642 Updated today
mukul975
AI & Automation Solid

hunting-for-lateral-movement-via-wmi

Detect WMI-based lateral movement by analyzing Windows Event ID 4688 process creation and Sysmon Event ID 1 for WmiPrvSE.exe child process patterns, remote process execution, and WMI event subscription persistence.

12,642 Updated today
mukul975
AI & Automation Featured

hunting-for-dcom-lateral-movement

Hunt for DCOM-based lateral movement by detecting abuse of MMC20.Application, ShellBrowserWindow, and ShellWindows COM objects through Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) correlation, WMI event analysis, RPC endpoint mapper traffic on port 135, and DCOM-specific parent-child process relationships.

12,642 Updated today
mukul975