performing-lateral-movement-detection


Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based spreading using SIEM correlation of Windows event logs, network flow data, and endpoint telemetry mapped to MITRE ATT&CK Lateral Movement (TA0008) techniques.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Quality Score: 99/100

| Component     | Weight | Score |
|---------------|--------|-------|
| Stars         | 20%    | 100   |
| Recency       | 20%    | 100   |
| Frontmatter   | 20%    | 70    |
| Documentation | 15%    | 100   |
| Issue Health  | 10%    | 50    |
| License       | 10%    | 100   |
| Description   | 5%     | 100   |

Skill Content

# Performing Lateral Movement Detection

## When to Use

Use this skill when:

- SOC teams need to detect attackers pivoting between systems after initial compromise
- Incident investigations require tracking an attacker's movement path through the network
- Detection engineering needs lateral movement rules mapped to ATT&CK TA0008 techniques
- Red/purple team exercises identify lateral movement detection gaps

**Do not use** for detecting initial access or external attacks: lateral movement detection focuses on internal host-to-host pivot activity.

## Prerequisites

- Windows Security Event Logs (EventCode 4624, 4625, 4648, 4672) from all endpoints and servers
- Sysmon deployed with process creation (EventCode 1), network connections (EventCode 3), and named pipe events (EventCode 17/18)
- Network flow data (NetFlow/sFlow, Zeek connection logs) for internal traffic analysis
- SIEM with cross-source correlation capability
- Baseline of normal internal authentication patterns

## Workflow

### Step 1: Detect Pass-the-Hash / Pass-the-Ticket (T1550)

**Pass-the-Hash Detection (EventCode 4624 with NTLM):**

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3 AuthenticationPackageName="NTLM"
| where TargetUserName!="ANONYMOUS LOGON" AND NOT like(TargetUserName, "%$")
| stats count, dc(ComputerName) AS unique_targets, values(ComputerName) AS targets by src_ip, TargetUserName
| where unique_targets > 3
| eval alert = "Possible Pass-the-Hash: NTLM network logon to ...
```
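The SPL above aggregates NTLM network logons per source address and account and alerts when one account reaches more than three distinct hosts. The following Python is an added example, not code from the skill or its repository, that applies the same filtering and aggregation logic to a constructed list of EventCode 4624 records so the rule can be checked offline. The field names (`src_ip`, `TargetUserName`, `ComputerName`, `LogonType`, `AuthenticationPackageName`) mirror the query; the sample events and the hostnames in them are invented for the demonstration. Machine accounts (names ending in `$`) and `ANONYMOUS LOGON` are excluded exactly as the query intends, and repeated logons to the same host count once, matching `dc(ComputerName)`.

```python
from collections import defaultdict

# Constructed sample of Windows Security 4624 events (not real telemetry).
# "alice" from 10.0.0.5 reaches four distinct hosts over NTLM: should alert.
# "bob" reaches only two hosts; "WS01$" is a machine account; "carol" uses
# Kerberos; ANONYMOUS LOGON is noise. None of those should alert.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "src_ip": "10.0.0.5", "ComputerName": "SRV01"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "src_ip": "10.0.0.5", "ComputerName": "SRV02"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "src_ip": "10.0.0.5", "ComputerName": "SRV02"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "src_ip": "10.0.0.5", "ComputerName": "SRV03"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "src_ip": "10.0.0.5", "ComputerName": "SRV04"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "src_ip": "10.0.0.7", "ComputerName": "SRV01"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "bob", "src_ip": "10.0.0.7", "ComputerName": "SRV05"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS01$", "src_ip": "10.0.0.5", "ComputerName": "DC01"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS01$", "src_ip": "10.0.0.5", "ComputerName": "DC02"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS01$", "src_ip": "10.0.0.5", "ComputerName": "FS01"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "WS01$", "src_ip": "10.0.0.5", "ComputerName": "FS02"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "src_ip": "10.0.0.9", "ComputerName": "SRV01"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "src_ip": "10.0.0.9", "ComputerName": "SRV02"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "src_ip": "10.0.0.9", "ComputerName": "SRV03"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "carol", "src_ip": "10.0.0.9", "ComputerName": "SRV04"},
    {"EventCode": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "ANONYMOUS LOGON", "src_ip": "10.0.0.5", "ComputerName": "SRV06"},
]


def is_ntlm_network_logon(event):
    """Mirror the search filter: 4624, logon type 3 (network), NTLM,
    excluding ANONYMOUS LOGON and machine accounts (names ending in '$')."""
    user = event.get("TargetUserName", "")
    return (event.get("EventCode") == 4624
            and event.get("LogonType") == 3
            and event.get("AuthenticationPackageName") == "NTLM"
            and user != "ANONYMOUS LOGON"
            and not user.endswith("$"))


def detect_pass_the_hash(events, threshold=3):
    """Group NTLM network logons by (src_ip, user) and alert when the
    number of distinct target hosts exceeds `threshold` (the query's > 3).
    Returns a list of alert dicts sorted by source address and user."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for event in events:
        if not is_ntlm_network_logon(event):
            continue
        key = (event["src_ip"], event["TargetUserName"])
        groups[key]["count"] += 1
        groups[key]["targets"].add(event["ComputerName"])

    alerts = []
    for (src_ip, user), group in sorted(groups.items()):
        unique_targets = len(group["targets"])
        if unique_targets > threshold:
            alerts.append({
                "src_ip": src_ip,
                "user": user,
                "count": group["count"],
                "unique_targets": unique_targets,
                "targets": sorted(group["targets"]),
                "alert": "Possible Pass-the-Hash: NTLM network logon to "
                         f"{unique_targets} hosts from {src_ip} as {user}",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_pass_the_hash(SAMPLE_EVENTS):
        print(alert["alert"], alert["targets"])
```

The threshold of three distinct hosts is the query's choice, not a universal constant; tune it against the baseline of normal internal authentication listed in the prerequisites, since backup agents and administrators' jump hosts legitimately authenticate to many systems and should be allowlisted by `src_ip` rather than by raising the threshold for everyone.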

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
