The hypothesis is that the detection rule identifies potential lateral movement by monitoring unusual account access patterns, which could indicate an adversary moving through the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and respond to early-stage compromise attempts before they escalate.
YARA Rule
rule lateral_movement
{
    meta:
        date = "3/12/2014"
        author = "https://github.com/reed1713"
        description = "methodology sig looking for signs of lateral movement"
    strings:
        $type = "Microsoft-Windows-Security-Auditing"
        $eventid = "4688"
        $data = "PsExec.exe"
        $type1 = "Microsoft-Windows-Security-Auditing"
        $eventid1 = "4688"
        $data1 = "Windows\\System32\\net.exe"
        $type2 = "Microsoft-Windows-Security-Auditing"
        $eventid2 = "4688"
        $data2 = "Windows\\System32\\at.exe"
    condition:
        ($type and $eventid and $data) or ($type1 and $eventid1 and $data1) or ($type2 and $eventid2 and $data2)
}
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
Scenario: A system administrator is using PsExec to remotely execute a script on a Windows server for routine maintenance.
Filter/Exclusion: Check for the presence of known admin tools in the command line or process tree (e.g., PsExec, Psexec.exe, WMIC), and exclude processes initiated by admin accounts with elevated privileges.
Scenario: A scheduled job (e.g., via Task Scheduler or cron on Linux) is configured to run a legitimate script that copies files between servers for backup purposes.
Filter/Exclusion: Exclude processes associated with scheduled tasks or known backup tools (e.g., vssadmin, rsync, tar, cp), and filter by user account or time of execution.
Scenario: A remote desktop session (e.g., via RDP or SSH) is used to move files between systems as part of a legitimate data transfer process.
Filter/Exclusion: Exclude processes initiated from known remote access tools (e.g., mstsc.exe, ssh, scp) and filter by user context or network source.
Scenario: A system update or patching tool (e.g., Windows Update, WSUS, or Ansible) is copying files across the network to deploy patches.
Filter/Exclusion: Exclude processes associated with known patching tools (e.g., wuauclt.exe, ansible, yum, apt) and filter by file names or network destinations.
Scenario: A log collection tool (e.g., Splunk, ELK Stack, or Fluentd) is transferring logs between servers for centralized monitoring.
Filter/Exclusion: Exclude processes associated with log aggregation tools (e.g., splunkforwarder, logstash,
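As an added example (not part of this page or the rule author's work), the Python below replays the rule's condition over constructed 4688-style records, shows why a field-aware check is tighter than the rule's plain substring matching, and applies the scheduled-backup exclusion from the scenarios above. The "Key: value | Key: value" record layout, the account names and the allowlist are assumptions made for the example.

```python
# Mirrors the YARA rule above: provider, event id and the three process indicators.
PROVIDER = "Microsoft-Windows-Security-Auditing"
EVENT_ID = "4688"
INDICATORS = ("PsExec.exe", "Windows\\System32\\net.exe", "Windows\\System32\\at.exe")

# Constructed sample records in a simple exported-text layout (not real telemetry).
SAMPLES = [
    "Provider: Microsoft-Windows-Security-Auditing | EventID: 4688 | Account: CORP\\jdoe"
    " | New Process Name: C:\\Windows\\PsExec.exe",
    "Provider: Microsoft-Windows-Security-Auditing | EventID: 4688 | Account: CORP\\svc_backup"
    " | New Process Name: C:\\Windows\\System32\\net.exe",
    "Provider: Microsoft-Windows-Security-Auditing | EventID: 4624 | Account: CORP\\jdoe"
    " | Logon ID: 0x4688 | Process Name: C:\\Windows\\System32\\net.exe",
    "Provider: Microsoft-Windows-Security-Auditing | EventID: 4688 | Account: CORP\\jdoe"
    " | New Process Name: C:\\Windows\\System32\\notepad.exe",
]

# Assumed allowlist for the scheduled-backup scenario: this service account is expected
# to run net.exe, so the hit is suppressed instead of being raised as an alert.
ALLOWLIST = {("CORP\\svc_backup", "C:\\Windows\\System32\\net.exe")}

def yara_like_match(record: str) -> bool:
    """Same semantics as the YARA condition: case-sensitive substring tests with no
    field awareness, so '4688' anywhere in the record satisfies the $eventid string."""
    return PROVIDER in record and EVENT_ID in record and any(i in record for i in INDICATORS)

def parse_record(record: str) -> dict:
    """Split 'Key: value | Key: value' text into a dict of fields."""
    fields = {}
    for part in record.split(" | "):
        key, _, value = part.partition(": ")
        fields[key] = value
    return fields

def parsed_match(record: str) -> bool:
    """Field-aware check: the event id must be the EventID field and the indicator must
    be the created process itself, which removes the substring false positive."""
    f = parse_record(record)
    proc = f.get("New Process Name", "")
    return (f.get("Provider") == PROVIDER and f.get("EventID") == EVENT_ID
            and any(proc.endswith(i) for i in INDICATORS))

def alert(record: str) -> bool:
    """Detection plus tuning: drop allowlisted (account, process) pairs before alerting."""
    f = parse_record(record)
    if (f.get("Account"), f.get("New Process Name")) in ALLOWLIST:
        return False
    return parsed_match(record)
```

The third sample is a 4624 logon event that the substring rule still hits because "4688" and the net.exe path both appear in it, while the parsed check correctly ignores it.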