From cybersecurity-skills
Detects lateral movement techniques like Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB spreading using SIEM queries on Windows event logs, Sysmon, and network flows, mapped to MITRE ATT&CK TA0008.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills
This skill uses the workspace's default tool permissions.
Use this skill when:
Do not use for detecting initial access or external attacks — lateral movement detection focuses on internal host-to-host pivot activity.
Pass-the-Hash Detection (EventCode 4624 with NTLM):
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
AuthenticationPackageName="NTLM"
| where TargetUserName!="ANONYMOUS LOGON" AND NOT like(TargetUserName, "%$")
| stats count, dc(ComputerName) AS unique_targets, values(ComputerName) AS targets
by src_ip, TargetUserName
| where unique_targets > 3
| eval alert = "Possible Pass-the-Hash: NTLM network logon to ".unique_targets." hosts"
| sort - unique_targets
| table src_ip, TargetUserName, unique_targets, count, targets, alert
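The same fan-out logic as the Pass-the-Hash query above, written in Python over constructed sample 4624 events so the filter and threshold can be checked offline. This is an added example, not code from the skill; the field names and the threshold of more than three distinct hosts follow the SPL.

```python
from collections import defaultdict

# Constructed sample Security 4624 events; field names follow the SPL above.
SAMPLE_4624 = [
    {"src_ip": "192.168.1.105", "TargetUserName": "admin_compromised", "Logon_Type": 3,
     "AuthenticationPackageName": "NTLM", "ComputerName": host}
    for host in ("DC-PRIMARY", "DC-BACKUP", "FILESERVER-01", "DB-PRIMARY")
] + [
    # Same user over Kerberos: not NTLM, so not counted as Pass-the-Hash evidence.
    {"src_ip": "192.168.1.105", "TargetUserName": "admin_compromised", "Logon_Type": 3,
     "AuthenticationPackageName": "Kerberos", "ComputerName": "PRINT-01"},
    # Machine account and anonymous logons are dropped by the filter.
    {"src_ip": "10.0.5.20", "TargetUserName": "DC-PRIMARY$", "Logon_Type": 3,
     "AuthenticationPackageName": "NTLM", "ComputerName": "DC-BACKUP"},
    {"src_ip": "10.0.9.9", "TargetUserName": "ANONYMOUS LOGON", "Logon_Type": 3,
     "AuthenticationPackageName": "NTLM", "ComputerName": "FILESERVER-01"},
    # Ordinary user on two file servers: stays under the threshold.
    {"src_ip": "192.168.1.77", "TargetUserName": "jdoe", "Logon_Type": 3,
     "AuthenticationPackageName": "NTLM", "ComputerName": "FILESERVER-01"},
    {"src_ip": "192.168.1.77", "TargetUserName": "jdoe", "Logon_Type": 3,
     "AuthenticationPackageName": "NTLM", "ComputerName": "FILESERVER-02"},
]

def is_candidate(ev):
    """Mirror the SPL filter: NTLM network logon, not anonymous, not a machine account."""
    user = ev.get("TargetUserName", "")
    return (ev.get("Logon_Type") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and user != "ANONYMOUS LOGON"
            and not user.endswith("$"))

def detect_pth(events, threshold=3):
    """Group by (src_ip, TargetUserName) like the stats clause, then alert when the
    number of distinct target hosts exceeds the threshold; results sorted by fan-out."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for ev in filter(is_candidate, events):
        group = groups[(ev["src_ip"], ev["TargetUserName"])]
        group["count"] += 1
        group["targets"].add(ev["ComputerName"])
    alerts = []
    for (src_ip, user), group in groups.items():
        n = len(group["targets"])
        if n > threshold:
            alerts.append({"src_ip": src_ip, "TargetUserName": user, "unique_targets": n,
                           "count": group["count"], "targets": sorted(group["targets"]),
                           "alert": f"Possible Pass-the-Hash: NTLM network logon to {n} hosts"})
    return sorted(alerts, key=lambda a: -a["unique_targets"])
```

Run on the sample, only the admin_compromised source crosses the threshold; lowering the threshold to 1 also surfaces jdoe, which is the kind of tuning trade-off to weigh against your own environment's normal fan-out.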
Overpass-the-Hash Detection (Kerberos with RC4):
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
TicketEncryptionType="0x17"
| where ServiceName!="krbtgt" AND NOT like(ServiceName, "%$")
| stats count, dc(ServiceName) AS unique_services by src_ip, TargetUserName
| where count > 5
| eval alert = "Possible Overpass-the-Hash: RC4 Kerberos tickets from ".src_ip
| table _time, src_ip, TargetUserName, unique_services, count, alert
Golden/Silver Ticket Detection (T1558):
--- A ticket lifetime over 36000 seconds (more than 10 hours) is abnormal
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
| where TicketOptions="0x40810000" OR TicketOptions="0x40800000"
| eval ticket_lifetime = TicketExpireTime - TicketIssueTime
| where ticket_lifetime > 36000
| stats count by src_ip, TargetUserName, ServiceName, TicketEncryptionType, TicketOptions
| eval alert = "Possible Golden/Silver Ticket: Abnormal ticket properties"
PsExec Detection (T1021.002):
--- Via Sysmon process creation
index=sysmon EventCode=1
(Image="*\\psexec.exe" OR Image="*\\psexesvc.exe"
OR OriginalFileName="psexec.c" OR OriginalFileName="psexesvc.exe"
OR ParentImage="*\\psexesvc.exe")
| table _time, Computer, User, ParentImage, Image, CommandLine, Hashes
--- Via named pipe creation (Sysmon EventCode 17)
index=sysmon EventCode=17
PipeName IN ("\\PSEXESVC*", "\\RemCom*", "\\csexec*")
| table _time, Computer, User, Image, PipeName
--- Via Windows service creation (EventCode 7045)
index=wineventlog sourcetype="WinEventLog:System" EventCode=7045
(ServiceName="PSEXESVC" OR ServiceFileName="*PSEXESVC*")
| table _time, Computer, ServiceName, ServiceFileName, AccountName
WMI Remote Execution (T1047):
index=sysmon EventCode=1
(Image="*\\wmic.exe" AND CommandLine="*/node:*")
OR (ParentImage="*\\WmiPrvSE.exe" AND Image IN ("*\\cmd.exe", "*\\powershell.exe"))
| eval execution_type = case(
match(Image, "wmic"), "WMI Command Line",
match(ParentImage, "WmiPrvSE"), "WMI Provider Host (remote execution)"
)
| table _time, Computer, User, execution_type, ParentImage, Image, CommandLine
WinRM/PowerShell Remoting (T1021.006):
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=3 AuthenticationPackageName="Kerberos"
(ProcessName="*\\wsmprovhost.exe" OR ProcessName="*\\powershell.exe")
| stats count, dc(ComputerName) AS unique_targets by src_ip, TargetUserName
| where unique_targets > 2
| eval alert = "PowerShell Remoting to ".unique_targets." hosts from ".src_ip
--- Sysmon variant
index=sysmon EventCode=1
ParentImage="*\\wsmprovhost.exe"
Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\csc.exe")
| table _time, Computer, User, Image, CommandLine
RDP Lateral Movement (T1021.001):
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| stats count, dc(ComputerName) AS rdp_targets, values(ComputerName) AS destinations,
earliest(_time) AS first_rdp, latest(_time) AS last_rdp
by src_ip, TargetUserName
| where rdp_targets > 2
| eval duration_hours = round((last_rdp - first_rdp) / 3600, 1)
| eval alert = TargetUserName." RDP'd to ".rdp_targets." hosts in ".duration_hours." hours"
| sort - rdp_targets
Anomalous SMB Traffic Patterns:
index=firewall OR index=zeek sourcetype IN ("pan:traffic", "bro:conn:json")
dest_port=445 action=allowed
| where src_ip!=dest_ip
| stats count AS smb_sessions, dc(dest_ip) AS unique_targets,
sum(bytes_out) AS total_bytes
by src_ip
| where unique_targets > 10
| eval alert = case(
unique_targets > 50, "CRITICAL: Mass SMB enumeration from ".src_ip,
unique_targets > 20, "HIGH: Significant SMB lateral movement",
unique_targets > 10, "MEDIUM: Elevated SMB connections"
)
| sort - unique_targets
Admin Share Access (C$, ADMIN$):
index=wineventlog sourcetype="WinEventLog:Security" EventCode=5140
ShareName IN ("\\\\*\\C$", "\\\\*\\ADMIN$", "\\\\*\\IPC$")
| where SubjectUserName!="SYSTEM" AND NOT like(SubjectUserName, "%$")
| stats count, dc(ComputerName) AS unique_hosts by SubjectUserName, ShareName, src_ip
| where unique_hosts > 3
| eval alert = "Admin share access to ".unique_hosts." hosts by ".SubjectUserName
| sort - unique_hosts
Visualize the attack path:
--- Build source->destination graph for authentication events
index=wineventlog EventCode=4624 Logon_Type IN (3, 10)
earliest=-24h
| stats count AS connections, latest(_time) AS last_connection
by src_ip, ComputerName, TargetUserName, Logon_Type
| eval edge = src_ip." -> ".ComputerName." (User: ".TargetUserName.", Type: ".Logon_Type.")"
| sort - connections
| table edge, connections, last_connection
--- Network flow correlation
index=netflow earliest=-24h
dest_port IN (445, 135, 3389, 5985, 5986)
| stats sum(bytes) AS total_bytes, count AS flow_count,
dc(dest_ip) AS targets by src_ip, dest_port
| where targets > 5
| eval service = case(
dest_port=445, "SMB",
dest_port=135, "RPC/WMI",
dest_port=3389, "RDP",
dest_port IN (5985, 5986), "WinRM"
)
| sort - targets
| table src_ip, service, targets, flow_count, total_bytes
DCOM Lateral Execution (T1021.003):
index=sysmon EventCode=1
ParentImage IN ("*\\mmc.exe", "*\\excel.exe", "*\\outlook.exe")
Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\mshta.exe")
ParentCommandLine="*-Embedding*"
| eval alert = "DCOM-based lateral movement: ".ParentImage." spawned ".Image
| table _time, Computer, User, ParentImage, Image, CommandLine, alert
Remote Scheduled Task Creation (T1053.005):
index=wineventlog EventCode=4698
| where SubjectUserName!="SYSTEM"
| eval task_xml = TaskContent
| search task_xml="*http*" OR task_xml="*powershell*" OR task_xml="*cmd*" OR task_xml="*\\Temp\\*"
| table _time, Computer, SubjectUserName, TaskName, task_xml
Build end-to-end attack chain detection:
--- Detect complete lateral movement sequence
index=wineventlog OR index=sysmon
(EventCode=4625 OR EventCode=4624 OR EventCode=1 OR EventCode=4698 OR EventCode=5140)
| eval phase = case(
EventCode=4625, "1-Recon/BruteForce",
EventCode=4624 AND Logon_Type=3, "2-Lateral Movement",
EventCode=5140 AND match(ShareName, "C\$|ADMIN\$"), "3-Admin Share Access",
EventCode=1 AND match(ParentImage, "(?i)psexesvc|WmiPrvSE|wsmprovhost"), "4-Remote Execution",
EventCode=4698, "5-Persistence (Scheduled Task)",
1=1, "other"
)
| where phase!="other"
| fillnull value="-" src_ip ComputerName TargetUserName
| stats count, latest(_time) AS last_seen by phase, src_ip, ComputerName, TargetUserName
| sort phase, last_seen
| table phase, src_ip, ComputerName, TargetUserName, count, last_seen
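The phase tagging of the attack chain query above, as an added Python example (not the skill's own code) run over constructed sample events. It mirrors the case() branches and the stats grouping, and keeps Sysmon events that carry no src_ip, which a plain `stats ... by src_ip` would silently drop.

```python
import re
from collections import Counter

# Same patterns as the SPL case() branches; SPL match() is PCRE, so (?i) maps to IGNORECASE.
SHARE_RE = re.compile(r"C\$|ADMIN\$")
REMOTE_EXEC_RE = re.compile(r"psexesvc|WmiPrvSE|wsmprovhost", re.IGNORECASE)

def phase_of(ev):
    """Mirror the SPL case(): the first matching branch wins, anything else is 'other'."""
    code = ev.get("EventCode")
    if code == 4625:
        return "1-Recon/BruteForce"
    if code == 4624 and ev.get("Logon_Type") == 3:
        return "2-Lateral Movement"
    if code == 5140 and SHARE_RE.search(ev.get("ShareName", "")):
        return "3-Admin Share Access"
    if code == 1 and REMOTE_EXEC_RE.search(ev.get("ParentImage", "")):
        return "4-Remote Execution"
    if code == 4698:
        return "5-Persistence (Scheduled Task)"
    return "other"

def chain_summary(events):
    """stats count by phase, src_ip, ComputerName, TargetUserName, rows ordered by phase.
    Missing by-fields become '-' (the fillnull step) so Sysmon rows are not lost."""
    counts = Counter()
    for ev in events:
        phase = phase_of(ev)
        if phase != "other":
            counts[(phase, ev.get("src_ip", "-"), ev.get("ComputerName", "-"),
                    ev.get("TargetUserName", "-"))] += 1
    cols = ("phase", "src_ip", "ComputerName", "TargetUserName", "count")
    return [dict(zip(cols, key + (n,))) for key, n in sorted(counts.items())]

# Constructed sample: one pivot sequence plus two noise events that must be dropped.
SAMPLE_EVENTS = [
    {"EventCode": 4625, "src_ip": "192.168.1.105", "ComputerName": "DC-PRIMARY", "TargetUserName": "admin_compromised"},
    {"EventCode": 4625, "src_ip": "192.168.1.105", "ComputerName": "DC-PRIMARY", "TargetUserName": "admin_compromised"},
    {"EventCode": 4624, "Logon_Type": 3, "src_ip": "192.168.1.105", "ComputerName": "DC-PRIMARY", "TargetUserName": "admin_compromised"},
    {"EventCode": 4624, "Logon_Type": 2, "src_ip": "192.168.1.105", "ComputerName": "WORKSTATION-042", "TargetUserName": "jdoe"},
    {"EventCode": 5140, "ShareName": "\\\\*\\ADMIN$", "src_ip": "192.168.1.105", "ComputerName": "FILESERVER-01", "TargetUserName": "admin_compromised"},
    {"EventCode": 5140, "ShareName": "\\\\*\\Public", "src_ip": "192.168.1.77", "ComputerName": "FILESERVER-01", "TargetUserName": "jdoe"},
    {"EventCode": 1, "ParentImage": "C:\\Windows\\PSEXESVC.exe", "ComputerName": "FILESERVER-01"},
    {"EventCode": 4698, "src_ip": "10.0.10.15", "ComputerName": "DB-PRIMARY", "TargetUserName": "admin_compromised"},
]
```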
| Term | Definition |
|---|---|
| Lateral Movement | Post-compromise technique where attackers pivot between systems to reach targets |
| Pass-the-Hash | Using stolen NTLM hash for authentication without knowing the plaintext password |
| Pass-the-Ticket | Using stolen Kerberos TGT/TGS tickets for authentication across the domain |
| PsExec | Sysinternals tool (and attack technique) for remote process execution via SMB and named pipes |
| WMI Execution | Using Windows Management Instrumentation for remote command execution via DCOM or WinRM |
| Admin Share | Default Windows administrative shares (C$, ADMIN$, IPC$) used for remote system management |
LATERAL MOVEMENT DETECTION REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Period: 2024-03-15 14:00 to 18:00 UTC
Source: 192.168.1.105 (WORKSTATION-042)
Movement Path:
14:23 192.168.1.105 → 10.0.5.20 (DC-PRIMARY) — PtH via NTLM Type 3
14:25 10.0.5.20 → 10.0.5.21 (DC-BACKUP) — Kerberos ticket reuse
14:28 10.0.5.20 → 10.0.10.15 (FILESERVER-01) — PsExec service creation
14:32 10.0.10.15 → 10.0.10.20 (DB-PRIMARY) — WMI remote execution
14:35 10.0.10.20 → 10.0.10.25 (DB-BACKUP) — SMB admin share access
Techniques Detected:
T1550.002 — Pass-the-Hash (NTLM authentication to DC)
T1021.002 — PsExec (remote service installation)
T1047 — WMI Execution (WmiPrvSE child process)
T1021.002 — SMB Admin Share (C$ access on DB-BACKUP)
Affected Systems: 5 hosts across 2 network segments
User Account: admin_compromised (Domain Admin)
Containment: All 5 hosts isolated at 14:45 UTC