Purpose
Detect lateral movement in a Windows environment
Data Required
Windows event logs (ID 4648 or 552)
Collection Considerations
Check your domain audit policy to ensure that these events are being generated. Also, they are typically generated only on the host on which the authentication occurs, so you need to collect from both servers and user endpoints for full visibility.
Analysis Techniques
whitelisting / filtering
Description
Examine event logs for instances of explicit credentials being used (as with the batch processes being spawned, users using the Runas command or via pass-the-hash attacks). Whitelist recurring instances that are known to be authorized, and keep that whitelist up to date over time. Investigate any instances of explicit credential authentication that may be left.
Other Notes
More Info
Seek Evil, and Ye Shall Find: A Guide to Cyber Threat Hunting Operations, Tim Bandos, Digital Guardian