@0xAnalyst
Last active November 15, 2020 06:44
Threat Hints tips
By Protocols / Services
1- Server Message Block (SMB)
2- Service Control Manager (SCM)
3- Task Scheduler
4- Windows Management Instrumentation (WMI)
4-1 WMI-Activity event log
Event ID 2 with win32_process::Create in the operation text
5- Windows Remote Management (WinRM)
5-1 Event 4688 (process creation) with winrshost.exe as the parent process
6- Distributed Component Object Model (DCOM)
6-1 mmc.exe (MMC) as the parent process
6-2 A process whose command line contains "/automation -Embedding" (visible in Sysmon / EDR process-creation telemetry)
7- Remote Desktop
Authentication Protocols
1- Kerberos
1-1 Event=4769 And ServiceName=*$ group by (Client Address) where unique(ServiceName) > [Threshold]
The *$ filter keeps computer accounts only (host/cifs SPNs), which drops krbtgt renewals and user SPNs.
Reason (why one client address requests service tickets for many distinct computer accounts):
An adversary moving laterally (or helpdesk deploying software)
Host enumeration (file shares, PowerUpSQL, etc.)
BloodHound
2- NTLM
2-1 Event=4776 And (ComputerName=Dc1 Or …) group by (Source Workstation) where unique(ComputerName) > [Threshold]
Reason: an adversary moving laterally with NTLM-based tools such as Metasploit, Impacket, CrackMapExec, smbexec, etc.
Caveat: 4776 is written by the system that validated the credential (a DC for domain accounts, the member host itself for local accounts), so the count of distinct ComputerName values only reflects spread across targets if 4776 is collected from member hosts as well as from DCs.
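The two authentication "spread" hunts above (Kerberos 4769 by client address, NTLM 4776 by source workstation), as an added example that is not part of the original gist. It runs over constructed sample events, not real telemetry; field names follow the Security event XML (IpAddress, ServiceName, Workstation) with the logging host carried as Computer.

```python
"""Added example, not from the original gist: the Kerberos and NTLM
authentication-spread hunts run over constructed sample events."""
from collections import defaultdict


def _client_ip(raw):
    """4769 records the client as an IPv6-mapped IPv4 (::ffff:10.0.0.50);
    strip the prefix so the same host is not counted twice."""
    return raw[7:] if raw.startswith("::ffff:") else raw


def kerberos_spread(events, threshold):
    """Clients that requested service tickets for more than `threshold`
    distinct computer accounts. Returns {client_ip: sorted service names}."""
    per_client = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        svc = e.get("ServiceName", "")
        if not svc.endswith("$"):        # ServiceName=*$ : skip krbtgt and user SPNs
            continue
        per_client[_client_ip(e["IpAddress"])].add(svc.upper())
    return {ip: sorted(s) for ip, s in per_client.items() if len(s) > threshold}


def ntlm_spread(events, threshold):
    """Source workstations whose NTLM credentials were validated by more than
    `threshold` distinct computers. 'Computer' is the logging host: a DC for
    domain accounts, the member host itself for local accounts, so spread
    across members only shows up if 4776 is collected from them as well.
    Failed attempts (Status != 0x0) are kept on purpose: spraying also spreads."""
    per_ws = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4776:
            continue
        per_ws[e["Workstation"].upper()].add(e["Computer"].upper())
    return {ws: sorted(c) for ws, c in per_ws.items() if len(c) > threshold}


# Constructed sample data (not real logs).
KERB_EVENTS = [
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.50", "ServiceName": "SRV01$"},
    {"EventID": 4769, "IpAddress": "10.0.0.50", "ServiceName": "SRV01$"},        # same host, plain IPv4
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.50", "ServiceName": "SRV02$"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.50", "ServiceName": "SRV03$"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.50", "ServiceName": "FS01$"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.50", "ServiceName": "WS01$"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.50", "ServiceName": "krbtgt"},  # TGT renewal, ignored
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.51", "ServiceName": "FS01$"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.51", "ServiceName": "WS02$"},
    {"EventID": 4769, "IpAddress": "::ffff:10.0.0.52", "ServiceName": "sqlsvc"},  # user SPN, ignored
    {"EventID": 4768, "IpAddress": "::ffff:10.0.0.52", "ServiceName": "krbtgt"},  # TGT request, other event
]

NTLM_EVENTS = [
    {"EventID": 4776, "Computer": "DC1", "Workstation": "WS-ATTACK", "Status": "0x0"},
    {"EventID": 4776, "Computer": "SRV01", "Workstation": "WS-ATTACK", "Status": "0x0"},
    {"EventID": 4776, "Computer": "SRV02", "Workstation": "WS-ATTACK", "Status": "0x0"},
    {"EventID": 4776, "Computer": "FS01", "Workstation": "WS-ATTACK", "Status": "0xC000006A"},
    {"EventID": 4776, "Computer": "DC1", "Workstation": "ws-attack", "Status": "0x0"},
    {"EventID": 4776, "Computer": "DC1", "Workstation": "WS-HR07", "Status": "0x0"},
]

if __name__ == "__main__":
    print(kerberos_spread(KERB_EVENTS, 3))   # only 10.0.0.50 exceeds 3 computer accounts
    print(ntlm_spread(NTLM_EVENTS, 2))       # only WS-ATTACK was validated by more than 2 hosts
```

The threshold is the tuning knob: set it from a baseline of how many distinct hosts a normal workstation touches per day, and whitelist known deployment servers and vulnerability scanners before alerting.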
References
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536265369.pdf
By Technique
Lateral Movement
Application Deployment Software
Component Object Model and Distributed COM - T1175
Definition
The Distributed Component Object Model (DCOM) Remote Protocol is a protocol for exposing application objects by way of remote procedure calls (RPCs). The protocol consists of a set of extensions layered on Microsoft Remote Procedure Call Protocol Extensions as specified in [MS-RPCE].
Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM.
Detection
QRadar AQL over Event ID 5158 (Windows Filtering Platform permitted a bind to a local port) where the payload names explorer.exe. explorer.exe hosts the ShellWindows / ShellBrowserWindow objects used for DCOM lateral movement, so explorer.exe binding a new local port is what serving those objects over DCOM looks like on the target:
select sourceport, destinationport from events where eventid=5158 and UTF8(payload) IMATCHES '(?i)(.*explorer\.exe.*)' last 30 DAYS
mmc.exe (MMC) as the parent process (MMC20.Application)
A process whose command line contains "/automation -Embedding" (visible in Sysmon / EDR process-creation telemetry)
https://hackdefense.com/assets/downloads/automating-the-enumeration-of-possible-dcom-vulnerabilities-axel-boesenach-v1.0.pdf
https://ired.team/offensive-security/lateral-movement/t1175-distributed-component-object-model
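The process-creation hints for WinRM and DCOM from the "By Protocols / Services" list and from this Detection section (winrshost.exe or mmc.exe as the parent, "-Embedding" on the command line), as an added example that is not part of the original gist. It runs over constructed Sysmon Event ID 1 / Security 4688 style records. wsmprovhost.exe, the PowerShell Remoting host process, is added here as a second WinRM parent and is not mentioned in the gist.

```python
"""Added example, not from the original gist: parent/command-line hints for
WinRM and DCOM lateral movement applied to constructed process-creation records."""

WINRM_PARENTS = {"winrshost.exe", "wsmprovhost.exe"}   # winrs sessions / PowerShell Remoting (wsmprovhost added here)
DCOM_PARENTS = {"mmc.exe"}                             # MMC20.Application.Document.ActiveView.ExecuteShellCommand
EMBEDDING_FLAG = "embedding"                           # "-Embedding" / "/Embedding": COM server started by activation


def _basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the lateral-movement hints one process-creation record matches."""
    hints = []
    parent = _basename(event.get("ParentImage", ""))
    tokens = event.get("CommandLine", "").lower().split()
    if parent in WINRM_PARENTS:
        hints.append("winrm: parent " + parent)
    if parent in DCOM_PARENTS:
        hints.append("dcom: parent " + parent)
    # Match the switch as a whole token so "-embeddingfoo" is not a hit.
    if any(tok.lstrip("-/") == EMBEDDING_FLAG for tok in tokens):
        hints.append("dcom: -Embedding on command line")
    return hints


def hunt(events):
    """[(image basename, hints)] for every record that matches at least one hint."""
    out = []
    for e in events:
        hints = classify(e)
        if hints:
            out.append((_basename(e.get("Image", "")), hints))
    return out


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\winrshost.exe",
     "CommandLine": r'cmd.exe /c "whoami"'},                                   # winrs -r:target cmd
    {"Image": r"C:\Windows\System32\mmc.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" -Embedding'},              # MMC20.Application activated
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r"cmd.exe /c calc.exe"},                                   # ExecuteShellCommand child
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /automation -Embedding'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},                                            # benign, no hint
]

if __name__ == "__main__":
    for image, hints in hunt(SAMPLE_EVENTS):
        print(image, hints)
```

"-Embedding" also appears on perfectly local COM activations (a user opening an Office document through a COM client), so treat the command-line hint as a pivot, not an alert: correlate it with a network logon (4624, logon type 3) from the same remote source around the same time before escalating.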
Exploitation of Remote Services
Internal Spearphishing
Logon Scripts
Pass the Hash
Pass the Ticket
Remote Desktop Protocol
Remote File Copy
Remote Services
Replication Through Removable Media
Shared Webroot
SSH Hijacking
Taint Shared Content
Third-party Software
Windows Admin Shares
Windows Remote Management