OpenSkillIndex← back to search
claude-code

Anthropic-Cybersecurity-Skills performing-lateral-movement-detection

'Detects lateral movement techniques including Pass-the-Hash, PsExec, WMI execution, RDP pivoting, and SMB-based

install
source · Clone the upstream repo
git clone https://github.com/mukul975/Anthropic-Cybersecurity-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/mukul975/Anthropic-Cybersecurity-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/performing-lateral-movement-detection" ~/.claude/skills/mukul975-anthropic-cybersecurity-skills-performing-lateral-movement-detection && rm -rf "$T"
manifest: skills/performing-lateral-movement-detection/SKILL.md
source content

Performing Lateral Movement Detection

When to Use

Use this skill when:

  • SOC teams need to detect attackers pivoting between systems after initial compromise
  • Incident investigations require tracking an attacker's movement path through the network
  • Detection engineering needs lateral movement rules mapped to ATT&CK TA0008 techniques
  • Red/purple team exercises identify lateral movement detection gaps

Do not use for detecting initial access or external attacks — lateral movement detection focuses on internal host-to-host pivot activity.

Prerequisites

  • Windows Security Event Logs (EventCode 4624, 4625, 4648, 4672) from all endpoints and servers
  • Sysmon deployed with process creation (EventCode 1), network connections (EventCode 3), and named pipe (EventCode 17/18)
  • Network flow data (NetFlow/sFlow, Zeek connection logs) for internal traffic analysis
  • SIEM with cross-source correlation capability
  • Baseline of normal internal authentication patterns

Workflow

Step 1: Detect Pass-the-Hash / Pass-the-Ticket (T1550)

Pass-the-Hash Detection (EventCode 4624 with NTLM):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
AuthenticationPackageName="NTLM"
| where TargetUserName!="ANONYMOUS LOGON" AND TargetUserName!="$"
| stats count, dc(ComputerName) AS unique_targets, values(ComputerName) AS targets
  by src_ip, TargetUserName
| where unique_targets > 3
| eval alert = "Possible Pass-the-Hash: NTLM network logon to ".unique_targets." hosts"
| sort - unique_targets
| table src_ip, TargetUserName, unique_targets, count, targets, alert

Overpass-the-Hash Detection (Kerberos with RC4):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
TicketEncryptionType="0x17"
| where ServiceName!="krbtgt" AND ServiceName!="$"
| stats count, dc(ServiceName) AS unique_services by src_ip, TargetUserName
| where count > 5
| eval alert = "Possible Overpass-the-Hash: RC4 Kerberos tickets from ".src_ip
| table _time, src_ip, TargetUserName, unique_services, count, alert

Golden/Silver Ticket Detection (T1558):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
| where TicketOptions="0x40810000" OR TicketOptions="0x40800000"
| eval ticket_lifetime = TicketExpireTime - TicketIssueTime
| where ticket_lifetime > 36000  --- >10 hours (abnormal)
| stats count by src_ip, TargetUserName, ServiceName, TicketEncryptionType, TicketOptions
| eval alert = "Possible Golden/Silver Ticket: Abnormal ticket properties"

Step 2: Detect Remote Service Exploitation (T1021)

PsExec Detection (T1021.002):

--- Via Sysmon process creation
index=sysmon EventCode=1
(Image="*\\psexec.exe" OR Image="*\\psexesvc.exe"
 OR OriginalFileName="psexec.c" OR OriginalFileName="psexesvc.exe"
 OR ParentImage="*\\psexesvc.exe")
| table _time, Computer, User, ParentImage, Image, CommandLine, Hashes

--- Via named pipe creation (Sysmon EventCode 17)
index=sysmon EventCode=17
PipeName IN ("\\PSEXESVC*", "\\RemCom*", "\\csexec*")
| table _time, Computer, User, Image, PipeName

--- Via Windows service creation (EventCode 7045)
index=wineventlog sourcetype="WinEventLog:System" EventCode=7045
ServiceName="PSEXESVC" OR ServiceFileName="*PSEXESVC*"
| table _time, Computer, ServiceName, ServiceFileName, AccountName

WMI Remote Execution (T1047):

index=sysmon EventCode=1
(Image="*\\wmic.exe" AND CommandLine="*/node:*")
OR (ParentImage="*\\WmiPrvSE.exe" AND Image IN ("*\\cmd.exe", "*\\powershell.exe"))
| eval execution_type = case(
    match(Image, "wmic"), "WMI Command Line",
    match(ParentImage, "WmiPrvSE"), "WMI Provider Host (remote execution)"
  )
| table _time, Computer, User, execution_type, ParentImage, Image, CommandLine

WinRM/PowerShell Remoting (T1021.006):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
Logon_Type=3 AuthenticationPackageName="Kerberos"
| where ProcessName="*\\wsmprovhost.exe" OR ProcessName="*\\powershell.exe"
| stats count, dc(ComputerName) AS unique_targets by src_ip, TargetUserName
| where unique_targets > 2
| eval alert = "PowerShell Remoting to ".unique_targets." hosts from ".src_ip

--- Sysmon variant
index=sysmon EventCode=1
ParentImage="*\\wsmprovhost.exe"
Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\csc.exe")
| table _time, Computer, User, Image, CommandLine

RDP Lateral Movement (T1021.001):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| stats count, dc(ComputerName) AS rdp_targets, values(ComputerName) AS destinations,
        earliest(_time) AS first_rdp, latest(_time) AS last_rdp
  by src_ip, TargetUserName
| where rdp_targets > 2
| eval duration_hours = round((last_rdp - first_rdp) / 3600, 1)
| eval alert = TargetUserName." RDP'd to ".rdp_targets." hosts in ".duration_hours." hours"
| sort - rdp_targets

Step 3: Detect SMB-Based Lateral Movement

Anomalous SMB Traffic Patterns:

index=firewall OR index=zeek sourcetype IN ("pan:traffic", "bro:conn:json")
dest_port=445 action=allowed
| where src_ip!=dest_ip
| stats count AS smb_sessions, dc(dest_ip) AS unique_targets,
        sum(bytes_out) AS total_bytes
  by src_ip
| where unique_targets > 10
| eval alert = case(
    unique_targets > 50, "CRITICAL: Mass SMB enumeration from ".src_ip,
    unique_targets > 20, "HIGH: Significant SMB lateral movement",
    unique_targets > 10, "MEDIUM: Elevated SMB connections"
  )
| sort - unique_targets

Admin Share Access (C$, ADMIN$):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=5140
ShareName IN ("\\\\*\\C$", "\\\\*\\ADMIN$", "\\\\*\\IPC$")
| where SubjectUserName!="SYSTEM" AND SubjectUserName!="$"
| stats count, dc(ComputerName) AS unique_hosts by SubjectUserName, ShareName, src_ip
| where unique_hosts > 3
| eval alert = "Admin share access to ".unique_hosts." hosts by ".SubjectUserName
| sort - unique_hosts

Step 4: Build Lateral Movement Graph

Visualize the attack path:

--- Build source->destination graph for authentication events
index=wineventlog EventCode=4624 Logon_Type IN (3, 10)
earliest=-24h
| stats count AS connections, latest(_time) AS last_connection
  by src_ip, ComputerName, TargetUserName, Logon_Type
| eval edge = src_ip." -> ".ComputerName." (User: ".TargetUserName.", Type: ".Logon_Type.")"
| sort - connections
| table edge, connections, last_connection

--- Network flow correlation
index=netflow earliest=-24h
dest_port IN (445, 135, 3389, 5985, 5986)
| stats sum(bytes) AS total_bytes, count AS flow_count,
        dc(dest_ip) AS targets by src_ip, dest_port
| where targets > 5
| eval service = case(
    dest_port=445, "SMB",
    dest_port=135, "RPC/WMI",
    dest_port=3389, "RDP",
    dest_port IN (5985, 5986), "WinRM"
  )
| sort - targets
| table src_ip, service, targets, flow_count, total_bytes

Step 5: Detect DCOM and Scheduled Task-Based Movement

DCOM Lateral Execution (T1021.003):

index=sysmon EventCode=1
ParentImage IN ("*\\mmc.exe", "*\\excel.exe", "*\\outlook.exe")
Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\mshta.exe")
| where ParentCommandLine="*-Embedding*"
| eval alert = "DCOM-based lateral movement: ".ParentImage." spawned ".Image
| table _time, Computer, User, ParentImage, Image, CommandLine, alert

Remote Scheduled Task Creation (T1053.005):

index=wineventlog EventCode=4698
| where SubjectUserName!="SYSTEM"
| eval task_xml = TaskContent
| search task_xml="*http*" OR task_xml="*powershell*" OR task_xml="*cmd*" OR task_xml="*\\Temp\\*"
| table _time, Computer, SubjectUserName, TaskName, task_xml

Step 6: Correlate Movement with Kill Chain Phases

Build end-to-end attack chain detection:

--- Detect complete lateral movement sequence
index=wineventlog OR index=sysmon
(EventCode=4625 OR EventCode=4624 OR EventCode=1 OR EventCode=4698 OR EventCode=5140)
| eval phase = case(
    EventCode=4625, "1-Recon/BruteForce",
    EventCode=4624 AND Logon_Type=3, "2-Lateral Movement",
    EventCode=5140 AND match(ShareName, "C\$|ADMIN\$"), "3-Admin Share Access",
    EventCode=1 AND match(ParentImage, "psexesvc|WmiPrvSE|wsmprovhost"), "4-Remote Execution",
    EventCode=4698, "5-Persistence (Scheduled Task)",
    1=1, "other"
  )
| where phase!="other"
| stats count by phase, src_ip, ComputerName, TargetUserName
| sort phase, _time
| table phase, src_ip, ComputerName, TargetUserName, count

Key Concepts

TermDefinition
Lateral MovementPost-compromise technique where attackers pivot between systems to reach targets
Pass-the-HashUsing stolen NTLM hash for authentication without knowing the plaintext password
Pass-the-TicketUsing stolen Kerberos TGT/TGS tickets for authentication across the domain
PsExecSysinternals tool (and attack technique) for remote process execution via SMB and named pipes
WMI ExecutionUsing Windows Management Instrumentation for remote command execution via DCOM or WinRM
Admin ShareDefault Windows administrative shares (C$, ADMIN$, IPC$) used for remote system management

Tools & Systems

  • Splunk Enterprise Security: SIEM platform for correlating Windows events, Sysmon, and network flows
  • Microsoft Defender for Identity: Cloud service detecting lateral movement via domain controller monitoring
  • BloodHound: Active Directory attack path analysis tool for identifying lateral movement opportunities
  • CrowdStrike Falcon: EDR platform with lateral movement detection and automated containment
  • Zeek (Bro): Network monitor generating connection logs for SMB, RDP, and WinRM traffic analysis

Common Scenarios

  • PsExec Spread: Attacker uses PsExec to execute malware across 20 workstations — detect via service creation events
  • RDP Pivoting: Compromised VPN account used to RDP through multiple internal hosts — detect via Logon_Type 10 chains
  • WMI Recon and Execution: Attacker uses WMI for discovery then execution — detect via WmiPrvSE child processes
  • Pass-the-Hash Campaign: Stolen local admin hash used across subnet — detect via NTLM Logon_Type 3 to multiple hosts
  • Scheduled Task Persistence: Remote scheduled task created on domain controller — detect via EventCode 4698 from non-admin source

Output Format

LATERAL MOVEMENT DETECTION REPORT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Period:       2024-03-15 14:00 to 18:00 UTC
Source:       192.168.1.105 (WORKSTATION-042)

Movement Path:
  14:23  192.168.1.105 → 10.0.5.20  (DC-PRIMARY) — PtH via NTLM Type 3
  14:25  10.0.5.20 → 10.0.5.21     (DC-BACKUP)  — Kerberos ticket reuse
  14:28  10.0.5.20 → 10.0.10.15    (FILESERVER-01) — PsExec service creation
  14:32  10.0.10.15 → 10.0.10.20   (DB-PRIMARY) — WMI remote execution
  14:35  10.0.10.20 → 10.0.10.25   (DB-BACKUP)  — SMB admin share access

Techniques Detected:
  T1550.002 — Pass-the-Hash (NTLM authentication to DC)
  T1021.002 — PsExec (remote service installation)
  T1047     — WMI Execution (WmiPrvSE child process)
  T1021.002 — SMB Admin Share (C$ access on DB-BACKUP)

Affected Systems: 5 hosts across 2 network segments
User Account:     admin_compromised (Domain Admin)
Containment:      All 5 hosts isolated at 14:45 UTC