Discover and read the best of Twitter Threads about #lateralmovement

Most recents (1)

Here is how to hunt/detect 60% (possibly more than 60%) of lateral movement attacks:
On ALL endpoints, look for EID 4624 with LogonType 9 (NewCredentials), and check TargetOutboundUserName field. 1/4
#threathunting #dfir #lateralmovement
Then, check if the TargetOutboundUserName is supposed to be seen on the endpoint. Here is why:
Attackers most likely spawn a new process on the compromised machine with the credentials/tokens they steal. This is done by using "/NETONLY" flag. 2/4
"/NETONLY" flag generates a new logon on the endpoint with the EID 4624 LogonType 9.
LogonType 9 is quite rare in an environment, usually <1% of all logon events. Therefore, it is quite easy to hunt for this event. 3/4
Read 4 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!