Tweet

Mehmet Ergene

13 Jun, 4 tweets, 2 min read

Here is how to hunt/detect 60% (possibly more than 60%) of lateral movement attacks:
On ALL endpoints, look for EID 4624 with LogonType 9 (NewCredentials), and check TargetOutboundUserName field. 1/4
#threathunting #dfir #lateralmovement

Then, check if the TargetOutboundUserName is supposed to be seen on the endpoint. Here is why:
Attackers most likely spawn a new process on the compromised machine with the credentials/tokens they steal. This is done by using "/NETONLY" flag. 2/4

"/NETONLY" flag generates a new logon on the endpoint with the EID 4624 LogonType 9.
LogonType 9 is quite rare in an environment, usually <1% of all logon events. Therefore, it is quite easy to hunt for this event. 3/4

I'll write a separate blog from a hunting perspective, but you can read a more detailed and awesome post here 👇
elastic.co/blog/how-attac…

• • •

Missing some Tweet in this thread? You can try to force a refresh

This Thread may be Removed Anytime!

Twitter may remove this content at anytime! Save it as PDF for later use!

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Share this page!

Mehmet Ergene

Try unrolling a thread yourself!

Did Thread Reader help you today?

Like this author's thread?