Analyze AD Traffic with the Lateral Movement Analyzer Tool (Beta)

Tools

Description

The Lateral Movement Analyzer tool (beta) enables security teams to hunt for active lateral movement in their environments. The tool analyzes AD traffic offline and provides actionable output on the accounts suspected to have been compromised and the machines these accounts have accessed. Routine use of this tool can significantly assist in detecting lateral movement in its earliest stages and taking the actions required to remove malicious entities from the environment.

Details

The tool includes two modules: Collector, which gathers authentication logs from the environment, and Analyzer, which analyzes these logs to detect authentication anomalies associated with lateral movement patterns.

Collector

The Event Log Collector module gathers authentication logs in the following manner:

  • NTLM authentications: scanning Domain Controllers for Windows event 8004.
  • Kerberos authentication: scanning client machines for Windows event 4648.

Requirements:

  • Domain admin privileges.
  • LDAP/S and RPC access to the DC and client.
  • Windows machine with Python 3.8 or above.

Output: CSV file with the following fields: source host, destination, username, auth type, SPN and timestamps in the format %Y/%M/%D %H:%M

Analyzer

The Analyzer operates on the data the Collector provides, searching for lateral movement patterns based on the following methods:

  • Lateral Movement Analyzer (LATMA) algorithm: enhancement of the Hopper algorithm to detect anomalous user authentications.
  • Lateral movement IoCs: with the anomalous authentications LATMA provides, the analyzer searches for authentication sequences and patterns that indicate an active lateral movement is taking place.

Requirements:

  • The analyzer can be executed from both Windows and Linux machines.

Output:

  • Text file containing a list of compromised user accounts and machines, and line by line description of the suspected attack.
  • GIF file with full visualization of the suspected attack flow.

The beta version is available for download below.