
NEW! Open Ruleset for Detecting Lateral Movement in Windows Environments with Suricata

Today, we’re announcing a new open-source contribution from Stamus Networks - a Suricata ruleset specifically focused on detecting lateral movement in Microsoft Windows environments. Lateral movement is a technique that cyber attackers use to expand their network presence in search of sensitive data and high-value assets.

During the course of the year, the Stamus Networks team participates in a number of trainings, workshops, and some of the biggest NATO live-fire cyber exercises. And of course, we regularly work with our customers to identify threats, compromises and unauthorized activity on their networks.

We incorporate a lot of knowledge from the field directly into our products.

We want to share this knowledge with blue teams around the globe to help out in any way we can. As such, we contribute many useful open-source tools, analytics dashboards and visualizations on our GitHub repository: https://github.com/StamusNetworks

We are proud to now offer an open and free lateral movement detection ruleset for the Suricata community (specifically, those using version 6.0.6 and later).


What is the Ruleset and What’s In it?

The ruleset currently includes nearly 500 Suricata detection signatures highlighting SMB/DCERPC-related network activities.

The ruleset provides another abstract hunting layer on top of the detected SMB/DCERPC events. A few examples of the detections include: 

  • Remote creation of a net share 
  • Remote creation of scheduled tasks
  • Remote creation of a service
  • Remote installation of a printer driver
  • DC enumeration


The ruleset is focused on highlighting and detecting Red Team or APT movements in Windows SMB/DCERPC network environments.

Detection of remote configuration changes is possible thanks to Suricata’s recent SMB and DCERPC logging improvements, which allow for easier alerting and provide more flexible detection. Remote configuration is not common in organizations, and some of the operations are more often used by attackers than by regular administrators.

In the SMB event below produced by Suricata (event_type:smb) we can see an example of a successful printer driver installation. 

Since this is an SMB protocol log, we can also write a rule that will alert on any such occurrence. 

Reference: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515 

From this reference, we can construct the following signature which is designed to detect the installation of a printer driver:


alert smb any any -> $HOME_NET any ( msg: "SN MS-RPRN service - RpcAddPrinterDriverEx"; flow: to_server, established; dcerpc.iface:12345678-1234-ABCD-EF00-0123456789AB; dcerpc.opnum:89; flowbits:set,stamus.rprn.service.RpcAddPrinterDriverEx; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515; metadata:lateral_key dcerpc.iface, lateral_function , lateral_asset src_ip, stamus_classification stamus_critical_lateral, provider Stamus, created_at 2022_04_03, updated_at 2022_04_03; target:dest_ip; sid:3115579; rev:1;)

 

The example signature below will trigger on the remote opening of “OpenClassesRoot” (HKEY_CLASSES_ROOT, see https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key) in the registry.

The operation highlights the remote opening of the part of a Windows machine's registry that contains default configuration settings that apply to all users or the interactive user on the local machine. That by itself can highlight lateral movement if, for example, it comes from an unexpected location on the network.

alert smb any any -> $HOME_NET any ( msg: "SN MS-RRP service - OpenClassesRoot"; flow: to_server, established; dcerpc.iface:338CD001-2244-31F1-AAAA-900038001003; dcerpc.opnum:0; flowbits:set,stamus.rrp.service.OpenClassesRoot; reference:url,https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/053e8515-dbae-47ea-a7c6-6dc054e3a48f; metadata:lateral_key dcerpc.iface, lateral_function OpenClassesRoot, lateral_asset src_ip, stamus_classification stamus_lateral, provider Stamus, created_at 2022_03_23, updated_at 2022_03_27; target:dest_ip; sid: 3115137; rev:1;)


The example signature below will trigger on the remote use of “NetrJobAdd”, which adds a single AT task to the server's task store.

In other words, we can highlight the remote addition of a scheduled task to a Windows machine. It can be especially interesting if done from an unexpected location or user account. Malware actors also often use this for persistence.

alert smb any any -> $HOME_NET any ( msg: "SN MS-TSCH service - ATSvc NetrJobAdd"; flow: to_server, established; dcerpc.iface:1FF70682-0A51-30E8-076D-740BE8CEE98B; dcerpc.opnum:0; flowbits:set,stamus.tsch.service.ATSvcNetrJobAdd; reference:url,https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/4d44c426-fad2-4cc7-9677-bfcd235dca33; metadata:lateral_key dcerpc.iface, lateral_function NetrJobAdd, lateral_asset src_ip, stamus_classification stamus_critical_lateral, provider Stamus, created_at 2022_03_23, updated_at 2022_03_27; target:dest_ip; sid:3115113; rev:1;)
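
One way to act on the "unexpected location" point using the metadata keys these signatures carry (an added example, not code from Stamus Networks). It assumes alert metadata is written to eve.json, where each key maps to a list of values; the admin network, the addresses and the sample records are constructed for illustration.

```python
import ipaddress
import json

# Assumption for this example: only hosts in these networks are expected to
# administer Windows machines remotely (hypothetical value).
ADMIN_NETS = [ipaddress.ip_network("10.0.9.0/28")]

# Constructed eve.json alert records (not real traffic). Metadata keys follow
# the signatures above; the last record is an alert from outside the ruleset.
SAMPLE_ALERTS = """
{"event_type":"alert","src_ip":"10.0.9.4","dest_ip":"10.0.1.10","alert":{"signature_id":3115113,"metadata":{"lateral_function":["NetrJobAdd"],"stamus_classification":["stamus_critical_lateral"]}}}
{"event_type":"alert","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","alert":{"signature_id":3115137,"metadata":{"lateral_function":["OpenClassesRoot"],"stamus_classification":["stamus_lateral"]}}}
{"event_type":"alert","src_ip":"10.0.5.23","dest_ip":"10.0.1.11","alert":{"signature_id":3115113,"metadata":{"lateral_function":["NetrJobAdd"],"stamus_classification":["stamus_critical_lateral"]}}}
{"event_type":"alert","src_ip":"10.0.7.50","dest_ip":"10.0.1.10","alert":{"signature_id":3115137,"metadata":{"lateral_function":["OpenClassesRoot"],"stamus_classification":["stamus_lateral"]}}}
{"event_type":"alert","src_ip":"10.0.7.50","dest_ip":"10.0.1.10","alert":{"signature_id":2000001,"signature":"constructed non-ruleset alert"}}
"""

def triage(text, admin_nets=ADMIN_NETS):
    """Summarise ruleset alerts per source host outside the admin networks."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        meta = ev.get("alert", {}).get("metadata", {})
        classes = meta.get("stamus_classification", [])
        if ev.get("event_type") != "alert" or not classes:
            continue  # not an alert from this ruleset
        src = ipaddress.ip_address(ev["src_ip"])
        if any(src in net for net in admin_nets):
            continue  # expected administration source
        host = hosts.setdefault(ev["src_ip"], {"functions": set(), "critical": False})
        host["functions"].update(meta.get("lateral_function", []))
        host["critical"] |= "stamus_critical_lateral" in classes
    # Critical hosts first, then those calling the most distinct functions.
    ranked = sorted(hosts.items(),
                    key=lambda kv: (not kv[1]["critical"], -len(kv[1]["functions"]), kv[0]))
    return [(ip, sorted(h["functions"]), h["critical"]) for ip, h in ranked]

if __name__ == "__main__":
    for ip, functions, critical in triage(SAMPLE_ALERTS):
        print(ip, functions, "critical" if critical else "lateral")
```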

Where to get the Ruleset

You may access the ruleset on the Stamus Labs threat intelligence server here:

https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz 

https://ti.stamus-networks.io/open/stamus-lateral-rules-checksum.txt 

LICENSE: 

The "Lateral Movement Detection Ruleset for Suricata" from Stamus Labs is free threat intelligence: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3.0-or-later of the License.

sha256: 02117e28def7125933848107499b14f672023d18513de4b21ad5422c6815f98a

Feedback is welcome in our public and free discord channel:

https://discord.com/channels/911231224448712714/911238451842666546

Suricata provides other related logs
 

When a signature from this lateral movement ruleset triggers an alert, it can be useful to review all the SMB and/or respective DCERPC logs, as well as the flow logs. As we have written in many articles on this blog, Suricata produces not only IDS alerts but also protocol transaction logs, flow records, full packet capture and extracted files.

Suricata produces all relevant network security monitoring logs: protocol, flow, file transaction, and anomaly logs. It produces them for the traffic related to an alert, but also independently of alerts. In the regular JSON logs that Suricata generates (eve.json), you will find a field called “flow_id” that correlates the network protocol data and evidence Suricata has logged with an alert event and that alert’s metadata.

To read more about this, check out the related article, "Suricata Myth Busting: Alerts and NSM" here: https://www.stamus-networks.com/blog/suricata-myths-alerts-and-nsm
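
The flow_id correlation described above, as an added example that is not part of the original post: for each alert from this ruleset it collects the other eve.json records that share the alert's flow_id. The records are constructed and trimmed, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed, trimmed eve.json records (not real traffic). Flow 1111 carries an
# alert from the ruleset plus its SMB and flow records; flow 2222 has no alert.
SAMPLE_EVE = """
{"timestamp":"2022-04-03T10:00:01.000000+0000","flow_id":1111,"event_type":"smb","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","smb":{"command":"SMB2_COMMAND_CREATE","filename":"atsvc"}}
{"timestamp":"2022-04-03T10:00:02.000000+0000","flow_id":1111,"event_type":"alert","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","alert":{"signature_id":3115113,"signature":"SN MS-TSCH service - ATSvc NetrJobAdd"}}
{"timestamp":"2022-04-03T10:00:02.500000+0000","flow_id":2222,"event_type":"smb","src_ip":"10.0.1.7","dest_ip":"10.0.1.10","smb":{"command":"SMB2_COMMAND_READ"}}
{"timestamp":"2022-04-03T10:00:03.000000+0000","flow_id":1111,"event_type":"smb","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","smb":{"command":"SMB2_COMMAND_IOCTL","dcerpc":{"opnum":0}}}
{"timestamp":"2022-04-03T10:00:09.000000+0000","flow_id":1111,"event_type":"flow","src_ip":"10.0.5.23","dest_ip":"10.0.1.10","flow":{"bytes_toserver":4096,"bytes_toclient":2048}}
"""

PAGE_SIDS = {3115579, 3115137, 3115113}  # the three sids quoted in this post

def parse_eve(text):
    """Parse newline-delimited eve.json, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # blank line, or a record still being written by the sensor
    return events

def evidence_for_alerts(events, sids=PAGE_SIDS):
    """For each matching alert, list the other records that share its flow_id."""
    by_flow = defaultdict(list)
    for ev in events:
        if "flow_id" in ev:
            by_flow[ev["flow_id"]].append(ev)
    cases = []
    for ev in events:
        alert = ev.get("alert", {})
        if ev.get("event_type") != "alert" or alert.get("signature_id") not in sids:
            continue
        related = sorted((e for e in by_flow.get(ev.get("flow_id"), []) if e is not ev),
                         key=lambda e: e["timestamp"])
        cases.append({
            "signature": alert["signature"],
            "src_ip": ev["src_ip"],
            "flow_id": ev.get("flow_id"),
            "evidence": [(e["timestamp"], e["event_type"]) for e in related],
        })
    return cases

if __name__ == "__main__":
    print(json.dumps(evidence_for_alerts(parse_eve(SAMPLE_EVE)), indent=2))
```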

Happy hunting and make ’em sweat!



Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at Open Network Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.
