NEW! Open Ruleset for Detecting Lateral Movement with Suricata

Today, we’re announcing a new open-source contribution from Stamus Networks - a Suricata ruleset specifically focused on detecting lateral movement in Microsoft Windows environments. Lateral movement is a technique that cyber attackers use to expand their network presence in search of sensitive data and high-value assets.

During the course of the year, the Stamus Networks team participates in a number of trainings, workshops, and some of the biggest NATO live-fire cyber exercises. And of course, we regularly work with our customers to identify threats, compromises and unauthorized activity on their networks.

We incorporate a lot of knowledge from the field directly into our products.

We want to share this knowledge with blue teams around the globe to help out in any way we can. As such, we contribute many useful open-source tools, analytics dashboards and visualizations on our GitHub repository at https://github.com/StamusNetworks.

We are proud to now offer an open and free lateral movement detection ruleset for the Suricata community (specifically, those using version 6.0.6 and later).


What is the Ruleset and What’s In it?

The ruleset currently includes nearly 500 Suricata detection signatures highlighting SMB/DCERPC-related network activities.

The ruleset provides another abstract hunting layer on top of the detected SMB/DCERPC events. A few examples of the detections include: 

  • Remote creation of a net share 
  • Remote creation of scheduled tasks
  • Remote creation of a service
  • Remote installation of a printer driver
  • DC enumeration


The ruleset is focused on highlighting and detecting Red Team or APT movements in Windows SMB/DCERPC network environments.

Detection of remote configuration changes is possible thanks to Suricata’s recent SMB and DCERPC logging improvements, which allow for easier alerting and provide more flexible detection. Remote configuration is not common in organizations, and some of these operations are used more often by attackers than by regular administrators.

In the SMB event below, produced by Suricata (event_type:smb), we can see an example of a successful printer driver installation.

Since this is an SMB protocol log, we can also write a rule that will alert on any such occurrence. 

Reference: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515 

From this reference, we can construct the following signature which is designed to detect the installation of a printer driver:


alert smb any any -> $HOME_NET any ( msg: "SN MS-RPRN service - RpcAddPrinterDriverEx"; flow: to_server, established; dcerpc.iface:12345678-1234-ABCD-EF00-0123456789AB; dcerpc.opnum:89; flowbits:set,stamus.rprn.service.RpcAddPrinterDriverEx; reference:url,https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/848b8334-134a-4d02-aea4-03b673d6c515; metadata:lateral_key dcerpc.iface, lateral_function RpcAddPrinterDriverEx, lateral_asset src_ip, stamus_classification stamus_critical_lateral, provider Stamus, created_at 2022_04_03, updated_at 2022_04_03; target:dest_ip; sid:3115579; rev:1;)

The example signature below will trigger on a remote “OpenClassesRoot” call, which opens the HKEY_CLASSES_ROOT key of the registry (https://learn.microsoft.com/en-us/windows/win32/sysinfo/hkey-classes-root-key).

The operation is the remote opening of a section of the Windows registry that holds default configuration settings applying to all users, or to the interactive user, on the local machine. On its own this can indicate lateral movement if, for example, it comes from an unexpected location on the network.

alert smb any any -> $HOME_NET any ( msg: "SN MS-RRP service - OpenClassesRoot"; flow: to_server, established; dcerpc.iface:338CD001-2244-31F1-AAAA-900038001003; dcerpc.opnum:0; flowbits:set,stamus.rrp.service.OpenClassesRoot; reference:url,https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/053e8515-dbae-47ea-a7c6-6dc054e3a48f; metadata:lateral_key dcerpc.iface, lateral_function OpenClassesRoot, lateral_asset src_ip, stamus_classification stamus_lateral, provider Stamus, created_at 2022_03_23, updated_at 2022_03_27; target:dest_ip; sid:3115137; rev:1;)


The example signature below will trigger on a remote “NetrJobAdd” call (which adds a single AT task to the server's task store).

In other words, we can highlight the remote addition of a scheduled task to a Windows machine. It is especially interesting if done from an unexpected location or user account. This technique is also often used by malware actors for persistence.

alert smb any any -> $HOME_NET any ( msg: "SN MS-TSCH service - ATSvc NetrJobAdd"; flow: to_server, established; dcerpc.iface:1FF70682-0A51-30E8-076D-740BE8CEE98B; dcerpc.opnum:0; flowbits:set,stamus.tsch.service.ATSvcNetrJobAdd; reference:url,https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/4d44c426-fad2-4cc7-9677-bfcd235dca33; metadata:lateral_key dcerpc.iface, lateral_function NetrJobAdd, lateral_asset src_ip, stamus_classification stamus_critical_lateral, provider Stamus, created_at 2022_03_23, updated_at 2022_03_27; target:dest_ip; sid:3115113; rev:1;)
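As an added example (my code, not part of the Stamus ruleset or this post), a small Python linter that parses signatures written in the layout shown above and checks the fields these detections rely on: the smb protocol, a well-formed dcerpc.iface UUID, a numeric dcerpc.opnum and sid, and non-empty lateral_key, lateral_function, lateral_asset and stamus_classification metadata. RULE_OK is the OpenClassesRoot signature quoted above; RULE_BAD is a constructed broken variant, not a rule from the ruleset.

```python
import re

# Layout shared by the MS-RPRN / MS-RRP / MS-TSCH signatures quoted above, as checks.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
REQUIRED_META = ("lateral_key", "lateral_function", "lateral_asset", "stamus_classification")

def parse_rule(rule):
    """Split a one-line Suricata rule into header fields and an option dict.
    Options end at ';' (an escaped '\\;' inside msg does not); repeatable
    keywords such as flowbits and reference are collected as lists."""
    header, _, body = rule.strip().partition("(")
    action, proto, src, _sport, _arrow, dst, _dport = header.split()
    opts = {}
    for opt in re.split(r"(?<!\\);", body.rstrip().rstrip(")")):
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            opts.setdefault(key.strip(), []).append(val.strip())
    return {"action": action, "proto": proto, "src": src, "dst": dst, "options": opts}

def parse_metadata(opts):
    """metadata is 'key value, key value, ...'; an entry with no value maps to ''."""
    pairs = {}
    for entry in opts.get("metadata", []):
        for item in entry.split(","):
            key, _, val = item.strip().partition(" ")
            pairs[key] = val.strip()
    return pairs

def lint_lateral_rule(rule):
    """Return the problems found in one rule; an empty list means it passes."""
    parsed = parse_rule(rule)
    def first(key):
        return parsed["options"].get(key, [""])[0]
    problems = [] if parsed["proto"] == "smb" else ["protocol is not smb"]
    if not UUID_RE.match(first("dcerpc.iface")):
        problems.append("dcerpc.iface missing or not a UUID")
    if not first("dcerpc.opnum").isdigit():
        problems.append("dcerpc.opnum missing or not numeric")
    if not first("sid").isdigit():
        problems.append("sid missing or not numeric")
    meta = parse_metadata(parsed["options"])
    problems += [f"metadata {k} missing or empty" for k in REQUIRED_META if not meta.get(k)]
    return problems

# OpenClassesRoot signature as quoted in the post.
RULE_OK = r'alert smb any any -> $HOME_NET any ( msg: "SN MS-RRP service - OpenClassesRoot"; flow: to_server, established; dcerpc.iface:338CD001-2244-31F1-AAAA-900038001003; dcerpc.opnum:0; flowbits:set,stamus.rrp.service.OpenClassesRoot; reference:url,https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/053e8515-dbae-47ea-a7c6-6dc054e3a48f; metadata:lateral_key dcerpc.iface, lateral_function OpenClassesRoot, lateral_asset src_ip, stamus_classification stamus_lateral, provider Stamus, created_at 2022_03_23, updated_at 2022_03_27; target:dest_ip; sid:3115137; rev:1;)'
# Constructed broken variant: dcerpc.iface dropped and lateral_function left empty.
RULE_BAD = r'alert smb any any -> $HOME_NET any ( msg: "SN constructed test\; escaped semicolon"; flow: to_server, established; dcerpc.opnum:0; metadata:lateral_key dcerpc.iface, lateral_function , lateral_asset src_ip, stamus_classification stamus_lateral; sid:9000001; rev:1;)'
```

Running lint_lateral_rule over every line of a rules file gives a quick pre-deployment check that each signature carries the iface/opnum pair and the metadata the hunting dashboards key on.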

Where to get the Ruleset

You may access the ruleset on the Stamus Labs threat intelligence server here:

https://ti.stamus-networks.io/open/stamus-lateral-rules.tar.gz 

https://ti.stamus-networks.io/open/stamus-lateral-rules-checksum.txt 

LICENSE: 

The "Lateral Movement Detection Ruleset for Suricata" from Stamus Labs is free threat intelligence: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, version 3.0-or-later of the License.

sha256: 02117e28def7125933848107499b14f672023d18513de4b21ad5422c6815f98a

Feedback is welcome in our public and free discord channel:

https://discord.com/channels/911231224448712714/911238451842666546

Happy hunting and make ’em sweat!
