What is the Lateral Movement Ruleset and what is included?
The ruleset currently includes nearly 500 Suricata detection signatures highlighting SMB/DCERPC-related network activities.
The ruleset provides another abstract hunting layer on top of the detected SMB/DCERPC events. A few examples of the detections include:
- Remote creation of a net share
- Remote creation of scheduled tasks
- Remote creation of a service
- Remote installation of a printer driver
- DC enumeration
The ruleset is focused on highlighting and detecting Red Team or APT lateral movement in Windows SMB/DCERPC network environments.
Detection of remote configuration changes is possible due to Suricata’s recent SMB and DCERPC logging improvements, which allow for easier alerting and provide more flexible detection. Remote configuration changes are not common in organizations, and some of these operations are used more often by attackers than by regular administrators.
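As an added illustration of the "hunting layer on top of the detected SMB/DCERPC events" idea (this is example code written for this page, not part of the ruleset or of Suricata), the script below reads Suricata EVE JSON lines, remembers which MS-RPC interface each flow bound, and flags requests whose (interface UUID, opnum) pair corresponds to remote service, scheduled task or share creation. The EVE field layout (`dcerpc` as its own event for RPC over TCP, nested under `smb` for RPC over a named pipe, `interfaces[].ack_result` on binds, `opnum` on requests), the interface UUIDs and the opnum values are taken from Suricata's output and the Microsoft open specifications as I know them and should be treated as assumptions to verify; the sample records are constructed, not real captures.

```python
"""Hunting layer over Suricata EVE SMB/DCERPC events (added example, not ruleset code)."""
import json
from collections import defaultdict

# Interface UUIDs from the Microsoft open specifications (MS-SCMR, MS-TSCH, MS-SRVS).
SVCCTL_UUID = "367abb81-9844-35f1-ad32-98f038001003"
ATSVC_UUID = "1ff70682-0a51-30e8-076d-740be8cee98b"
SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"

# (interface UUID, opnum) -> what the call does. Opnums as read from those specs
# (assumption: verify against the spec tables before relying on them).
WATCHED_CALLS = {
    (SVCCTL_UUID, 12): "remote service creation (svcctl RCreateServiceW)",
    (SVCCTL_UUID, 24): "remote service creation (svcctl RCreateServiceA)",
    (ATSVC_UUID, 0): "remote scheduled task creation (atsvc NetrJobAdd)",
    (SRVSVC_UUID, 14): "remote share creation (srvsvc NetrShareAdd)",
}


def dcerpc_part(event):
    """Return the DCERPC sub-record, whether Suricata logged a bare 'dcerpc' event
    (RPC over TCP) or nested it inside an 'smb' event (RPC over a named pipe).
    Field layout assumed from EVE output."""
    if event.get("event_type") == "dcerpc":
        return event.get("dcerpc")
    if event.get("event_type") == "smb":
        return event.get("smb", {}).get("dcerpc")
    return None


def hunt(eve_lines):
    """Correlate binds and requests per flow_id; return a list of findings."""
    bound = defaultdict(set)  # flow_id -> set of accepted interface UUIDs
    findings = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        rpc = dcerpc_part(event)
        if not rpc:
            continue
        flow = event.get("flow_id")
        if rpc.get("request") == "BIND":
            # Remember only interfaces the server accepted (ack_result 0).
            for iface in rpc.get("interfaces", []):
                if iface.get("ack_result", 0) == 0 and "uuid" in iface:
                    bound[flow].add(iface["uuid"].lower())
        elif rpc.get("request") == "REQUEST" and "opnum" in rpc:
            # Caveat: a pipe may carry several bound interfaces and EVE does not give
            # us the presentation context id, so the opnum is checked against every
            # accepted interface on the flow; this can over-report.
            for uuid in bound.get(flow, ()):
                desc = WATCHED_CALLS.get((uuid, rpc["opnum"]))
                if desc:
                    findings.append({
                        "timestamp": event.get("timestamp"),
                        "src_ip": event.get("src_ip"),
                        "dest_ip": event.get("dest_ip"),
                        "flow_id": flow,
                        "interface": uuid,
                        "opnum": rpc["opnum"],
                        "description": desc,
                    })
    return findings


def sample_eve_lines():
    """Constructed EVE records (not real captures) exercising the correlator."""
    def rec(flow, event_type, rpc, ts):
        body = {"timestamp": ts, "flow_id": flow, "event_type": event_type,
                "src_ip": "10.0.0.5", "dest_ip": "10.0.0.20"}
        if event_type == "smb":
            body["smb"] = {"command": "SMB2_COMMAND_IOCTL", "dcerpc": rpc}
        else:
            body["dcerpc"] = rpc
        return json.dumps(body)
    bind = lambda uuid: {"request": "BIND", "response": "BINDACK",
                         "interfaces": [{"uuid": uuid, "version": "2.0", "ack_result": 0}]}
    req = lambda opnum: {"request": "REQUEST", "response": "RESPONSE", "opnum": opnum}
    return [
        # flow 1: svcctl over a named pipe; ROpenSCManagerW (15) is benign,
        # RCreateServiceW (12) is flagged.
        rec(1, "smb", bind(SVCCTL_UUID), "2024-01-01T10:00:00.000000+0000"),
        rec(1, "smb", req(15), "2024-01-01T10:00:00.100000+0000"),
        rec(1, "smb", req(12), "2024-01-01T10:00:00.200000+0000"),
        # flow 2: opnum 12 with no recorded bind; interface unknown, so ignored.
        rec(2, "dcerpc", req(12), "2024-01-01T10:00:01.000000+0000"),
        # flow 3: srvsvc over TCP, then NetrShareAdd (14) is flagged.
        rec(3, "dcerpc", bind(SRVSVC_UUID), "2024-01-01T10:00:02.000000+0000"),
        rec(3, "dcerpc", req(14), "2024-01-01T10:00:02.100000+0000"),
    ]


if __name__ == "__main__":
    for finding in hunt(sample_eve_lines()):
        print(f"{finding['timestamp']} {finding['src_ip']} -> {finding['dest_ip']}: "
              f"{finding['description']}")
```

Running it on the constructed sample reports two findings (the service creation on flow 1 and the share creation on flow 3) and stays silent on the benign SCM open and on the request whose interface was never seen. The same (interface, opnum) matching is what Suricata signatures express inline with the `dcerpc.iface` and `dcerpc.opnum` keywords; the post-processing form shown here is useful for retro-hunting over archived EVE logs.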