
What is the Lateral Movement Ruleset and what is included?

The ruleset currently includes nearly 500 Suricata detection signatures highlighting SMB/DCERPC-related network activity.

The ruleset adds a hunting layer on top of the SMB/DCERPC protocol events Suricata already produces: instead of an analyst reading every request, the signatures name the specific remote operations carried in those events. A few examples of the detections include:

  • Remote creation of a net share
  • Remote creation of scheduled tasks
  • Remote creation of a service
  • Remote installation of a printer driver
  • DC enumeration

The ruleset focuses on highlighting and detecting Red Team or APT movement across Windows SMB/DCERPC network environments.

Detection of remote configuration changes is possible thanks to Suricata's recent SMB and DCERPC logging improvements, which allow for easier alerting and provide more flexible detection. Remote configuration changes of this kind are not common in most organizations, and some of these operations are used more often by attackers than by regular administrators, which keeps the resulting alerts worth an analyst's attention.
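The detections listed above all reduce to the same mechanism: a DCERPC client binds a presentation context to an interface UUID, then sends requests that carry only a context id and an opnum, so the hunting logic has to join the two before it can say "this was a service creation" rather than "this was opnum 12". The Python below is an added example written for this page, not code from the Stamus Labs ruleset or from Suricata; the event dicts are a constructed, deliberately reduced shape (a `flow` key, a `pdu` type, the bind's `contexts`, the request's `context_id` and `opnum`), and the optional `accepted` flag is an assumption standing in for the server's bind-ack result. Map your own EVE smb/dcerpc field names onto that shape before reusing it. The interface UUIDs and opnums are the published values from the MS-SRVS, MS-SCMR, MS-TSCH, MS-RPRN, MS-NRPC and MS-DRSR specifications.

```python
"""Join DCERPC bind and request events into the named remote operations the ruleset hunts for.

Constructed example, not the Stamus Labs ruleset's own code. Event dicts use a reduced
shape: a "bind" or "alter_context" PDU lists the presentation contexts it negotiates,
a "request" PDU carries a context id and an opnum. The "accepted" flag on a context is
an assumption modelling the server's bind-ack result.
"""

# Interface UUIDs (what the client names in the bind) from the MS-RPC specifications.
SRVSVC = "4b324fc8-1670-01d3-1278-5a47bf6ee188"
SVCCTL = "367abb81-9844-35f1-ad32-98f038001003"
ATSVC = "1ff70682-0a51-30e8-076d-740be8cee98b"
SPOOLSS = "12345678-1234-abcd-ef00-0123456789ab"
NETLOGON = "12345678-1234-abcd-ef00-01234567cffb"
DRSUAPI = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"

# (interface, opnum) -> operation, one entry per detection category named on the page.
WATCHLIST = {
    (SRVSVC, 14): "NetrShareAdd: remote creation of a net share",
    (ATSVC, 0): "NetrJobAdd: remote creation of a scheduled task",
    (SVCCTL, 12): "RCreateServiceW: remote creation of a service",
    (SPOOLSS, 89): "RpcAddPrinterDriverEx: remote installation of a printer driver",
    (NETLOGON, 20): "DsrGetDcName: DC enumeration",
    (DRSUAPI, 16): "DRSDomainControllerInfo: DC enumeration",
}


def hunt(events):
    """Return (hits, unresolved).

    hits:       [(flow, operation)] for each request whose (interface, opnum) is watched.
    unresolved: [(flow, context_id, opnum)] for requests on a context never bound in the
                events seen (capture started mid-connection, or the bind was rejected).
                These are reported rather than dropped: an attacker's request looks exactly
                like this when the bind was missed, so silence here is a blind spot.
    """
    contexts = {}  # (flow, context_id) -> interface uuid
    hits, unresolved = [], []
    for ev in events:
        flow = ev["flow"]
        if ev["pdu"] in ("bind", "alter_context"):
            # Only contexts the server accepted can carry requests; a rejected context
            # is skipped so a later opnum cannot be attributed to the wrong interface.
            for ctx in ev["contexts"]:
                if ctx.get("accepted", True):
                    contexts[(flow, ctx["id"])] = ctx["uuid"].lower()
        elif ev["pdu"] == "request":
            iface = contexts.get((flow, ev["context_id"]))
            if iface is None:
                unresolved.append((flow, ev["context_id"], ev["opnum"]))
                continue
            op = WATCHLIST.get((iface, ev["opnum"]))
            if op is not None:
                hits.append((flow, op))
    return hits, unresolved


# Constructed sample: three SMB named-pipe connections from one workstation.
FLOW_A = "10.0.0.5:49712 -> 10.0.0.10:445"
FLOW_B = "10.0.0.5:49713 -> 10.0.0.10:445"
FLOW_C = "10.0.0.5:49714 -> 10.0.0.10:445"
SAMPLE_EVENTS = [
    {"flow": FLOW_A, "pdu": "bind", "contexts": [{"id": 0, "uuid": SVCCTL}]},
    {"flow": FLOW_A, "pdu": "request", "context_id": 0, "opnum": 12},  # RCreateServiceW
    {"flow": FLOW_A, "pdu": "request", "context_id": 0, "opnum": 19},  # RStartServiceW, not watched
    {"flow": FLOW_B, "pdu": "bind", "contexts": [
        {"id": 0, "uuid": SRVSVC}, {"id": 1, "uuid": ATSVC, "accepted": False}]},
    {"flow": FLOW_B, "pdu": "alter_context", "contexts": [{"id": 2, "uuid": ATSVC}]},
    {"flow": FLOW_B, "pdu": "request", "context_id": 2, "opnum": 0},   # NetrJobAdd
    {"flow": FLOW_C, "pdu": "request", "context_id": 0, "opnum": 89},  # bind never seen
]

if __name__ == "__main__":
    found, missing = hunt(SAMPLE_EVENTS)
    for flow, op in found:
        print(f"ALERT      {flow}: {op}")
    for flow, ctx, opnum in missing:
        print(f"UNRESOLVED {flow}: opnum {opnum} on unbound context {ctx}")
```

Each WATCHLIST pair is the same condition a Suricata signature expresses with the `dcerpc.iface` and `dcerpc.opnum` keywords, which is why a rule can fire on a service creation without parsing the stub data at all; the extra value of doing the join yourself is the `unresolved` list, which the alerting path has no place to put.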

Where to get the Ruleset

You may access the ruleset on the Stamus Labs threat intelligence server here:




The "Lateral Movement Detection Ruleset for Suricata" from Stamus Labs is free threat intelligence: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License or (at your option) any later version.

Read the terms here >>

sha256: 02117e28def7125933848107499b14f672023d18513de4b21ad5422c6815f98a

Join the Community Discussion

Have questions or comments about the Lateral Movement Ruleset for Suricata project?

Join the discussion on our Discord server.

Join Stamus Labs on Discord

Additional Resources

Lateral Movement Ruleset

Open Ruleset for Detecting Lateral Movement in Windows Environments with Suricata


Threats! What Threats? Detecting Lateral Movement with Stamus Security Platform


Security Analyst's Guide to Suricata