Hands-On Session: Detecting Lateral Movement in Microsoft Environments (Part 2)

Suricata is a widely used IDS/IPS and NSM engine. Whether it sniffs live traffic passively or sits inline, it produces a combined output stream built from separate elements: network protocol transaction events, alerts, full packet capture (PCAP), and files extracted from the traffic.

Suricata produces over 25 different types of log records, including alerts, protocol and decoding anomalies, and transaction events for many network protocols. Every record carries its own event type. Two of those event types are SMB and DCERPC, which Suricata produces from its native protocol detection and parsing, with no signature required.

As fundamental elements of the Microsoft Windows and Active Directory infrastructure, various versions of the SMB/DCERPC protocols are natively used by enterprises of all sizes.

Unfortunately, the same protocols are routinely used by threat actors for lateral movement once a beachhead has been established in the organization. This is where Suricata's SMB and DCERPC event logs become very helpful in hunting scenarios.
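To make the hunting idea concrete, here is an added example (not code from the webinar or from the Suricata project) that runs over a few constructed EVE JSON lines and aggregates three lateral-movement indicators per source host: tree connects to the administrative disk shares ADMIN$ and C$, opens of the svcctl and atsvc named pipes, and DCERPC binds to interfaces such as svcctl or the task scheduler. It then reports sources that touch several distinct destinations, the "one host to many" fan-out pattern a hunting dashboard would visualize. The field names (smb.command, smb.share, smb.filename, smb.dcerpc, dcerpc.request, dcerpc.interfaces[].uuid), the interface UUID labels and the sample records are assumptions of this example; confirm them against your own eve.json before relying on the logic.

```python
"""Added example: aggregate SMB/DCERPC lateral-movement indicators from Suricata EVE JSON.

Field names follow Suricata's EVE SMB/DCERPC records as assumed by this example;
verify them against a real eve.json before use.
"""
import json
from collections import defaultdict

# DCERPC interface UUIDs commonly seen in lateral movement (labels are this example's own).
RPC_INTERFACES = {
    "367abb81-9844-35f1-ad32-98f038001003": "svcctl",              # service control (PsExec-style)
    "1ff70682-0a51-30e8-076d-740be8cee98b": "atsvc",               # legacy AT job scheduler
    "86d35949-83c9-4044-b424-db363231fd0c": "ITaskSchedulerService",
    "e3514235-4b06-11d1-ab04-00c04fc2dcd2": "drsuapi",             # directory replication (DCSync)
}
ADMIN_SHARES = {"ADMIN$", "C$"}   # IPC$ is deliberately excluded: every RPC-over-SMB session uses it
EXEC_PIPES = {"svcctl", "atsvc"}


def share_name(unc):
    """Return the share part of a UNC path: '\\\\10.0.0.20\\ADMIN$' -> 'ADMIN$'."""
    return unc.rstrip("\\").rsplit("\\", 1)[-1]


def rpc_binds(dcerpc):
    """Yield ('rpc_bind', name) for each known interface in a DCERPC BIND."""
    if not dcerpc or dcerpc.get("request") != "BIND":
        return
    for iface in dcerpc.get("interfaces", []):
        name = RPC_INTERFACES.get(iface.get("uuid", "").lower())
        if name:
            yield ("rpc_bind", name)


def extract_indicators(record):
    """Yield (indicator, detail) tuples for one EVE record; nothing for benign records."""
    etype = record.get("event_type")
    if etype == "smb":
        smb = record.get("smb", {})
        cmd = smb.get("command", "")        # SMB1 and SMB2 command names both contain these words
        if "TREE_CONNECT" in cmd and smb.get("status") == "STATUS_SUCCESS":
            name = share_name(smb.get("share", "")).upper()
            if name in ADMIN_SHARES:
                yield ("admin_share", name)
        elif "CREATE" in cmd:
            pipe = smb.get("filename", "").lower()
            if pipe in EXEC_PIPES:
                yield ("exec_pipe", pipe)
        # DCERPC carried over an SMB named pipe is assumed nested under smb.dcerpc
        yield from rpc_binds(smb.get("dcerpc"))
    elif etype == "dcerpc":                 # DCERPC straight over TCP (e.g. port 135)
        yield from rpc_binds(record.get("dcerpc"))


def summarize(eve_lines):
    """Per source host: distinct targets touched and the indicators seen against each."""
    per_src = defaultdict(lambda: {"targets": set(), "indicators": defaultdict(set)})
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                        # skip a truncated line rather than abort the hunt
        src, dst = rec.get("src_ip", "?"), rec.get("dest_ip", "?")
        for indicator, detail in extract_indicators(rec):
            per_src[src]["targets"].add(dst)
            per_src[src]["indicators"][indicator].add(f"{dst}:{detail}")
    return {
        src: {"fanout": len(e["targets"]), "targets": sorted(e["targets"]),
              "indicators": {k: sorted(v) for k, v in e["indicators"].items()}}
        for src, e in per_src.items()
    }


def flag_fanout(summary, threshold=3):
    """Sources whose indicator-bearing connections reach at least `threshold` distinct hosts."""
    return {src: e for src, e in summary.items() if e["fanout"] >= threshold}


# Constructed sample records (not real traffic): 10.0.0.10 fans out to three hosts,
# 10.0.0.50 opens an ordinary file share, 10.0.0.5 hits ADMIN$ on a single host.
SAMPLE_EVE = r"""
{"timestamp":"2023-05-10T10:01:02.000000+0000","event_type":"smb","src_ip":"10.0.0.10","src_port":49700,"dest_ip":"10.0.0.20","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_TREE_CONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1,"tree_id":1,"share":"\\\\10.0.0.20\\ADMIN$","share_type":"FILE"}}
{"timestamp":"2023-05-10T10:01:03.000000+0000","event_type":"smb","src_ip":"10.0.0.10","src_port":49700,"dest_ip":"10.0.0.20","dest_port":445,"proto":"TCP","smb":{"id":5,"dialect":"3.11","command":"SMB2_COMMAND_CREATE","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1,"tree_id":2,"filename":"svcctl","disposition":"FILE_OPEN","access":"normal"}}
{"timestamp":"2023-05-10T10:01:03.500000+0000","event_type":"smb","src_ip":"10.0.0.10","src_port":49700,"dest_ip":"10.0.0.20","dest_port":445,"proto":"TCP","smb":{"id":6,"dialect":"3.11","command":"SMB2_COMMAND_IOCTL","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1,"tree_id":2,"dcerpc":{"request":"BIND","response":"BINDACK","interfaces":[{"uuid":"367abb81-9844-35f1-ad32-98f038001003","version":"2.0","ack_result":0}],"call_id":2}}}
{"timestamp":"2023-05-10T10:02:10.000000+0000","event_type":"smb","src_ip":"10.0.0.10","src_port":49712,"dest_ip":"10.0.0.21","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_TREE_CONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1,"tree_id":1,"share":"\\\\10.0.0.21\\C$","share_type":"FILE"}}
{"timestamp":"2023-05-10T10:03:40.000000+0000","event_type":"dcerpc","src_ip":"10.0.0.10","src_port":49730,"dest_ip":"10.0.0.22","dest_port":135,"proto":"TCP","dcerpc":{"request":"BIND","response":"BINDACK","interfaces":[{"uuid":"86d35949-83c9-4044-b424-db363231fd0c","version":"1.0","ack_result":0}],"call_id":1}}
{"timestamp":"2023-05-10T10:05:00.000000+0000","event_type":"smb","src_ip":"10.0.0.50","src_port":50101,"dest_ip":"10.0.0.30","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_TREE_CONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1,"tree_id":1,"share":"\\\\fs01\\Projects","share_type":"FILE"}}
{"timestamp":"2023-05-10T10:06:00.000000+0000","event_type":"smb","src_ip":"10.0.0.5","src_port":50555,"dest_ip":"10.0.0.31","dest_port":445,"proto":"TCP","smb":{"id":3,"dialect":"3.11","command":"SMB2_COMMAND_TREE_CONNECT","status":"STATUS_SUCCESS","status_code":"0x0","session_id":1,"tree_id":1,"share":"\\\\10.0.0.31\\ADMIN$","share_type":"FILE"}}
"""

if __name__ == "__main__":
    # For a real hunt, replace SAMPLE_EVE.splitlines() with open("/var/log/suricata/eve.json").
    for src, entry in flag_fanout(summarize(SAMPLE_EVE.splitlines())).items():
        print(f"{src} -> {entry['fanout']} hosts {entry['targets']}")
        for indicator, hits in entry["indicators"].items():
            print(f"    {indicator}: {', '.join(hits)}")
```

The aggregation is what you would plot: source on one axis, distinct destinations on the other, with the indicator type as the series. A single host reaching ADMIN$ on one server is everyday administration; the same host reaching ADMIN$, svcctl and the task scheduler on three servers inside a few minutes is the shape worth looking at, and the threshold in `flag_fanout` is the knob to tune against your own baseline before turning any of this into a signature.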

In this 3-part webinar series, we aim to take a thorough hands-on approach to show you how to use Suricata's SMB and DCERPC logs for lateral movement detection.

The series covers hunting approaches with pure network transaction data and explains where, how, and when it makes sense to write a signature for a specific use case.

Part 2 will concentrate on creating and reviewing useful visualizations for lateral movement hunting, based on the SMB and DCERPC protocol data that Suricata produces. This will be a hands-on review of specific cases.

Register now on Eventbrite

Our recording of Part 1 can be viewed at: 🔴 Detect Lateral Movement in Microsoft Environment with Suricata (Part 1) - YouTube
