Detecting Lateral Movement with Splunk
When to Use
- When hunting for adversary movement between compromised systems
- After detecting credential theft to trace subsequent lateral activity
- When investigating unusual authentication patterns across the network
- During incident response to scope the breadth of compromise
- When proactively hunting for TA0008 (Lateral Movement) techniques
Prerequisites
- Splunk Enterprise or Splunk Cloud with Windows event data ingested
- Windows Security Event Logs forwarded (4624, 4625, 4648, 4672, 4768, 4769)
- Sysmon deployed for process creation and network connection data
- Network flow data or firewall logs for SMB/RDP/WinRM correlation
- Active Directory user and group membership reference data
Workflow
- Define Lateral Movement Scope: Identify which lateral movement techniques to hunt (RDP, SMB/Admin Shares, WinRM, PsExec, WMI, DCOM, SSH).
- Query Authentication Events: Use SPL to search for Type 3 (Network) and Type 10 (RemoteInteractive) logons across the environment.
- Build Authentication Graphs: Map source-to-destination authentication relationships to identify unusual connection patterns.
- Detect First-Time Relationships: Identify new source-destination pairs that have not been seen in the historical baseline.
- Correlate with Process Activity: Link authentication events to subsequent process creation on destination hosts.
- Identify Anomalous Patterns: Flag lateral movement to sensitive servers, unusual hours, service account misuse, or rapid multi-host access.
- Report and Contain: Document lateral movement path, affected systems, and coordinate containment response.
Key Concepts
| Concept | Description |
|---|---|
| T1021 | Remote Services (parent technique) |
| T1021.001 | Remote Desktop Protocol (RDP) |
| T1021.002 | SMB/Windows Admin Shares |
| T1021.003 | Distributed COM (DCOM) |
| T1021.004 | SSH |
| T1021.006 | Windows Remote Management (WinRM) |
| T1570 | Lateral Tool Transfer |
| T1047 | Windows Management Instrumentation |
| T1569.002 | Service Execution (PsExec) |
| Logon Type 3 | Network logon (SMB, WinRM, mapped drives) |
| Logon Type 10 | Remote Interactive (RDP) |
| Event ID 4624 | Successful logon |
| Event ID 4648 | Explicit credential logon (runas, PsExec) |
Tools & Systems
| Tool | Purpose |
|---|---|
| Splunk Enterprise | SIEM for log aggregation and SPL queries |
| Splunk Enterprise Security | Threat detection and notable events |
| Windows Event Forwarding | Centralize Windows logs |
| Sysmon | Detailed process and network telemetry |
| BloodHound | AD attack path analysis |
| PingCastle | AD security assessment |
Common Scenarios
- PsExec Lateral Movement: Adversary uses PsExec to execute commands on remote systems via SMB, generating Type 3 logon with ADMIN$ share access.
- RDP Pivoting: Attacker RDPs to internal systems using stolen credentials, creating Type 10 logon events.
- WMI Remote Execution: Adversary uses WMIC process call create to spawn processes on remote hosts.
- WinRM PowerShell Remoting: Attacker uses Enter-PSSession or Invoke-Command to execute code on remote systems.
- Pass-the-Hash via SMB: Compromised NTLM hashes used to authenticate to remote systems without knowing the plaintext password.
Output Format
Hunt ID: TH-LATMOV-[DATE]-[SEQ]
Movement Type: [RDP/SMB/WinRM/WMI/DCOM/PsExec]
Source Host: [Hostname/IP]
Destination Host: [Hostname/IP]
Account Used: [Username]
Logon Type: [3/10/other]
First Seen: [Timestamp]
Event Count: [Number of events]
Risk Level: [Critical/High/Medium/Low]
Lateral Movement Path: [A -> B -> C -> D]Verification Criteria
Confirm successful execution by validating:
- [ ] All prerequisite tools and access requirements are satisfied
- [ ] Each workflow step completed without errors
- [ ] Output matches expected format and contains expected data
- [ ] No security warnings or misconfigurations detected
- [ ] Results are documented and evidence is preserved for audit
Compliance Framework Mapping
This skill supports compliance evidence collection across multiple frameworks:
- SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
- ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
- NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
- NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)
Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.
Deploying This Skill with Claw GRC
Agent Execution
Register this skill with your Claw GRC agent for automated execution:
# Install via CLI
npx claw-grc skills add detecting-lateral-movement-with-splunk
# Or load dynamically via MCP
grc.load_skill("detecting-lateral-movement-with-splunk")Audit Trail Integration
When executed through Claw GRC, every step of this skill generates tamper-evident audit records:
- SHA-256 chain hashing ensures no step can be modified after execution
- Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
- Trust score impact — successful execution increases your agent's trust score
Continuous Compliance
Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.