Detection rules for Generic data sources. Each rule includes its MITRE ATT&CK mapping, impact rating, and a description of what it detects.
This category contains 1 detection rule.
| Rule | Category | Technique | Impact (C/I/A) |
|---|---|---|---|
| Cross-Source Lateral Movement Detection | Lateral Movement | T1021 - Remote Services | C:3 / I:2 / A:1 |
Rule Example
Below is an example of a rule definition for Cross-Source Lateral Movement Detection:
```yaml
# Rule version v1.0.0
dataTypes:
  - generic
name: Cross-Source Lateral Movement Detection
impact:
  confidentiality: 3
  integrity: 2
  availability: 1
category: Lateral Movement
technique: "T1021 - Remote Services"
adversary: origin
references:
  - https://attack.mitre.org/techniques/T1021/
description: |
  Detects patterns of authentication events across multiple log sources that indicate lateral movement. Monitors for remote service access patterns including RDP, SSH, SMB, and WMI connections followed by execution indicators.
  Next Steps:
  1. Map the authentication chain across systems
  2. Identify the initial point of compromise
  3. Verify each hop was from authorized activity
  4. Check for credential reuse across systems
  5. Investigate the final destination for post-exploitation activity
  6. Implement network segmentation to limit lateral movement paths
where: |
  exists("origin.ip") &&
  exists("origin.user") &&
  (
    (exists("log.message") && (
      (contains("log.message", "remote") && contains("log.message", "login")) ||
      (contains("log.message", "authenticated") && contains("log.message", "from")) ||
      (contains("log.message", "session") && contains("log.message", "opened") && contains("log.message", "remote")) ||
      contains("log.message", "lateral movement") ||
      (contains("log.message", "RDP") && contains("log.message", "connection")) ||
      (contains("log.message", "SMB") && contains("log.message", "authenticated")) ||
      (contains("log.message", "WMI") && contains("log.message", "connection"))
    )) ||
    (exists("action") && (
      equals("action", "remote_login") ||
      equals("action", "network_logon") ||
      equals("action", "rdp_connection")
    ))
  )
afterEvents:
  - indexPattern: v11-log-generic-*
    with:
      - field: origin.user
        operator: filter_term
        value: '{{.origin.user}}'
      - field: log.message
        operator: filter_match
        value: 'remote login OR authenticated OR session opened'
    within: now-30m
    count: 5
groupBy:
  - adversary.ip
  - adversary.user
```
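As an added illustration (not code from the rule repository), the Python below approximates how the rule above evaluates: matches_where() transcribes the where clause over nested event dicts, and correlate() applies the afterEvents stage, grouping alerts by origin.ip/origin.user as the adversary: origin mapping implies. The constructed events, the case-sensitive contains(), and the reading of filter_match as "any of the three phrases, case-insensitive, within 30 minutes after the trigger" are assumptions about the engine, not documented behaviour.

```python
from datetime import datetime, timedelta

def get(event, path):
    """Resolve a dotted field path such as "origin.user" inside a nested event dict."""
    for part in path.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event
def exists(e, f): return get(e, f) is not None
def contains(e, f, s): return isinstance(get(e, f), str) and s in get(e, f)  # case-sensitive (assumed)
def equals(e, f, v): return get(e, f) == v

def matches_where(e):
    """Transcription of the rule's where clause; msg() ANDs contains() checks on log.message."""
    msg = lambda *terms: exists(e, "log.message") and all(contains(e, "log.message", t) for t in terms)
    return exists(e, "origin.ip") and exists(e, "origin.user") and (
        msg("remote", "login") or msg("authenticated", "from") or msg("session", "opened", "remote")
        or msg("lateral movement") or msg("RDP", "connection") or msg("SMB", "authenticated")
        or msg("WMI", "connection") or (exists(e, "action") and get(e, "action") in
                                         ("remote_login", "network_logon", "rdp_connection")))

AFTER_TERMS = ("remote login", "authenticated", "session opened")  # the filter_match phrases
parse_ts = lambda e: datetime.fromisoformat(e["@timestamp"])

def correlate(events, within=timedelta(minutes=30), count=5):
    """afterEvents stage, simplified: a trigger alerts only if at least `count` later events from
    the same origin.user fall inside `within` and their log.message contains one of AFTER_TERMS
    (case-insensitive). Alert keys stand in for groupBy adversary.ip / adversary.user."""
    alerts = {}
    for trig in (e for e in events if matches_where(e)):
        t0 = parse_ts(trig)
        followers = [f for f in events if f is not trig and t0 <= parse_ts(f) <= t0 + within
                     and get(f, "origin.user") == get(trig, "origin.user")
                     and isinstance(get(f, "log.message"), str)
                     and any(p in get(f, "log.message").lower() for p in AFTER_TERMS)]
        if len(followers) >= count:
            key = (get(trig, "origin.ip"), get(trig, "origin.user"))
            alerts[key] = alerts.get(key, 0) + 1
    return alerts

# Constructed sample events (not from the page): alice shows a burst of logons, bob a single
# one, and carol's event has no origin.ip so the where clause rejects it.
def ev(ts, ip, user, msg, action=None):
    e = {"@timestamp": ts, "origin": {"ip": ip, "user": user}, "log": {"message": msg}}
    return {**e, "action": action} if action else e

EVENTS = [ev("2024-05-01T09:00:00", "10.0.0.5", "alice", "RDP connection established")] + [
    ev(f"2024-05-01T09:{m:02d}:00", "10.0.0.5", "alice", f"user authenticated from host{m}")
    for m in range(3, 28, 5)] + [
    ev("2024-05-01T09:10:00", "10.0.0.9", "bob", "", action="network_logon"),
    ev("2024-05-01T09:12:00", "10.0.0.9", "bob", "session opened for bob"),
    ev("2024-05-01T09:15:00", None, "carol", "remote login from 10.0.0.7")]
```

Two things worth checking when tuning this rule are visible in the walk-through: the where clause has no SSH pattern although the description lists SSH, and a trigger that matched only via the action field still needs five message-bearing follow-up events to raise an alert because the afterEvents filter is on log.message.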
Rule Details
Cross-Source Lateral Movement Detection
Detects patterns of authentication events across multiple log sources that indicate lateral movement. Monitors for remote service access patterns including RDP, SSH, SMB, and WMI connections followed by execution indicators.
Category: Lateral Movement
Technique: T1021 - Remote Services
Impact: C:3 / I:2 / A:1
Rule file: cross_source_lateral_movement.yml
Reference: https://attack.mitre.org/techniques/T1021/