Author Archives: Ryan Nolette
For this example, I will limit my search to just high value targets, such as the domain admin accounts.
Authentication requests are used to identify accounts or users that are allowed to access the network and its resources. Similar to legitimate authentication, attackers may use compromised or distinct accounts to identify themselves to an authentication server, and may also use existing accounts in order to blend in with normal authentication traffic.
Lateral movement is a critical step that attackers use when targeting your network. In the last Hunter’s Den post we covered how attackers lay the groundwork for lateral movement. Now that we know what tactics to look for, let’s get to hunting.
In our last Hunter’s Den post, we covered some of the TTPs associated with searching for lateral movement. Now that we have a rough idea of the progression of this attack lifecycle, let’s dig into the stages a bit more.
The Hunter’s Den blog series aims to go beyond framework and theory and dig into practical tips and techniques for threat hunting. In our previous post, we examined the practical ways to hunt for C2 activity. In this series of posts, we will take a look at how to hunt for lateral movement activity.