Lateral movement refers to the behavior of an attacker who, after gaining initial access to one asset, moves through the compromised network in search of sensitive data. The attacker uses a range of tools and techniques to move laterally and map the environment; improving visibility into the events those actions generate lets you track the attacker's path. Below is the list of Windows event IDs to monitor and hunt for.
| Event ID | Description (and log location) |
|---|---|
| 4624 | An account was successfully logged on |
| 4634 | An account was logged off |
| 4648 | A logon was attempted using explicit credentials |
| 4656 | A handle to an object was requested |
| 4658 | The handle to an object was closed |
| 4660 | An object was deleted |
| 4663 | An attempt was made to access an object |
| 4672 | Special privileges assigned to new logon |
| 4673 | A privileged service was called |
| 4688 | A new process has been created |
| 4689 | A process has exited |
| 4698 | A scheduled task was created |
| 4720 | A user account was created |
| 4768 | A Kerberos authentication ticket (TGT) was requested |
| 4769 | A Kerberos service ticket was requested |
| 4946 | A change has been made to the Windows Firewall exception list: a rule was added |
| 5140 | A network share object was accessed |
| 5142 | A network share object was added |
| 5144 | A network share object was deleted |
| 5145 | A network share object was checked to see whether the client can be granted the desired access |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections |
| 5156 | The Windows Filtering Platform has allowed a connection |
| 5447 | A Windows Filtering Platform filter has been changed |
| 8222 | A shadow copy has been created |
| 7036 | Service Control Manager: a service entered the running state |
| 7045 | A new service was installed in the system |
| 20001 | New hardware was connected to your computer. Status values: 0 (0x00000000) Installation Successful; 2 (0x00000002) File Not Found; 2147942402 (0x80070002) File Not Found; 2147942403 (0x80070003) Path Not Found; 2147942405 (0x80070005) Access Denied; 2148467251 (0x800F0233) Invalid Target; 2150105198 (0x8028006E) Invalid Source Path; 1459 (0x000005B3) Requires Interactive Workstation; 1460 (0x000005B4) Timeout; 3758096948 (0xE0000234) Driver Non-native; 3758096966 (0xE0000246) Device Installer Not Ready |
| 80 | Applications and Services Log under Windows Remote Management |
| 132 | Applications and Services Log under Windows Remote Management |
| 143 | Applications and Services Log under Windows Remote Management |
| 166 | Applications and Services Log under Windows Remote Management |
| 81 | Applications and Services Log under Windows Remote Management |
| 106 | Applications and Services Log under \Microsoft\Windows\TaskScheduler\Operational |
| 129 | Applications and Services Log under \Microsoft\Windows\TaskScheduler\Operational |
| 200 | Applications and Services Log under \Microsoft\Windows\TaskScheduler\Operational |
| 201 | Applications and Services Log under \Microsoft\Windows\TaskScheduler\Operational |
| 21 | Applications and Services Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational |
| 24 | Applications and Services Log under \Microsoft\Windows\TerminalServices-LocalSessionManager\Operational |
| 60 | Applications and Services Log under \Microsoft\Windows\Bits-Client |
| 104 | The System log file was cleared |
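A hunting query that pulls the IDs from the table above out of their respective channels and then breaks out the network (type 3) and RemoteInteractive (type 10) logons from 4624, added here as an example and not part of the original post. It assumes an elevated PowerShell session on the host being examined and that the operational channels are enabled (several, such as TaskScheduler/Operational, are off by default); the channel-to-ID mapping is my own and covers only the IDs whose log location I am sure of.

```powershell
# Added hunting query (not from the original post). Run elevated on the host
# under review; look-back window is an assumption, adjust to your retention.
$Since = (Get-Date).AddHours(-24)

# Security-log IDs from the table; 4656/4658/4663 are left out because they
# need object-access auditing with a SACL and are very noisy without one.
$Channels = @{
    'Security'                                                           = 4624,4648,4672,4688,4698,4720,4768,4769,4946,5140,5145,5156
    'System'                                                             = 7045,104
    'Microsoft-Windows-TaskScheduler/Operational'                        = 106,129,200,201
    'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' = 21,24
    'Microsoft-Windows-WinRM/Operational'                                = 80,81,132,143,166
    'Microsoft-Windows-Bits-Client/Operational'                          = 60
}

$Hits = foreach ($log in $Channels.Keys) {
    # -FilterHashtable filters on the provider side; SilentlyContinue swallows
    # the "No events were found" error that an empty or disabled channel raises.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $Channels[$log]; StartTime = $Since } -ErrorAction SilentlyContinue
}

# Per-ID counts give a quick triage view of which behaviours actually fired.
$Hits | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# LogonType lives in EventData, not in the message text, so parse the event XML.
$Hits | Where-Object Id -eq 4624 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.LogonType -in '3', '10') {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = $d.LogonType
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            AuthPkg   = $d.AuthenticationPackageName
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

The second table is the one to read first: a type 3 or type 10 logon from a workstation address, followed on the same host by a 7045 or 4698 in the first table, is the pattern the post is describing.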
Conclusion
As a SOC analyst, monitor these events with high priority: they are critical indicators of an attacker who has been living inside your organization's network for some time.