Detecting Lateral Movement with New Events in the Windows Server 2016 Security Log

Preventing attackers from gaining control of network endpoints is difficult. Your preventative controls might stop such an event, but defense-in-depth best practices recommend a multi-layered security approach to protect your organization.

In this webcast, Seth Goldhammer, director of product management at LogRhythm, joins Randy Franklin Smith, Windows Security subject matter expert, to discuss how to detect attackers at various stages of the Cyber Attack Lifecycle. The duo examines Windows Firewall events in Windows 10 and Windows Server 2016, including:

  • 4798 — A user’s local group membership was enumerated
  • 4799 — A security-enabled local group membership was enumerated
  • 4627 — Group membership information
  • 6416 — A new external device was recognized by the system

These are actions that normal users don’t typically perform, so they can be strong indicators of an intruder at work.

In this webcast, Randy and Seth show how LogRhythm’s analytics can recognize progression along the Cyber Attack Lifecycle while increasing risk scoring with each progression. LogRhythm’s established entities help define different networks and hosts, providing analysts with insight and the ability to adjust risk scoring to correspond to the appropriate level of threat.

The webcast also reveals how LogRhythm can infer additional context about a user during analysis. By baselining normal system activity, analysts can establish what typical behavior looks like on their network. From there, analysts can look for anomalous events outside of baseline behavior.

To save time in future threat hunts, analysts can also build an exceptions list within each of their created alarms to exempt established users or events that have been deemed innocuous. This approach to supervised machine learning not only saves time, but allows for more intelligent security systems analytics.
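The event IDs listed above, the risk scoring that grows as activity progresses across hosts, and the per-alarm exceptions list can be combined into a small detection routine. The following Python is an added example written for this page; it is not LogRhythm code and not from the webcast. The event records are constructed, the field names (EventID, Computer, SubjectUserName, ProcessName, TimeCreated) mirror what a Windows event forwarder typically emits, and the risk weights, the 30-minute window, and the exceptions entries are assumed values an analyst would tune from their own baseline.

```python
"""Score Windows Security events 4798/4799/4627/6416 per user, with an
exceptions list and a bonus when enumeration spreads across hosts.
Added example; event data below is constructed, not a real log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Base risk weight per watched event (assumed values, tune to taste).
EVENT_WEIGHTS = {
    4798: 10,  # a user's local group membership was enumerated
    4799: 15,  # a security-enabled local group membership was enumerated
    4627: 5,   # group membership information (logged at logon)
    6416: 20,  # a new external device was recognized by the system
}

# Exceptions list: (user, process) pairs already baselined as benign.
# Assumed entries; a real list is built from the analyst's own baseline.
EXCEPTIONS = {
    ("SVC-INVENTORY", r"C:\Program Files\Inventory\agent.exe"),
}


def is_exception(event):
    """True when the event matches a baselined (user, process) pair."""
    return (event.get("SubjectUserName", "").upper(),
            event.get("ProcessName", "")) in EXCEPTIONS


def score_events(events, window=timedelta(minutes=30), spread_bonus=25):
    """Return {USER: {"risk", "hosts", "lateral"}} for users with watched
    events not covered by the exceptions list. Risk accumulates per event
    and jumps by `spread_bonus` once the same user enumerates groups on two
    or more distinct hosts inside `window` (the progression the page
    describes as lateral movement)."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] not in EVENT_WEIGHTS or is_exception(ev):
            continue
        per_user[ev["SubjectUserName"].upper()].append(ev)

    results = {}
    for user, evs in per_user.items():
        risk = sum(EVENT_WEIGHTS[e["EventID"]] for e in evs)
        lateral, start, seen = False, None, set()
        for e in evs:
            if e["EventID"] not in (4798, 4799):
                continue
            # Open a new window when the current one has expired.
            if start is None or e["TimeCreated"] - start > window:
                start, seen = e["TimeCreated"], set()
            seen.add(e["Computer"])
            if len(seen) >= 2 and not lateral:
                lateral = True
                risk += spread_bonus
        results[user] = {
            "risk": risk,
            "hosts": sorted({e["Computer"] for e in evs}),
            "lateral": lateral,
        }
    return results


def triage(events, threshold=50):
    """Users whose risk meets the threshold, highest first."""
    scored = score_events(events)
    hits = [(u, r["risk"]) for u, r in scored.items() if r["risk"] >= threshold]
    return sorted(hits, key=lambda x: -x[1])


# Constructed sample events (not from a real system).
T0 = datetime(2017, 3, 1, 9, 0, 0)
NET1 = r"C:\Windows\System32\net1.exe"
SAMPLE_EVENTS = [
    {"EventID": 4798, "TimeCreated": T0, "Computer": "WS01",
     "SubjectUserName": "jdoe", "ProcessName": NET1},
    {"EventID": 4799, "TimeCreated": T0 + timedelta(minutes=2), "Computer": "WS01",
     "SubjectUserName": "jdoe", "ProcessName": NET1},
    {"EventID": 4799, "TimeCreated": T0 + timedelta(minutes=10), "Computer": "FS02",
     "SubjectUserName": "jdoe", "ProcessName": NET1},
    {"EventID": 6416, "TimeCreated": T0 + timedelta(minutes=15), "Computer": "WS01",
     "SubjectUserName": "jdoe", "ProcessName": ""},
    {"EventID": 4798, "TimeCreated": T0 + timedelta(minutes=20), "Computer": "WS07",
     "SubjectUserName": "SVC-INVENTORY",
     "ProcessName": r"C:\Program Files\Inventory\agent.exe"},
    {"EventID": 4627, "TimeCreated": T0 + timedelta(minutes=21), "Computer": "WS03",
     "SubjectUserName": "asmith", "ProcessName": ""},
    {"EventID": 4624, "TimeCreated": T0 + timedelta(minutes=22), "Computer": "WS03",
     "SubjectUserName": "asmith", "ProcessName": ""},  # logon, not watched
]

if __name__ == "__main__":
    for user, info in score_events(SAMPLE_EVENTS).items():
        print(user, info)
    print("triage:", triage(SAMPLE_EVENTS))
```

In the sample, jdoe enumerates groups on WS01 and then FS02 within the window and later triggers a new-device event, so the account crosses the threshold; the inventory service account is dropped entirely by the exceptions list, which is the same time-saving effect the exceptions list in an alarm provides.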

LogRhythm collects Windows events in several ways (remotely, forwarded, and so on), and the platform also goes beyond Windows events to collect flat files, database rows, records, and more.

Watch the on-demand webcast now to learn how to take your security operations to the next level.