SANS ISC: Detecting lateral movement by NIDS/IPS (netcat or psexec) SANS ISC InfoSec Forums

Detecting lateral movement by NIDS/IPS (netcat or psexec)
Good afternoon gents,

In order to detect lateral movement (using a NIDS/IPS for detection): does anybody have any experience detecting netcat or psexec tools with a NIDS/IPS?

I started with a simple PoC with Wireshark and two clients connected by netcat or psexec tools between them. I hope to find some patterns/payload in order to craft signatures in my NIDS.

Any experience on it?

Thanks in advance!
ShanHolo

8 Posts
There are some Emerging Threats rules that *may* work (I haven't tested them):

doc.emergingthreats.net/bin/view/Main/…
Johannes

3759 Posts
ISC Handler
If you check the bytes per packet by looking at Statistics -> Summary -> TCP, the bytes per packet should always remain the same, and packets would be the count of events your router would collect. Aggregating the same amount of bytes per packet for x events in x minutes on the internal network may work and serve as a robust catch-all rule.
Mostropi

27 Posts
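The bytes-per-packet heuristic from the post above, as an added example that is not the poster's code: it groups constructed flow records by source/destination pair and flags pairs where several events within a window share an identical bytes-per-packet ratio. The flow record format, the event threshold and the window length are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the thread):
# timestamp, src, dst, packets, bytes
SAMPLE_FLOWS = """\
2024-01-01T10:00:00 10.0.0.5 10.0.0.9 4 256
2024-01-01T10:01:10 10.0.0.5 10.0.0.9 4 256
2024-01-01T10:02:30 10.0.0.5 10.0.0.9 6 384
2024-01-01T10:03:05 10.0.0.5 10.0.0.9 2 128
2024-01-01T10:00:20 10.0.0.7 10.0.0.8 5 300
2024-01-01T10:04:00 10.0.0.7 10.0.0.8 5 1500
2024-01-01T10:20:00 10.0.0.5 10.0.0.9 4 256
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, pkts, byts = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(pkts), int(byts)))
    return flows


def constant_ratio_pairs(flows, min_events=3, window=timedelta(minutes=10)):
    """Return (src, dst, bytes_per_packet) for every pair where at least
    `min_events` flows inside a `window`-long span share the exact same
    bytes-per-packet ratio (the "x events in x minutes" catch-all idea)."""
    by_pair = defaultdict(list)
    for ts, src, dst, pkts, byts in flows:
        if pkts:  # skip records that would divide by zero
            by_pair[(src, dst)].append((ts, byts / pkts))
    hits = set()
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, ratio) in enumerate(events):
            # count later events in [t0, t0 + window) with the same ratio
            n = sum(1 for t, r in events[i:] if t - t0 < window and r == ratio)
            if n >= min_events:
                hits.add((src, dst, ratio))
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, ratio in constant_ratio_pairs(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: constant {ratio:.0f} bytes/packet")
```

Expect false positives from any chatty protocol with fixed-size messages (keepalives, polling), so tune the threshold and window per segment before alerting on it.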
