IEEE Access (Jan 2025)

Threat Hunting the Shadows: Detecting Adversary Lateral Movement With Elasticsearch

  • Naif Alsharabi,
  • Akashdeep Bhardwaj,
  • Talal Sarheed Alshammari,
  • Shoayee Alotaibi,
  • Dhahi Alshammari,
  • Amr Jadi

DOI
https://doi.org/10.1109/ACCESS.2025.3556184
Journal volume & issue
Vol. 13
pp. 62341 – 62352

Abstract

This research investigates the elusive tactic of lateral movement employed by adversaries within a compromised network. The focus is on identifying the mechanisms and techniques used for lateral movement, with a particular emphasis on credential access. The study leverages a custom-designed Security Information and Event Management (SIEM) system built upon Elasticsearch, coupled with KQL (Kibana Query Language) and Lucene search queries. Employing a realistic dataset, the research simulates an adversary’s TTPs (Tactics, Techniques, and Procedures) to examine the critical area of credential access in depth. This approach allows for the identification of indicators of compromise (IoCs) and the construction of targeted search queries to uncover signs and traces of lateral movement within the simulated environment. The findings contribute valuable insights into detection methodologies and highlight the effectiveness of a SIEM system, in conjunction with advanced search functionality, for proactively countering lateral movement attempts.

Keywords