Is this compatible with Splunk Cloud?

Yes, the logic and SPL queries provided are compatible with both Splunk Enterprise and Splunk Cloud environments.

Does it detect PsExec usage?

Yes, it monitors for Type 3 network logons combined with ADMIN$ share access and associated service execution events typically generated by PsExec.

What logs are required for this skill to work effectively?

You need Windows Security Event Logs (specifically 4624, 4625, 4648, 4672, 4768, 4769), Sysmon for process telemetry, and ideally network flow data for SMB/RDP correlation.

How does it distinguish between normal activity and malicious movement?

It identifies first-time source-destination relationships, flags unusual logon types (such as Type 10 for RDP), and correlates authentication events with suspicious remote process execution.

Can this skill help with MITRE ATT&CK compliance?

Yes, it specifically focuses on the Lateral Movement tactic (TA0008) and maps directly to sub-techniques like Remote Services (T1021) and Lateral Tool Transfer (T1570).

Splunk Lateral Movement Detection

Name: Splunk Lateral Movement Detection
Author: micsapp

bymicsapp

0•

安全与测试

Identifies and tracks adversary movement across network environments using specialized Splunk SPL queries and Windows event analysis.

This skill empowers cybersecurity analysts to proactively hunt for lateral movement techniques by leveraging Splunk's powerful search capabilities. It provides structured guidance for querying Windows authentication logs, Sysmon data, and network traffic to identify patterns associated with RDP pivoting, SMB abuse, PsExec execution, and WMI remoting. By correlating authentication events with subsequent process activity, it helps security teams map attack paths, scope compromises, and respond effectively to internal network threats using established MITRE ATT&CK frameworks.

主要功能

01Detection logic for anomalous RDP, SMB, WinRM, and WMI activity

02Standardized output format for documenting lateral movement paths

03Mapping of MITRE ATT&CK techniques (TA0008) to actionable hunting workflows

040 GitHub stars

05Correlation between authentication logs and subsequent process telemetry

06Pre-configured SPL queries for Windows Event IDs 4624, 4648, and 4672

使用场景

01Incident response scoping following an initial credential compromise

02Proactive threat hunting for internal adversary movement (TA0008)

03Identifying unusual cross-network authentication patterns and RDP pivoting

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-lateral-movement-with-splunk

For use in Claude.ai and ChatGPT

主要功能

01Detection logic for anomalous RDP, SMB, WinRM, and WMI activity

02Standardized output format for documenting lateral movement paths

03Mapping of MITRE ATT&CK techniques (TA0008) to actionable hunting workflows

040 GitHub stars

05Correlation between authentication logs and subsequent process telemetry

06Pre-configured SPL queries for Windows Event IDs 4624, 4648, and 4672

使用场景

01Incident response scoping following an initial credential compromise

02Proactive threat hunting for internal adversary movement (TA0008)

03Identifying unusual cross-network authentication patterns and RDP pivoting

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add micsapp/micstec-skills detecting-lateral-movement-with-splunk

For use in Claude.ai and ChatGPT