Detecting Lateral Movement with Machine Learning.
DetectLM is proof-of-concept code that uses machine learning to analyze commands executed via cmd.exe and detect malicious ones.
Each tool requires the following modules:
git clone https://github.com/JPCERTCC/DetectLM.git
els_server = localhost
$ python DetectLM.py -m
*/15 * * * * python3.6 [Folder Name]/DetectLM.py
> reg add "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v AutoRun /d [Downloaded Folder Name]\cmdlogs.bat
or
> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor" /v AutoRun /d [Downloaded Folder Name]\cmdlogs.bat
> powershell -exec bypass .\Invoke-DetectLM.ps1 -ehost [Elasticsearch Server]
Executed command logs can be checked from Kibana.
The log has three detection levels; AlertLevel 2 indicates malicious commands.
An ignore flag is automatically added to any command executed by the user.
When malicious Windows command execution is detected by machine learning, a notification will be sent to the client.
A user can also set an ignore flag on a specific command execution when prompted by the client tool.
Logs are visualized with a Kibana dashboard.
An example dashboard is in kibana_objects. Import it via [Management -> Saved Objects -> Import].
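The triage rule described above (notify on AlertLevel 2, unless the user has set an ignore flag on that execution) as a worked example. This is added illustration code, not part of DetectLM or JPCERTCC's repository; the record field names (`host`, `user`, `command`, `alert_level`, `ignore`) and the sample records are assumptions constructed for the example, and DetectLM's own Elasticsearch mapping may use different names.

```python
"""Triage helpers for DetectLM-style command logs (illustrative, not the project's code)."""
from collections import Counter
from typing import Dict, List

# Constructed sample of indexed command-log records. Field names are an
# assumption for this example; the page only names "AlertLevel" and an
# "ignore flag". The alert_level values stand in for the classifier output.
SAMPLE_RECORDS: List[Dict] = [
    {"host": "WS01", "user": "alice", "command": "dir C:\\Users", "alert_level": 0, "ignore": False},
    {"host": "WS01", "user": "alice", "command": "ipconfig /all", "alert_level": 1, "ignore": False},
    {"host": "WS02", "user": "bob", "command": "net view", "alert_level": 2, "ignore": False},
    {"host": "WS02", "user": "bob", "command": "systeminfo", "alert_level": 2, "ignore": True},
    {"host": "WS03", "user": "carol", "command": "tasklist /svc", "alert_level": 1, "ignore": False},
]

# The page states that AlertLevel 2 is the malicious class (three levels in total).
MALICIOUS_LEVEL = 2


def notifications(records: List[Dict]) -> List[Dict]:
    """Records that should produce a client notification: classified at the
    malicious level and not marked ignore by the user."""
    return [
        r for r in records
        if r["alert_level"] == MALICIOUS_LEVEL and not r.get("ignore", False)
    ]


def level_summary(records: List[Dict]) -> Dict[int, int]:
    """Count records per alert level, the kind of breakdown a dashboard panel shows."""
    return dict(Counter(r["alert_level"] for r in records))


def set_ignore(records: List[Dict], host: str, command: str) -> List[Dict]:
    """Return a copy of the records with the ignore flag set on one specific
    command execution (the user's answer to the client tool's prompt).
    Matching is exact on host and command string; nothing else is touched."""
    out = []
    for r in records:
        r = dict(r)  # copy so the caller's list is not mutated
        if r["host"] == host and r["command"] == command:
            r["ignore"] = True
        out.append(r)
    return out


def build_query(min_level: int = MALICIOUS_LEVEL) -> Dict:
    """Elasticsearch query DSL that selects un-ignored records at or above
    `min_level`. Field names are the example's assumption (see above)."""
    return {
        "query": {
            "bool": {
                "must": [{"range": {"alert_level": {"gte": min_level}}}],
                "must_not": [{"term": {"ignore": True}}],
            }
        },
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def format_notification(record: Dict) -> str:
    """One-line message for the client notification."""
    return (f"[AlertLevel {record['alert_level']}] {record['host']} "
            f"{record['user']}: {record['command']}")


if __name__ == "__main__":
    print("per-level counts:", level_summary(SAMPLE_RECORDS))
    for rec in notifications(SAMPLE_RECORDS):
        print(format_notification(rec))
```

`build_query` is what a periodic poller (such as the cron entry above) could post to the `_search` endpoint instead of filtering client-side; the two functions encode the same rule so the numbers shown in Kibana and the notifications sent to the client agree.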