
Create Windows lateral movement analyzer

Open roshanmaskey opened this issue 3 years ago • 1 comment

The Windows operating system generates several Windows event logs related to remote authentication and RDP. RDP activities also result in Windows registry entries, files, and process creation.

Create an analyzer that tags the events related to lateral movement and provides a table of lateral movement artifacts in chronological order.

roshanmaskey avatar Sep 30 '21 00:09 roshanmaskey
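As an added, stand-alone sketch of the tagging and ordering the issue asks for (not Timesketch code, and not its analyzer interface), the snippet below takes Windows events as plain dicts with assumed field names (`channel`, `event_id`, `logon_type`, `source_ip`, `timestamp`), tags the ones tied to remote logons, RDP sessions and remote service installs, and returns the tagged events in chronological order over a constructed sample:

```python
"""Tag Windows events that point to lateral movement and list them chronologically."""
from datetime import datetime

RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
# (channel, event id) -> tag. Security 4624 is handled in code because its logon
# type decides whether it is remote (10 = RemoteInteractive, 3 = Network).
RULES = {
    ("Security", 4648): "explicit-credential-logon",
    (RCM, 1149): "rdp-auth-success",
    (LSM, 21): "rdp-session-logon",
    ("System", 7045): "remote-service-install",
}
LOCAL = {None, "-", "127.0.0.1", "::1"}

def tag_event(event):
    """Return the tags for one event dict; an empty list if it is unrelated."""
    key = (event.get("channel"), event.get("event_id"))
    tags = []
    if key == ("Security", 4624):
        if event.get("logon_type") == 10:
            tags.append("rdp-logon")
        elif event.get("logon_type") == 3 and event.get("source_ip") not in LOCAL:
            tags.append("network-logon")
    elif key in RULES:
        tags.append(RULES[key])
    if tags:
        tags.append("lateral-movement")
    return tags

def lateral_movement_table(events):
    """Tag matching events in place and return them ordered by timestamp."""
    rows = []
    for ev in events:
        tags = tag_event(ev)
        if tags:
            ev["tags"] = sorted(set(ev.get("tags", [])) | set(tags))
            rows.append(ev)
    return sorted(rows, key=lambda e: datetime.fromisoformat(e["timestamp"]))

# Constructed sample events (not real logs; field names are assumed), deliberately out of time order.
SAMPLE_EVENTS = [
    {"timestamp": "2021-09-30T10:05:00", "channel": "Security", "event_id": 4624, "logon_type": 2, "source_ip": "-"},
    {"timestamp": "2021-09-30T10:03:30", "channel": RCM, "event_id": 1149, "source_ip": "10.0.0.5"},
    {"timestamp": "2021-09-30T10:03:31", "channel": "Security", "event_id": 4624, "logon_type": 10, "source_ip": "10.0.0.5"},
    {"timestamp": "2021-09-30T10:04:00", "channel": "System", "event_id": 7045, "service": "example-svc"},
]
if __name__ == "__main__":
    for row in lateral_movement_table(SAMPLE_EVENTS):
        print(row["timestamp"], row["event_id"], ",".join(row["tags"]))
```

The local console logon (type 2) is left untagged, while the RDP authentication, the RemoteInteractive logon and the service install come out in time order with a shared `lateral-movement` tag.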

Sounds good! Some prior work on this:

The basic login analyzer https://github.com/google/timesketch/blob/master/timesketch/lib/analyzers/login.py

A graph for win logins https://github.com/google/timesketch/blob/master/timesketch/lib/graphs/win_logins.py

[Screenshot attached: 2021-10-13]

berggren avatar Oct 13 '21 20:10 berggren