Network Telemetry and Lateral Movement

Detect lateral movement and network-based threats using flow data, IDS, and protocol logs.

Last updated: February 2026

Purpose and Scope

Network telemetry provides visibility into traffic patterns, protocol usage, and communication between systems. This playbook covers using network data to detect lateral movement, C2 communications, and other threats visible on the network.

Prerequisites

  • Network data sources: NetFlow/IPFIX, Zeek logs, firewall logs, IDS/IPS alerts
  • SIEM integration: Network telemetry flowing into your analysis platform
  • Network baseline: Understanding of normal traffic patterns and authorized services
  • Asset inventory: Knowledge of which systems should communicate with which services

Detection Goals

Network monitoring helps detect:

  • Lateral movement between internal systems
  • Command and control (C2) beaconing patterns
  • Data exfiltration over the network
  • Unauthorized service usage and protocol abuse
  • Internal reconnaissance and scanning

Key Data Sources

NetFlow/IPFIX

Flow data provides connection-level metadata:

  • Source and destination IP addresses and ports
  • Bytes and packets transferred
  • Connection duration and timing
  • Protocol and TCP flags

Zeek (formerly Bro) Logs

Zeek provides protocol-level visibility:

  • conn.log: Connection summaries with bytes, duration, state
  • dns.log: DNS queries and responses
  • http.log: HTTP requests with URIs, user agents, referrers
  • ssl.log: TLS connection details and certificates
  • files.log: Files transferred over monitored protocols
  • smb_mapping.log: SMB share access
  • kerberos.log: Kerberos authentication

IDS/IPS Alerts

Signature-based detection from Suricata, Snort, or similar:

  • Known malware and exploit signatures
  • Protocol anomalies and policy violations
  • Emerging threat rules from community feeds

Detecting Lateral Movement

SMB Lateral Movement

SMB is commonly used for lateral movement. Monitor for:

  • Workstation to workstation SMB connections (rare in most environments)
  • SMB to administrative shares (C$, ADMIN$, IPC$)
  • New SMB connections from recently compromised hosts
  • SMB from nonstandard source ports

In Zeek, use smb_mapping.log to see accessed shares and files.
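The checks above, as an added example that is not part of this playbook: a Python detection that reads Zeek smb_mapping.log records and flags workstation-to-workstation SMB and administrative share access. The workstation subnets, the log sample, and the share list are constructed assumptions; take the real values from your asset inventory.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of Zeek smb_mapping.log (TSV, abbreviated to the relevant fields).
SMB_MAPPING_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tpath\tshare_type
1700000000.1\tC1\t10.10.20.15\t49200\t10.10.10.5\t445\t\\\\FS01\\Finance\tDISK
1700000001.2\tC2\t10.10.20.15\t49211\t10.10.20.31\t445\t\\\\WS-031\\ADMIN$\tDISK
1700000002.3\tC3\t10.10.20.15\t49215\t10.10.20.32\t445\t\\\\WS-032\\C$\tDISK
1700000003.4\tC4\t10.10.30.7\t50100\t10.10.10.5\t445\t\\\\FS01\\IPC$\tPIPE
"""

# Assumed workstation VLANs for this example; populate from the asset inventory in practice.
WORKSTATION_NETS = [ip_network("10.10.20.0/24"), ip_network("10.10.30.0/24")]
# IPC$ is touched by many legitimate clients, so weight it lower than C$/ADMIN$ when scoring.
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

def parse_zeek_tsv(text):
    """Parse a Zeek TSV log with a header row into a list of dicts (comment lines skipped)."""
    rows = [line for line in text.splitlines() if line and not line.startswith("#")]
    header = rows[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in rows[1:]]

def is_workstation(ip):
    addr = ip_address(ip)
    return any(addr in net for net in WORKSTATION_NETS)

def share_name(path):
    # \\HOST\Share -> SHARE (upper-cased so C$ and c$ compare equal)
    return path.rstrip("\\").split("\\")[-1].upper()

def find_smb_lateral_movement(log_text):
    """Return (uid, src, dst, share, reasons) for each mapping that matches a detection rule."""
    findings = []
    for rec in parse_zeek_tsv(log_text):
        src, dst, share = rec["id.orig_h"], rec["id.resp_h"], share_name(rec["path"])
        reasons = []
        if is_workstation(src) and is_workstation(dst):
            reasons.append("workstation-to-workstation SMB")
        if share in ADMIN_SHARES:
            reasons.append(f"admin share {share}")
        if reasons:
            findings.append((rec["uid"], src, dst, share, reasons))
    return findings

def fan_out(findings):
    """Distinct destinations per source host: one source touching many peers is the strongest signal."""
    peers = {}
    for _, src, dst, _, _ in findings:
        peers.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}
```

Pivoting on the fan-out count per source host separates a single admin mapping a share from a host sweeping its neighbours.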

WMI and WinRM

Remote management protocols commonly abused for lateral movement:

  • WMI over DCOM (TCP 135, then dynamic high ports)
  • WinRM (TCP 5985/5986)
  • Monitor for connections on these ports from systems that are not designated administrative hosts

RDP Lateral Movement

Remote Desktop connections between internal systems:

  • RDP (TCP 3389) between workstations
  • RDP from unusual source hosts
  • RDP at unusual times

Pass-the-Hash and Kerberos Attacks

Use Zeek kerberos.log or Windows event logs to detect:

  • Kerberos ticket requests from unusual hosts
  • TGS requests for sensitive services
  • Encryption downgrade attacks

Detecting C2 Communications

Beaconing Detection

C2 channels often exhibit regular callback patterns:

  • Connections at consistent intervals (with slight jitter)
  • Small, consistent payload sizes
  • Long connection durations with periodic activity

Use statistical analysis to identify regular timing patterns in outbound connections.
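One way to do that timing analysis, as an added example rather than code from this playbook: group Zeek conn.log records by (source, destination, port), compute the inter-arrival times, and flag pairs whose intervals barely vary. The records and the thresholds below are constructed assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample of Zeek conn.log fields: (ts, id.orig_h, id.resp_h, id.resp_p, orig_bytes).
CONN_RECORDS = [
    # 10.10.20.15 calls back roughly every 60 s with small jitter and near-constant request size
    (1700000000.0, "10.10.20.15", "203.0.113.10", 443, 512),
    (1700000061.5, "10.10.20.15", "203.0.113.10", 443, 514),
    (1700000119.8, "10.10.20.15", "203.0.113.10", 443, 512),
    (1700000181.2, "10.10.20.15", "203.0.113.10", 443, 513),
    (1700000240.0, "10.10.20.15", "203.0.113.10", 443, 512),
    (1700000302.7, "10.10.20.15", "203.0.113.10", 443, 515),
    (1700000359.9, "10.10.20.15", "203.0.113.10", 443, 512),
    (1700000420.4, "10.10.20.15", "203.0.113.10", 443, 512),
    # 10.10.20.40 browses another site in irregular bursts with varying sizes
    (1700000000.0, "10.10.20.40", "198.51.100.7", 443, 1800),
    (1700000005.0, "10.10.20.40", "198.51.100.7", 443, 950),
    (1700000006.0, "10.10.20.40", "198.51.100.7", 443, 4100),
    (1700000090.0, "10.10.20.40", "198.51.100.7", 443, 620),
    (1700000095.0, "10.10.20.40", "198.51.100.7", 443, 7300),
    (1700000400.0, "10.10.20.40", "198.51.100.7", 443, 880),
    (1700001300.0, "10.10.20.40", "198.51.100.7", 443, 2200),
]

def beacon_candidates(records, min_conns=6, max_interval_cv=0.15):
    """Score each (src, dst, port) by how regular its connection timing is.

    Returns (src, dst, port, count, median_interval_s, interval_cv, size_cv) for pairs whose
    inter-arrival times vary by no more than max_interval_cv (coefficient of variation).
    The thresholds are assumed starting points; tune them against your own baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, orig_bytes in records:
        by_pair[(src, dst, port)].append((ts, orig_bytes))
    results = []
    for (src, dst, port), conns in by_pair.items():
        if len(conns) < min_conns:
            continue  # too few samples to judge periodicity
        conns.sort()
        gaps = [later[0] - earlier[0] for earlier, later in zip(conns, conns[1:])]
        sizes = [size for _, size in conns]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # duplicate timestamps; nothing to measure
        interval_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv:
            results.append((src, dst, port, len(conns), statistics.median(gaps),
                            round(interval_cv, 3), round(size_cv, 3)))
    return results
```

A low size_cv alongside a low interval_cv strengthens the case; software update checks also beacon on a schedule, so allow-list known destinations before alerting.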

DNS-Based C2

Monitor DNS for C2 indicators:

  • High volume of DNS queries to a single domain
  • Long or random-looking subdomain queries (DNS tunneling)
  • TXT record queries with encoded data
  • Queries to newly registered domains
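The tunneling and TXT indicators above as an added example (not code from this playbook): per registered domain, count unique subdomains and measure their length and Shannon entropy over Zeek dns.log queries. The query sample, the .example names, and the thresholds are constructed assumptions.

```python
import math
import statistics
from collections import Counter, defaultdict

# Constructed sample of Zeek dns.log fields: (query, qtype_name). The .example TLD is reserved.
DNS_QUERIES = [
    ("www.example.com", "A"), ("mail.example.com", "A"), ("www.example.com", "AAAA"),
    ("login.microsoftonline.com", "A"),
    ("a7k2q9x4mz1pl8vc3ne6tr0sy5wd2ub9fg4hj7io.t1.tunnel.example", "TXT"),
    ("q3zv8bm1ck6xn0rt5yh2pe9ws4ld7ga1fj0uo6ia.t1.tunnel.example", "TXT"),
    ("m5nd2xw9ra4kt7yc0pf3hb6ve1qz8lo5gj2su7ie.t1.tunnel.example", "TXT"),
    ("z8ty1gc4oq7fh3lx0nv6bk2wm9sd5ru1pa4ej8io.t1.tunnel.example", "TXT"),
    ("h2rx6kd9wq1cv4mt8nb0zl5yf3pg7sa2ue9jo6ia.t1.tunnel.example", "TXT"),
]

def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher than words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname):
    """Return (registered_domain, subdomain_labels_joined).

    Simplification: the registered domain is taken as the last two labels. Production code
    should use the public suffix list so that names such as host.co.uk group correctly.
    """
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), "".join(labels[:-2])

def dns_tunnel_candidates(queries, min_unique=4, min_len=25, min_entropy=3.0):
    """Flag domains queried with many long, high-entropy, unique subdomains.

    Returns (domain, unique_subdomains, avg_len, avg_entropy, txt_share). Thresholds are
    assumed starting points; CDNs also use long hostnames, so allow-list known services.
    """
    by_domain = defaultdict(list)
    for qname, qtype in queries:
        domain, sub = split_name(qname)
        by_domain[domain].append((sub, qtype))
    findings = []
    for domain, items in by_domain.items():
        subs = {sub for sub, _ in items if sub}
        if len(subs) < min_unique:
            continue  # a handful of hostnames is normal; tunnels churn through many
        avg_len = statistics.mean(len(s) for s in subs)
        avg_entropy = statistics.mean(shannon_entropy(s) for s in subs)
        txt_share = sum(1 for _, qtype in items if qtype == "TXT") / len(items)
        if avg_len >= min_len and avg_entropy >= min_entropy:
            findings.append((domain, len(subs), round(avg_len, 1), round(avg_entropy, 2), round(txt_share, 2)))
    return findings
```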

HTTP/HTTPS C2

In Zeek http.log, look for:

  • Periodic requests to the same URI
  • Unusual user agent strings
  • POST requests with encoded or encrypted bodies
  • Connections to IP addresses instead of domain names

Detecting Data Exfiltration

  • Large outbound data transfers to unusual destinations
  • Connections to cloud storage or file sharing services
  • DNS tunneling with large response sizes
  • Encrypted connections to nonstandard ports
  • Data transfer outside business hours

Investigation Workflow

  1. Identify suspicious connection or alert
  2. Pivot to related connections from the same host
  3. Correlate with endpoint telemetry (process, user)
  4. Check destination reputation and threat intelligence
  5. Review historical patterns for the source and destination
  6. Determine scope: how many hosts are affected?

Response Actions

  • Block at firewall: Deny traffic to confirmed malicious destinations
  • Isolate affected hosts: Quarantine systems showing lateral movement
  • Update IDS signatures: Add rules for observed malicious patterns
  • Sinkhole domains: Redirect malicious DNS to internal servers
  • Coordinate with IR: Escalate confirmed compromises
