The technology add-on (TA) "TA-latmov" was designed based on SANS' 2018 Hunt Evil poster.
That poster focuses on lateral movement, catalogued by the forensic evidence left on the source and destination endpoints after the action has occurred. Based on this, I created a series of Windows-based inputs that capture the state of those artifacts for threat hunting and evidence preservation.
Deploy the entire TA to the Windows universal forwarder, on which Splunk_TA_Windows is already installed.
Enable the inputs and configure their intervals based on what makes sense for your environment. If they are not tuned correctly, they will generate a ton of noise.
Deploy the entire TA to the search head and indexer tiers (heavy forwarders, indexers) for index-time and search-time operations.
All credit for compiling the list of indicators goes to SANS: Rob Lee and Mike Pilkington. I just Splunkified it.
I am looking for additional volunteers to take this to the next level.
Use this at your own risk; it is a proof of concept.
Lastly, this was created on my own and is not supported or endorsed by my employer.