Threat Hunting

Proactively search for threats in your environment

Hunt Sessions
  • Lateral Movement Detection (started 2024-12-13 09:00; queries: 8; findings: 3)
  • Unusual PowerShell Activity (started 2024-12-13 07:30; queries: 12; findings: 7)
  • C2 Beaconing (completed 2024-12-12; queries: 15; findings: 2)
  • Credential Dumping (completed 2024-12-11; queries: 10; findings: 5)
  • Data Staging (archived 2024-12-10; queries: 6; findings: 0)
Hunt Hypothesis

Current Hypothesis:

Adversary is using WMI for lateral movement across domain-joined systems, potentially leveraging compromised admin credentials to execute remote commands.

Query Results (142 results in 1.23 s)

Timestamp           | Computer       | User      | Process      | Command Line                                                  | Count
2024-12-13 10:45:22 | WKS-CLIENT-042 | admin_svc | wmiprvse.exe | wmic process call create "powershell.exe -enc ..."            | 12
2024-12-13 10:43:15 | WKS-CLIENT-038 | admin_svc | wmiprvse.exe | wmic /node:192.168.1.50 process call create ...               | 8
2024-12-13 10:41:03 | WKS-CLIENT-015 | system    | wmiprvse.exe | C:\Windows\System32\wbem\wmiprvse.exe                         | 6
2024-12-13 10:38:47 | WKS-CLIENT-042 | admin_svc | wmiprvse.exe | invoke-wmimethod -computername ... -class Win32_Process       | 15
2024-12-13 10:35:12 | SRV-WEB-01     | admin_svc | wmiprvse.exe | wmic process call create "cmd.exe /c lateral_move.bat"        | 9
Query Templates
  • Suspicious PowerShell: encoded commands
  • Lateral Movement: WMI, PsExec, RDP
  • Credential Dumping: LSASS access
  • C2 Beaconing: periodic connections
  • Privilege Escalation: token manipulation
  • Data Exfiltration: large outbound transfers
  • Persistence: registry, services, scheduled tasks
  • Unusual File Access: sensitive directories
Findings (3)
  • Compromised Admin Account [Critical]: user admin_svc; lateral movement to 8 systems
  • Encoded PowerShell [High]: Base64-encoded commands; 42 instances detected
  • Unusual WMI Activity [High]: remote process creation; 15+ executions in 1 hour
Hunt Notes & Analysis

IOCs Identified:
  • User account: admin_svc (compromised)
  • IP addresses: 192.168.1.42, 192.168.1.50, 192.168.1.105
  • File hash: d41d8cd98f00b204e9800998ecf8427e
  • Command: "powershell.exe -enc SGVsbG8gV29ybGQ="
Analysis Summary:

Identified a lateral movement pattern that uses WMI for remote command execution. The compromised account "admin_svc" was used to execute encoded PowerShell commands on 8 different systems. The pattern suggests automated tooling, possibly Cobalt Strike or a similar C2 framework.

Next Steps:
  • Create incident case for compromised admin_svc account
  • Isolate affected systems: WKS-CLIENT-042, WKS-CLIENT-038, SRV-WEB-01
  • Reset credentials for admin_svc and related service accounts
  • Deploy detection rule for WMI lateral movement pattern
  • Conduct memory forensics on affected endpoints
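A worked example of the detection rule proposed in the next steps, added here and not part of the hunt platform's own tooling: it replays constructed events modelled on the query results above, extracts the target host from wmic /node and Invoke-WmiMethod -ComputerName, decodes -enc payloads, and flags any account that creates processes via WMI on three or more distinct hosts inside a one-hour window. The sample events, host names and thresholds are assumptions.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (timestamp, computer, user, command line) modelled on the hunt's results; not real telemetry.
EVENTS = [
    ("2024-12-13 10:45:22", "WKS-CLIENT-042", "admin_svc", 'wmic /node:192.168.1.105 process call create "powershell.exe -enc SGVsbG8gV29ybGQ="'),
    ("2024-12-13 10:43:15", "WKS-CLIENT-038", "admin_svc", "wmic /node:192.168.1.50 process call create cmd.exe"),
    ("2024-12-13 10:38:47", "WKS-CLIENT-042", "admin_svc", "invoke-wmimethod -computername SRV-DB-02 -class Win32_Process -name Create"),
    ("2024-12-13 10:35:12", "SRV-WEB-01", "admin_svc", 'wmic process call create "cmd.exe /c lateral_move.bat"'),
    ("2024-12-13 09:10:00", "WKS-CLIENT-007", "jdoe", "wmic /node:FILESRV-01 os get caption"),  # remote query, not process creation
]
WMIC_CREATE_RE = re.compile(r"\bwmic\b.*\bprocess\s+call\s+create\b", re.I)
NODE_RE = re.compile(r'/node:"?([\w.\-]+)', re.I)
IWM_RE = re.compile(r"\binvoke-wmimethod\b.*\bwin32_process\b", re.I)
COMPUTERNAME_RE = re.compile(r'-computername\s+"?([\w.\-]+)', re.I)
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
def wmi_process_target(computer, cmdline):
    """Target host of a WMI process creation (local host if no /node or -ComputerName); None if not one."""
    for create_re, host_re in ((WMIC_CREATE_RE, NODE_RE), (IWM_RE, COMPUTERNAME_RE)):
        if create_re.search(cmdline):
            m = host_re.search(cmdline)
            return m.group(1) if m else computer
    return None
def decode_encoded_command(cmdline):
    """Decode a PowerShell -enc payload, or return None if the command line carries none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    raw = base64.b64decode(m.group(1))
    try:
        return raw.decode("utf-16-le")  # what PowerShell itself expects
    except UnicodeDecodeError:  # odd byte count: some tools encode plain ASCII instead
        return raw.decode("utf-8", errors="replace")
def hunt_wmi_lateral_movement(events, window=timedelta(hours=1), min_targets=3):
    """Map user -> sorted hosts for users that created processes via WMI on >= min_targets hosts within any window."""
    per_user = defaultdict(list)
    for ts, computer, user, cmdline in events:
        target = wmi_process_target(computer, cmdline)
        if target:
            per_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), target))
    hits = {}
    for user, rows in per_user.items():
        rows.sort()  # chronological; slide the window forward from each event
        for i, (start, _) in enumerate(rows):
            targets = {t for ts, t in rows[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[user] = sorted(targets)
                break
    return hits
```

Local wmic process call create (no /node) is counted against the executing host, so a single account fanning out from several workstations still crosses the threshold; raise min_targets for accounts whose job legitimately touches many hosts.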