Detecting Lateral Movement with Machine Learning.
DetectLM is a proof of concept code to analyze and detect malicious commands executed via cmd.exe with machine learning.

• DetectLM.py: Runs on server. Detect malicious Windows command execution using machine learning and blacklist.
• Invoke-DetectLM.ps1: Runs on client. Sends the logs to the Elasticsearch. Confirm analysis result and display alert message.
• cmdlogs.bat: Collect commands executed via cmd.exe.

Each tools require the following modules:

• Python3
• NumPy http://www.numpy.org/
• Pandas http://pandas.pydata.org/

• PowerShell v3 or later

• Windows 8.1
• Windows 10

1. Download and install Elasticsearch.
2. Download and install Kibana.
3. Start Elasticsearch and Kibana.
4. Download and save the DetectLM from Github.

git clone https://github.com/JPCERTCC/DetectLM.git

5. And your Elasticsearch IP Address to DetectLM/server/config/config.ini.

els_server      = localhost

6. And mapping in Elasticsearch.

$ python DetectLM.py -m

7. Create cron jobs for DetectLM.py.
   For example

*/15 * * * * python3.6 [Folder Name]/DetectLM.py

1. Download client/cmdlogs.bat and client/Invoke-DetectLM.ps1.
2. Register cmdlogs.bat in the registry entry that starts automatically when the cmd.exe is executed.

> reg add "HKEY_CURRENT_USER\Software\Microsoft\Command Processor" /v AutoRun /d [Downloaded Folder Name]\cmdlogs.bat

or

> reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor" /v AutoRun /d [Downloaded Folder Name]\cmdlogs.bat

3. Create a scheduled task for Invoke-DetectLM.ps1.

> powershell -exec bypass .\Invoke-DetectLM.ps1 -ehost [Elasticsearch Server]

Executed command logs can be checked from Kibana.
AlertLevel 2 is the malicious commands.

The log has three levels of detection level

• 2 : Error log reported by user
• 1 : Logs detected as malicious by machine learning
• 0 : No Alert (Default)

Ignore flag is automatically added to any command executed by the user.
When malicious Windows command execution is detected by machine learning, a notification will be sent to the client.
A user also can set a ignore flag to specific command execution when asked by client tool.

Using Kibana dashboard, logs are visualized.
Example of dashboard is in kibana_objects. Import is [Management -> Saved Objects -> Import]

• This tool supports Windows commands executed via cmd.exe. Any command via PowerShell are not logged nor monitored.
• Client tool has an issue when handling command line includes "/c" or "/k".