Skip to main content

Finding Lateral Movement of Adversaries Through the Noise of Systems Administration

This paper aims to delve into the intricacies of distinguishing between routine administrative actions and potential security threats, focusing on standard lateral movement techniques.

Download file

SANS_Finding_Adversaries_Through_the_Noise_of_Systems_Administration (PDF, 1.90MB)

14 Aug 2024
ByBrian Almond
Share
All papers are copyrighted

No re-posting of papers is permitted

Related Content

USB: Universal Security Breach or Uniquely Secured Bus? Assessing the Effectiveness of Windows 11 Group Policy at Controlling USB Device Installation for Budget-Constrained Security Teams

Research Paper

This study evaluates three progressively granular Windows 11 Group Policy (GPO) configurations—class-based blocking, VID/PID allowlisting, and Device Instance ID allowlisting—against legitimate business peripherals and a Hak5 USB Rubber Ducky configured as a composite BadUSB device, using the Windows 11 v25H2 Security Baseline as the unmodified reference state.

  • 22 Jun 2026
  • Kire Jacobson

Investigating Operating System Variations in IPv6 Implementations

Research Paper

This research tested the four most common operating system families, Windows, Linux, macOS, and BSD, for RFC compliance and behavioral differences across a controlled set of IPv6 test cases. Because RFC specifications leave many implementation details to the developer, behavior was expected to diverge, and the testing confirmed that it did.

  • 22 Jun 2026
  • Donovan Rodriguez

macOS Infostealer Exfiltration Techniques via Native Tooling: Behavioral Analysis and Defenses

Research Paper

This paper analyzes macOS infostealers and their reliance on native system utilities. The use of specific command-line options and arguments should be predictable and detectable with proper analysis.

  • 22 Jun 2026
  • Cory Findley

Detection Strategies for AskCreds Beacon Object File Credential Harvesting Across Multiple C2 Frameworks

Research Paper

This study evaluates layered detection strategies against AskCreds BOF execution in an isolated Azure lab using Cobalt Strike 4.12 and Outflank C2 v2.11.1, with Velociraptor as the primary DFIR platform.

  • 22 Jun 2026
  • Eric Fletcher

Capturing the Click: Process-Based Detection of Malicious Link Interactions

Research Paper

This research validates the browser command-line flags used by Chrome, Edge, and Firefox as parameters in process-creation events, capturing both the clicked URL and the parent application, document, or script that delivered it.

  • 22 Jun 2026
  • Daniel Gott

Know Your Blind Spots: Better Visibility Through EDR Policy Hardening

Research Paper

Endpoint Detection and Response (EDR) tools identify, detect, and respond to anomalous behavior.

  • 9 Jun 2026
  • Joshuah Williams

Risk-Adaptive Data Loss Prevention: Behavioral Intelligence with DLP

Research Paper

Risk-Adaptive Data Loss Prevention: Behavioral Intelligence with DLP

  • 4 Jun 2026
  • Matt Bromiley

Bridging the Gap Between Threat Intelligence and Business Risk

Research Paper

The importance of the threat intelligence function has grown significantly over the years to become a cornerstone of any cybersecurity group.

  • 29 May 2026
  • Kevin Garvey

2026 SANS Cyber Threat Intelligence (CTI) Survey Insights

Research Paper

Every year, the SANS CTI Survey gets sharper. This year, it takes a step the field has needed for a while. For the first time, the 2026 survey includes a dedicated module for security executives, capturing responses from 67 CISOs and CSOs.

  • 15 May 2026
  • Rebekah Brown, Andreas Sfakianakis

Applying CIS Controls to AI Workflows

Research Paper

This research provides guidance on using the CIS Controls in conjunction with AI-specific frameworks to build a robust information security program.

  • 12 May 2026
  • Brian Ventura

A Forensic Study of Artifact Persistence in Containerd-Based Kubernetes Workloads

Research Paper

A container is a standard unit of software that packages code, including its dependencies, so the application runs quickly and reliably across computing environments.

  • 12 May 2026
  • Ahmed Alharbi

Untested: An Overlooked Link in the Software Supply Chain

Research Paper

This research explores test code as an attack surface and takes a first step toward creating a tool to help analysts detect and mitigate malware lurking in test libraries.

  • 16 Apr 2026
  • Evan Ottinger

Cyber Risk Intelligence and Security Posture (CRISP): From Compliance to Threat-Informed Intelligence

Research Paper

This paper presents CRISP (Cyber Risk Intelligence & Security Posture), a platform that automates the transformation of STIG compliance data into threat-informed security intelligence.

  • 7 Apr 2026
  • Eric Kaden

Implementing Micro-Segmentation in a Legacy Enterprise Lab Network: A Zero Trust Approach to Reducing Lateral Movement, Improving Containment, and Controlling Operational Overhead

Research Paper

This study evaluates micro-segmentation as a practical Zero Trust control in a Windows Active Directory lab that models common legacy dependencies (directory services, file services, a web tier, and a database tier).

  • 24 Mar 2026
  • Dennis Ankrah

Assessing the Impact of Memory Acquisition on Key Windows Artifacts

Research Paper

This research evaluates the impact of memory capture tools on data at rest, aiming to understand the degree of change that occurs to artifacts, measure differences based on tool selection, and inform best practices for live responders.

  • 20 Mar 2026
  • Russell Devine

Enhancing Linux Threat Detection: A Sysmon - Based Approach to Identifying Sandworm TTPs

Research Paper

Linux systems have become foundational across modern IT enterprises. Threat actors are increasingly targeting Linux systems, including well - known advanced persistent threats (APTs) such as Sandworm.

  • 20 Mar 2026
  • Joshua Keller

Open-Source National Security Infrastructure for Sweden’s National Security Apparatus

Research Paper

This paper investigates whether core IT infrastructure implemented using open-source software and infrastructure-as-code techniques can achieve compliance with selected information security requirements defined in Chapter 4 of PMFS 2022:1.

  • 18 Mar 2026
  • Fredrik Bolinder

Configuring Windows 11 Workgroup Computers to CIS Windows 11 L1 and BitLocker Baseline Recommendations Using PowerShell DSC

Research Paper

Endpoints are often the first points of cyberattacks. Enterprises would often try to harden them according to established security baselines, such as those published by the Center for Internet Security (CIS).

  • 24 Feb 2026
  • Tan Gui De

From Ambiguity to Action: A Forensic Framework for Differentiating ClickFix Payloads

Research Paper

The "ClickFix" social engineering technique, which leverages fake CAPTCHA or browser update lures to trick users into executing a malicious PowerShell script, presents a critical challenge for incident responders.

  • 24 Feb 2026
  • James Chisolm-Williams

Digital Forensics and Incident Response in the Cloud: Addressing GCP Challenges

Research Paper

Many digital forensics and incident response (DFIR) practitioners, as well as aspiring cybersecurity analysts, often gravitate towards AWS and Azure as their first forays into cloud security.

  • 16 Jan 2026
  • Mark Nakamura