
Add windows.lateralmove plugin - lateral movement detection #1986

Open
cybernerdphil wants to merge 1 commit into volatilityfoundation:develop from cybernerdphil:feature/windows/-lateralmove


Conversation

@cybernerdphil

Summary

Adds a new plugin windows.lateralmove that detects lateral movement
indicators in Windows memory images across three detection modules.

Detection modules

Module 1 — Suspicious parent-child process relationships
Flags known lateral movement execution chains including:

  • WMI execution (WmiPrvSE.exe spawning any child)
  • PsExec / remote service creation (services.exe spawning shells)
  • DCOM execution (dllhost.exe, mmc.exe spawning shells)
  • Scheduled task abuse (taskeng.exe, svchost.exe spawning shells)
  • Proxy/tunnel tools spawned by browsers (e.g. firefox.exe → tor.exe)

Parent-child combos are hardcoded by default but can be overridden
via a user-supplied JSON config file (--lateralmove.config-file).

Module 2 — Suspicious network connections
Flags processes with connections on lateral movement ports:

  • SMB (445, 139), RPC/DCOM (135), WinRM (5985, 5986)
  • lsass.exe with any outbound connection
  • Non-browser processes connecting on HTTP/S (80, 443)

Module 3 — Token and session anomalies
Flags session ID mismatches where:

  • Parent is not a known session-bridging process
  • Child is a shell or script interpreter
    This avoids the normal session 0 → session 1/2 pattern seen with
    svchost, services, smss and other legitimate Windows components.

Real-world validation

Tested against a Windows memory image (ADF-1_memdump.mem).
Plugin correctly identified tor.exe (PID 5440) spawned by firefox.exe
(PID 7040) with zero false positives after session bridge filtering.

Output columns

PID | PPID | Process | Parent | CmdLine | Technique | MITRE

API compatibility

Verified against Volatility 2.27.0:

  • pslist.PsList._version = (3, 0, 1)
  • netscan.NetScan._version = (2, 0, 0)
  • Correct use of kernel_module_name parameter throughout
  • Uses NetScan.create_netscan_symbol_table() + NetScan.scan()

Tests

40 unit tests covering all three detection modules, session bridge
logic, config loading, and edge cases.

Run with:
python -m unittest volatility3.plugins.windows.test_lateralmove -v

Usage

python vol.py -f memory.dmp windows.lateralmove

# With custom parent-child combos
python vol.py -f memory.dmp windows.lateralmove \
    --lateralmove.config-file custom_combos.json

Custom config format:
{
"winword
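The parent-child and session-mismatch checks described in the PR, modelled as an added standalone example. This is not the plugin's code and does not use the Volatility 3 API: process records are constructed dicts standing in for pslist output, the rule table, the session-bridge list, the MITRE mapping and the "user JSON replaces the defaults" config semantics are all this example's assumptions, and the constructed process tree reuses the firefox.exe (7040) / tor.exe (5440) pair from the PR's validation note.

```python
"""Model of lateralmove Modules 1 and 3 over constructed process records.

Added example, not the plugin's source. Rule table, bridge list and MITRE
mapping are assumptions chosen to illustrate the PR description.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str       # image name, matched case-insensitively
    session: int    # Windows session ID
    cmdline: str = ""

# Shells and script interpreters whose appearance as a child is suspicious.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Processes that legitimately spawn children in another session (assumed list);
# this is what keeps the normal session 0 -> 1/2 pattern out of Module 3.
SESSION_BRIDGES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "svchost.exe"}

# Default parent -> child combos. "*" means any child. MITRE IDs are this
# example's mapping, not a claim about the plugin's table.
DEFAULT_COMBOS: Dict[str, dict] = {
    "wmiprvse.exe": {"children": ["*"], "technique": "WMI execution", "mitre": "T1047"},
    "services.exe": {"children": sorted(SHELLS), "technique": "Remote service creation (PsExec-style)", "mitre": "T1569.002"},
    "dllhost.exe":  {"children": sorted(SHELLS), "technique": "DCOM execution", "mitre": "T1021.003"},
    "mmc.exe":      {"children": sorted(SHELLS), "technique": "DCOM execution", "mitre": "T1021.003"},
    "taskeng.exe":  {"children": sorted(SHELLS), "technique": "Scheduled task abuse", "mitre": "T1053.005"},
    "svchost.exe":  {"children": sorted(SHELLS), "technique": "Scheduled task abuse", "mitre": "T1053.005"},
    "firefox.exe":  {"children": ["tor.exe"], "technique": "Proxy/tunnel tool spawned by browser", "mitre": "T1090"},
}

def load_combos(config_json: Optional[str] = None) -> Dict[str, dict]:
    """Return the rule table. A user-supplied JSON document (parent -> rule)
    replaces the defaults entirely (assumed semantics for --lateralmove.config-file)."""
    if config_json is None:
        return DEFAULT_COMBOS
    combos: Dict[str, dict] = {}
    for parent, rule in json.loads(config_json).items():
        if not isinstance(rule, dict) or not isinstance(rule.get("children"), list):
            raise ValueError(f"rule for {parent!r} needs a 'children' list")
        combos[parent.lower()] = {
            "children": [c.lower() for c in rule["children"]],
            "technique": rule.get("technique", "User-defined parent-child combo"),
            "mitre": rule.get("mitre", ""),
        }
    return combos

def _row(child: Proc, parent: Proc, technique: str, mitre: str) -> dict:
    # Mirrors the PR's output columns: PID | PPID | Process | Parent | CmdLine | Technique | MITRE
    return {"PID": child.pid, "PPID": child.ppid, "Process": child.name, "Parent": parent.name,
            "CmdLine": child.cmdline, "Technique": technique, "MITRE": mitre}

def check_parent_child(procs: List[Proc], combos: Dict[str, dict]) -> List[dict]:
    """Module 1: flag children whose parent/child pair matches a rule."""
    by_pid = {p.pid: p for p in procs}
    rows = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        rule = combos.get(parent.name.lower()) if parent else None
        if rule and ("*" in rule["children"] or child.name.lower() in rule["children"]):
            rows.append(_row(child, parent, rule["technique"], rule["mitre"]))
    return rows

def check_session_mismatch(procs: List[Proc]) -> List[dict]:
    """Module 3: flag a shell/interpreter whose session differs from a parent
    that is not a known session bridge."""
    by_pid = {p.pid: p for p in procs}
    rows = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None or parent.session == child.session:
            continue
        if parent.name.lower() in SESSION_BRIDGES or child.name.lower() not in SHELLS:
            continue
        technique = f"Session mismatch ({parent.session} -> {child.session}) into shell"
        rows.append(_row(child, parent, technique, "T1021"))  # assumed mapping
    return rows

def run(procs: List[Proc], config_json: Optional[str] = None) -> List[dict]:
    return check_parent_child(procs, load_combos(config_json)) + check_session_mismatch(procs)

# Constructed process tree (not from a real image). Expected hits:
#   5440 tor.exe        Module 1 (firefox.exe -> tor.exe)
#   2100 cmd.exe        Module 1 (svchost.exe -> shell); Module 3 stays quiet, same session
#   3300 powershell.exe Module 3 (winword.exe is not a bridge, session 1 -> 2)
SAMPLE_PROCS = [
    Proc(4, 0, "System", 0),
    Proc(400, 4, "smss.exe", 0),
    Proc(520, 400, "csrss.exe", 1),          # bridge spawning cross-session: not flagged
    Proc(600, 400, "wininit.exe", 0),
    Proc(640, 400, "winlogon.exe", 1),
    Proc(700, 600, "services.exe", 0),
    Proc(900, 700, "svchost.exe", 0),
    Proc(1200, 640, "explorer.exe", 1),
    Proc(7040, 1200, "firefox.exe", 1, "firefox.exe"),
    Proc(5440, 7040, "tor.exe", 1, "tor.exe --SocksPort 9050"),
    Proc(3100, 1200, "winword.exe", 1, "WINWORD.EXE /n invoice.docm"),
    Proc(3300, 3100, "powershell.exe", 2, "powershell -nop -w hidden -enc ..."),
    Proc(2100, 900, "cmd.exe", 0, "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for row in run(SAMPLE_PROCS):
        print(" | ".join(str(row[k]) for k in ("PID", "PPID", "Process", "Parent", "CmdLine", "Technique", "MITRE")))
```

Running the module prints the three hits in the PR's column order. Supplying a JSON rule table as the second argument to `run` swaps out the default combos, so a config containing only a winword.exe rule stops the firefox/tor hit from Module 1 while Module 3 still reports the cross-session powershell.exe child; that independence between modules is what the PR's per-module layout buys.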

