GitHub - esecrpm/Get-LateralMovement: This script will accept the mounted drive or full path to an evidence source and process relevant forensic artifacts for evidence of lateral movement.

The Get-LateralMovement.ps1 script is based on the SANS Hunt Evil ("blue") poster and was created to process relevant event log, registry, and file system artifacts for evidence of lateral movement.

The script accepts a mounted drive or full path to an evidence source. This source can be a drive image mounted with Arsenal Image Mounter, a mounted VHDX file created by KAPE, or the local C: drive of the running system.

The output path must be supplied on the command line and the script uses Eric Zimmerman's Tools to create CSV output that can be parsed or reviewed for evidence of lateral movement. The path to the tools directory is specified by the $Tools variable in the script and must be changed to match the specific path on your analysis machine or USB device.

Name		Name	Last commit message	Last commit date
Latest commit History 8 Commits
EventLogs-LateralMovement.tkape		EventLogs-LateralMovement.tkape
Get-LateralMovement.ps1		Get-LateralMovement.ps1
Get-LateralMovement_AsJobs.ps1		Get-LateralMovement_AsJobs.ps1
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

About

Releases

Packages

Languages

esecrpm/Get-LateralMovement

Folders and files

Latest commit

History

Repository files navigation

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages