Silverfort Open Sources Lateral Movement Detection Tool

Silverfort has released the source code for its lateral movement detection tool LATMA, to help identify and analyze intrusions.

Identity protection provider Silverfort has announced the open source release of a lateral movement detection tool.

Called LATMA (Lateral Movement Analyzer), the tool was designed to collect authentication logs from domain and Active Directory (AD) environments and to deliver a report on the identified patterns.

The tool consists of two modules, namely a collector, which gathers logs from domain controllers and endpoints, and an analyzer, which outputs a report with diagrams, based on the collected logs.

LATMA, Silverfort says, has significantly improved its ability to detect lateral movement, providing a 95% accuracy in flagging suspicious behavior.

The tool’s collector module scans for NTLM authentication logs on domain controllers and for Kerberos authentication logs on endpoints, and harvests sign-in logs from Azure AD. To do so, it requires access to specific ports and the necessary permissions.

The analyzer module is fed the authentication data as a spreadsheet and starts searching for suspicious activity using a defined lateral movement algorithm.

LATMA, Silverfort explains, uses the collected information to build a graph representing the network, which depicts endpoints and authentication events. After analyzing the authentication patterns, it builds a sub-graph depicting the abnormal behavior, and generates alerts.

At first, LATMA monitors the normal behavior of users and machines so that, once the learning period has ended, it can differentiate between normal and suspicious behavior. No alerts are issued during this period.


The tool also generates indicators of compromise (IoCs) associated with the identified suspicious behavior, such as a user account that authenticates to multiple machines in a short period of time, or one that authenticates from one machine to the next in sequence.

“LATMA generates an alert when at least two of these patterns happen in sequence. For example, if the attacker searches for a target machine to advance to and then successfully advances to it, the algorithm generates an alert,” Silverfort explains.
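The learning period, the abnormal sub-graph and the two-patterns-in-sequence alert rule described above, as an added Python sketch (not LATMA's own code; the event layout, thresholds, user and host names are constructed assumptions):

```python
from collections import defaultdict

# Constructed sample events: (minute, user, source_host, dest_host). The column
# layout is an assumption; the page does not show LATMA's spreadsheet format.
EVENTS = [
    (10, "alice", "WS01", "FILESRV"),   # learning period: routine logons
    (20, "alice", "WS01", "FILESRV"),
    (30, "bob", "WS02", "MAIL"),
    (101, "alice", "WS01", "WS03"),     # detection period: alice fans out ...
    (102, "alice", "WS01", "WS04"),
    (103, "alice", "WS01", "WS05"),
    (104, "alice", "WS01", "DC01"),
    (110, "alice", "DC01", "SQL01"),    # ... then hops onward from DC01 (chain)
]

def learn_baseline(events, learn_until):
    """Learning period: (user, dest) pairs seen before learn_until are normal."""
    return {(u, d) for t, u, _, d in events if t < learn_until}

def abnormal_subgraph(events, baseline, learn_until):
    """Per-user edges (src -> dst) after the learning period never seen as normal."""
    edges = defaultdict(list)
    for t, u, s, d in sorted(events):
        if t >= learn_until and (u, d) not in baseline:
            edges[u].append((t, s, d))
    return edges

def find_patterns(edges, window=10, fanout=3):
    """Return time-ordered (time, user, pattern) hits for the two page patterns."""
    hits = []
    for u, evs in edges.items():
        # Pattern 1: one account reaching >= fanout new machines within `window` minutes
        for t0, _, _ in evs:
            if len({d for t, _, d in evs if t0 <= t < t0 + window}) >= fanout:
                hits.append((t0, u, "fan-out"))
                break
        # Pattern 2: chain, i.e. A -> B followed later by B -> C for the same account
        for t1, _, d1 in evs:
            for t2, s2, _ in evs:
                if t2 > t1 and s2 == d1:
                    hits.append((t2, u, "chain"))
    return sorted(hits)

def alerts(events, learn_until=100):
    """Alert only when an account shows at least two patterns in sequence."""
    edges = abnormal_subgraph(events, learn_baseline(events, learn_until), learn_until)
    hits = find_patterns(edges)
    out = []
    for u in sorted({h[1] for h in hits}):
        seq = [kind for _, user, kind in hits if user == u]
        if len(seq) >= 2:
            out.append((u, seq))
    return out
```

A single fan-out with no onward hop, or any activity inside the learning window, produces no alert, matching the two-pattern rule quoted above.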


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
