Lateral movement attack chain

Classification:

attack

Tactic:

TA0008-lateral-movement

Technique:

T1563-remote-service-session-hijacking

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect lateral movement attacks by correlating multiple indicators of network traversal and post-compromise activity within the same execution context.

Strategy

This correlation rule identifies lateral movement operations by detecting combinations of the following activity groups:

  • Remote Access Tools: SSH sessions, outbound SSH connections, tmate usage, or rogue SSM Agent registration used for remote access
  • Credential Harvesting: Credential discovery tools (for example, trufflehog), cloud IMDS access (AWS, Azure, GCP), EKS service account token access, or kubeconfig reads
  • Network Reconnaissance: Kubernetes DNS enumeration, IP lookup domains, network intrusion utilities, sniffing tools, or offensive Kubernetes tools
  • System Enumeration: Container breakout enumeration, image enumeration, debugfs in container, or execution of discovery commands (for example, whoami, lsmod)

The rule triggers different severity levels based on the combination of detected activities:

CaseSeverityCondition
Comprehensive Lateral MovementCriticalRemote Access Tools, Credential Harvesting, Network Reconnaissance, and System Enumeration
Credential-Based Lateral Movement (interactive)HighRemote Access Tools and Credential Harvesting (interactive session)
Reconnaissance and Access (interactive)HighNetwork Reconnaissance and Remote Access Tools (interactive session)
Credential-Based Lateral MovementMediumRemote Access Tools and Credential Harvesting
Reconnaissance and AccessMediumNetwork Reconnaissance and Remote Access Tools
Enumeration with AccessMediumSystem Enumeration and Remote Access Tools

Triage & Response

  1. Isolate source system: Immediately isolate the affected host and container (or pod) to prevent further movement.

  2. Terminate remote access: Stop the impacted process(es) and close all remote access sessions.

  3. Block network connections: Block access to identified destination IPs and monitor for additional connection attempts.

  4. Assess credential compromise: Identify all accessed credentials, cloud metadata, and Kubernetes configurations.

  5. Map reconnaissance findings: Analyze what systems and services were discovered during network enumeration.

  6. Reset compromised credentials: Reset all potentially compromised credentials, API keys, and service account tokens.

  7. Hunt for additional compromised systems: Search for lateral movement to other systems using the same credentials or session identity.

  8. Review access patterns: Analyze authentication logs and access patterns to identify the full scope of compromise.

  9. Implement network segmentation: Deploy additional network controls to limit future lateral movement capabilities.