Lateral movement attack chain
Goal
Detect lateral movement attacks by correlating multiple indicators of network traversal and post-compromise activity within the same execution context.
Strategy
This correlation rule identifies lateral movement operations by detecting combinations of the following activity groups:
- Remote Access Tools: SSH sessions, outbound SSH connections, tmate usage, or rogue SSM Agent registration used for remote access
- Credential Harvesting: Credential discovery tools (for example, trufflehog), cloud IMDS access (AWS, Azure, GCP), EKS service account token access, or kubeconfig reads
- Network Reconnaissance: Kubernetes DNS enumeration, IP lookup domains, network intrusion utilities, sniffing tools, or offensive Kubernetes tools
- System Enumeration: Container breakout enumeration, image enumeration, debugfs in container, or execution of discovery commands (for example, whoami, lsmod)
The severity of the generated signal depends on which activity groups are observed together in the same execution context. Cases are listed from most to least severe; the "(interactive)" variants apply when the correlated activity occurs in an interactive session (for example, a process attached to a TTY):
| Case | Severity | Condition |
|---|---|---|
| Comprehensive Lateral Movement | Critical | Remote Access Tools, Credential Harvesting, Network Reconnaissance, and System Enumeration |
| Credential-Based Lateral Movement (interactive) | High | Remote Access Tools and Credential Harvesting (interactive session) |
| Reconnaissance and Access (interactive) | High | Network Reconnaissance and Remote Access Tools (interactive session) |
| Credential-Based Lateral Movement | Medium | Remote Access Tools and Credential Harvesting |
| Reconnaissance and Access | Medium | Network Reconnaissance and Remote Access Tools |
| Enumeration with Access | Medium | System Enumeration and Remote Access Tools |
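The following is an added illustration of the correlation logic described by the table above; it is not Datadog's rule implementation. It assumes a simplified event schema (a `context` identifier such as a container ID, a `signal` name mapped to one of the four activity groups, and a `tty` flag standing in for "interactive session"), and it resolves overlapping cases by taking the first match in table order. The sample events are constructed for the example.

```python
"""Toy correlation of lateral-movement indicators by execution context.

Added example modelled on the severity table above; not Datadog's engine.
Event schema, signal-to-group mapping and first-match ordering are assumptions.
"""
from collections import defaultdict

REMOTE_ACCESS = "remote_access_tools"
CRED_HARVEST = "credential_harvesting"
NET_RECON = "network_reconnaissance"
SYS_ENUM = "system_enumeration"

# (case name, severity, required groups, requires interactive session)
# Evaluated top to bottom; the first case whose groups are all present wins.
CASES = [
    ("Comprehensive Lateral Movement", "critical",
     {REMOTE_ACCESS, CRED_HARVEST, NET_RECON, SYS_ENUM}, False),
    ("Credential-Based Lateral Movement (interactive)", "high",
     {REMOTE_ACCESS, CRED_HARVEST}, True),
    ("Reconnaissance and Access (interactive)", "high",
     {REMOTE_ACCESS, NET_RECON}, True),
    ("Credential-Based Lateral Movement", "medium",
     {REMOTE_ACCESS, CRED_HARVEST}, False),
    ("Reconnaissance and Access", "medium",
     {REMOTE_ACCESS, NET_RECON}, False),
    ("Enumeration with Access", "medium",
     {REMOTE_ACCESS, SYS_ENUM}, False),
]

# Assumed mapping from individual detections to the activity groups listed above.
SIGNAL_GROUPS = {
    "ssh_session": REMOTE_ACCESS,
    "outbound_ssh": REMOTE_ACCESS,
    "tmate_usage": REMOTE_ACCESS,
    "rogue_ssm_agent": REMOTE_ACCESS,
    "trufflehog_exec": CRED_HARVEST,
    "imds_access": CRED_HARVEST,
    "eks_token_read": CRED_HARVEST,
    "kubeconfig_read": CRED_HARVEST,
    "k8s_dns_enum": NET_RECON,
    "ip_lookup_domain": NET_RECON,
    "sniffing_tool": NET_RECON,
    "container_breakout_enum": SYS_ENUM,
    "debugfs_in_container": SYS_ENUM,
    "discovery_command": SYS_ENUM,
}


def classify(groups, interactive):
    """Return (case, severity) for a set of observed groups, or None."""
    for name, severity, required, needs_tty in CASES:
        if required <= groups and (interactive or not needs_tty):
            return name, severity
    return None


def correlate(events):
    """Group events by execution context and classify each context."""
    by_ctx = defaultdict(lambda: {"groups": set(), "interactive": False})
    for ev in events:
        group = SIGNAL_GROUPS.get(ev["signal"])
        if group is None:
            continue  # signal not part of this rule
        ctx = by_ctx[ev["context"]]
        ctx["groups"].add(group)
        # Any interactive event marks the whole context as interactive (assumption).
        ctx["interactive"] = ctx["interactive"] or ev.get("tty", False)
    results = {}
    for ctx_id, ctx in by_ctx.items():
        verdict = classify(ctx["groups"], ctx["interactive"])
        if verdict is not None:
            results[ctx_id] = verdict
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"context": "container-a", "signal": "ssh_session", "tty": True},
    {"context": "container-a", "signal": "imds_access", "tty": True},
    {"context": "container-b", "signal": "outbound_ssh", "tty": False},
    {"context": "container-b", "signal": "discovery_command", "tty": False},
    {"context": "container-c", "signal": "tmate_usage", "tty": False},
    {"context": "container-c", "signal": "trufflehog_exec", "tty": False},
    {"context": "container-c", "signal": "k8s_dns_enum", "tty": False},
    {"context": "container-c", "signal": "debugfs_in_container", "tty": False},
    # Credential harvesting with no remote-access indicator: no signal expected.
    {"context": "container-d", "signal": "kubeconfig_read", "tty": True},
]

if __name__ == "__main__":
    for ctx_id, (case, severity) in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{ctx_id}: {severity.upper()} - {case}")
```

Running the block yields a High signal for `container-a` (interactive SSH plus IMDS access), a Medium "Enumeration with Access" signal for `container-b`, a Critical signal for `container-c` where all four groups are present, and nothing for `container-d`, because every case in the table requires a Remote Access Tools indicator.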
Triage & Response
1. Isolate source system: Immediately isolate the affected host and container (or pod) to prevent further movement.
2. Terminate remote access: Stop the impacted process(es) and close all remote access sessions.
3. Block network connections: Block access to the identified destination IPs and monitor for additional connection attempts.
4. Assess credential compromise: Identify all accessed credentials, cloud metadata, and Kubernetes configurations.
5. Map reconnaissance findings: Analyze which systems and services were discovered during network enumeration.
6. Reset compromised credentials: Reset all potentially compromised credentials, API keys, and service account tokens.
7. Hunt for additional compromised systems: Search for lateral movement to other systems using the same credentials or session identity.
8. Review access patterns: Analyze authentication logs and access patterns to identify the full scope of compromise.
9. Implement network segmentation: Deploy additional network controls to limit future lateral movement capabilities.
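For the pod case in steps 1 and 9, one way to cut off both ingress and egress while preserving the pod for forensics is a Kubernetes NetworkPolicy that selects quarantined pods and declares no allowed rules. This is an added example, not part of the original page; the namespace and the `quarantine` label are assumptions, and it only takes effect if the cluster's CNI enforces NetworkPolicy.

```yaml
# Added example: deny-all isolation for pods labelled quarantine=true.
# Assumed namespace and label; apply with kubectl apply -f <this file>.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-deny-all
  namespace: prod          # assumption: namespace of the affected pod
spec:
  podSelector:
    matchLabels:
      quarantine: "true"   # assumption: label applied during triage
  policyTypes:
  - Ingress
  - Egress
  # No ingress or egress rules: all traffic to and from selected pods is denied,
  # including the outbound SSH and IMDS/DNS access the rule correlates on.
```

Apply the policy first, then label the affected pod (for example with `kubectl label pod <pod-name> quarantine=true -n prod`, where the pod name and namespace are yours to fill in) so that isolation is immediate and the container's filesystem and process state remain available for the credential assessment in step 4.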