Lateral movement attack chain

Classification:

attack

Tactic:

TA0008-lateral-movement

Technique:

T1563-remote-service-session-hijacking

이 페이지는 아직 한국어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect lateral movement attacks by correlating multiple indicators of network traversal and post-compromise activity within the same execution context.

Strategy

This correlation rule identifies lateral movement operations by detecting combinations of the following activity groups:

  • Remote Access Tools: SSH sessions, outbound SSH connections, tmate usage, or rogue SSM Agent registration used for remote access
  • Credential Harvesting: Credential discovery tools (for example, trufflehog), cloud IMDS access (AWS, Azure, GCP), EKS service account token access, or kubeconfig reads
  • Network Reconnaissance: Kubernetes DNS enumeration, IP lookup domains, network intrusion utilities, sniffing tools, or offensive Kubernetes tools
  • System Enumeration: Container breakout enumeration, image enumeration, debugfs in container, or execution of discovery commands (for example, whoami, lsmod)

The rule triggers different severity levels based on the combination of detected activities:

CaseSeverityCondition
Comprehensive Lateral MovementCriticalRemote Access Tools, Credential Harvesting, Network Reconnaissance, and System Enumeration
Credential-Based Lateral Movement (interactive)HighRemote Access Tools and Credential Harvesting (interactive session)
Reconnaissance and Access (interactive)HighNetwork Reconnaissance and Remote Access Tools (interactive session)
Credential-Based Lateral MovementMediumRemote Access Tools and Credential Harvesting
Reconnaissance and AccessMediumNetwork Reconnaissance and Remote Access Tools
Enumeration with AccessMediumSystem Enumeration and Remote Access Tools

Triage & Response

  1. Isolate source system: Immediately isolate the affected host and container (or pod) to prevent further movement.

  2. Terminate remote access: Stop the impacted process(es) and close all remote access sessions.

  3. Block network connections: Block access to identified destination IPs and monitor for additional connection attempts.

  4. Assess credential compromise: Identify all accessed credentials, cloud metadata, and Kubernetes configurations.

  5. Map reconnaissance findings: Analyze what systems and services were discovered during network enumeration.

  6. Reset compromised credentials: Reset all potentially compromised credentials, API keys, and service account tokens.

  7. Hunt for additional compromised systems: Search for lateral movement to other systems using the same credentials or session identity.

  8. Review access patterns: Analyze authentication logs and access patterns to identify the full scope of compromise.

  9. Implement network segmentation: Deploy additional network controls to limit future lateral movement capabilities.