---
title: Lateral movement attack chain
---

# Lateral movement attack chain
- Classification: attack
- Tactic: [TA0008-lateral-movement](https://attack.mitre.org/tactics/TA0008)
- Technique: [T1563-remote-service-session-hijacking](https://attack.mitre.org/techniques/T1563)

## Goal

Detect lateral movement attacks by correlating multiple indicators of network traversal and post-compromise activity within the same execution context.

## Strategy

This correlation rule identifies lateral movement operations by detecting combinations of the following activity groups:

- **Remote Access Tools**: SSH sessions, outbound SSH connections, tmate usage, or rogue SSM Agent registration used for remote access
- **Credential Harvesting**: Credential discovery tools (for example, trufflehog), cloud IMDS access (AWS, Azure, GCP), EKS service account token access, or kubeconfig reads
- **Network Reconnaissance**: Kubernetes DNS enumeration, IP lookup domains, network intrusion utilities, sniffing tools, or offensive Kubernetes tools
- **System Enumeration**: Container breakout enumeration, image enumeration, debugfs in container, or execution of discovery commands (for example, whoami, lsmod)

The rule assigns a severity according to which activity groups are detected together in the same execution context:

| Case                                            | Severity | Condition                                                                                  |
| ----------------------------------------------- | -------- | ------------------------------------------------------------------------------------------ |
| Comprehensive Lateral Movement                  | Critical | Remote Access Tools, Credential Harvesting, Network Reconnaissance, and System Enumeration |
| Credential-Based Lateral Movement (interactive) | High     | Remote Access Tools and Credential Harvesting (interactive session)                        |
| Reconnaissance and Access (interactive)         | High     | Network Reconnaissance and Remote Access Tools (interactive session)                       |
| Credential-Based Lateral Movement               | Medium   | Remote Access Tools and Credential Harvesting                                              |
| Reconnaissance and Access                       | Medium   | Network Reconnaissance and Remote Access Tools                                             |
| Enumeration with Access                         | Medium   | System Enumeration and Remote Access Tools                                                 |
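
As an added illustration (not Datadog's rule definition or code), the following Python models the severity table above: individual signals are bucketed into the four activity groups per execution context, and the first matching case in priority order decides the severity. The signal names, the `(context, signal, interactive)` event shape and the sample events are assumptions constructed for the example.

```python
# The four activity groups from the Strategy section, as short aliases.
R, C, N, S = "remote_access", "credential_harvesting", "network_recon", "system_enum"

# Hypothetical per-signal names mapped onto those groups.
SIGNAL_GROUP = {
    "ssh_session": R, "tmate_usage": R, "rogue_ssm_agent": R,
    "imds_access": C, "kubeconfig_read": C, "trufflehog_exec": C,
    "k8s_dns_enum": N, "sniffing_tool": N, "debugfs_in_container": S, "discovery_command": S,
}

# (case, severity, required groups, interactive session required), ordered so
# the broadest combination is matched first and the interactive variants win.
CASES = [
    ("Comprehensive Lateral Movement", "critical", {R, C, N, S}, False),
    ("Credential-Based Lateral Movement (interactive)", "high", {R, C}, True),
    ("Reconnaissance and Access (interactive)", "high", {N, R}, True),
    ("Credential-Based Lateral Movement", "medium", {R, C}, False),
    ("Reconnaissance and Access", "medium", {N, R}, False),
    ("Enumeration with Access", "medium", {S, R}, False),
]

def correlate(events):
    """Return {context: (case, severity)} for each execution context whose
    combined signals satisfy a case; a context with no matching case is omitted."""
    contexts = {}
    for context, signal, interactive in events:  # bucket by execution context
        ctx = contexts.setdefault(context, {"groups": set(), "tty": False})
        if signal in SIGNAL_GROUP:
            ctx["groups"].add(SIGNAL_GROUP[signal])
        ctx["tty"] |= bool(interactive)
    findings = {}
    for name, ctx in contexts.items():
        for case, severity, needed, needs_tty in CASES:
            if needed <= ctx["groups"] and (ctx["tty"] or not needs_tty):
                findings[name] = (case, severity)
                break  # first (highest-priority) match wins
    return findings

# Constructed sample events: (execution context, signal, interactive session).
SAMPLE_EVENTS = [
    ("pod-a", "ssh_session", True), ("pod-a", "imds_access", False),
    ("pod-a", "k8s_dns_enum", False), ("pod-a", "discovery_command", False),
    ("pod-b", "ssh_session", True), ("pod-b", "kubeconfig_read", False),
    ("pod-c", "tmate_usage", False), ("pod-c", "sniffing_tool", False),
    ("pod-d", "imds_access", False), ("pod-d", "k8s_dns_enum", False),  # no remote access
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Note that `pod-d` produces no finding: credential harvesting plus reconnaissance without a remote access signal matches none of the cases, which is the rule's stated requirement that every case include Remote Access Tools.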

## Triage & Response

1. **Isolate source system**: Immediately isolate the affected host and container (or pod) to prevent further movement.

1. **Terminate remote access**: Stop the impacted process(es) and close all remote access sessions.

1. **Block network connections**: Block access to identified destination IPs and monitor for additional connection attempts.

1. **Assess credential compromise**: Identify all accessed credentials, cloud metadata, and Kubernetes configurations.

1. **Map reconnaissance findings**: Analyze what systems and services were discovered during network enumeration.

1. **Reset compromised credentials**: Reset all potentially compromised credentials, API keys, and service account tokens.

1. **Hunt for additional compromised systems**: Search for lateral movement to other systems using the same credentials or session identity.

1. **Review access patterns**: Analyze authentication logs and access patterns to identify the full scope of compromise.

1. **Implement network segmentation**: Deploy additional network controls to limit future lateral movement capabilities.
