low advisory

Unusual Remote File Directory Lateral Movement Detection

An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.

This detection identifies potential lateral movement within a network by flagging remote file transfers into directories that are rarely used as transfer destinations. Attackers often favor less scrutinized file paths to evade path-based monitoring and stage malicious payloads. The detection relies on the “lmd_rare_file_path_remote_transfer_ea” machine learning job within Elastic Security, which analyzes file events and Windows RDP process events and scores each transfer by how unusual its destination directory is relative to the environment’s baseline. The job is part of the Lateral Movement Detection integration and requires Elastic Defend and Fleet for full functionality. This matters for defenders because an attacker who avoids the well-known staging directories slips past static path lists; a per-environment baseline of destination directories catches what such lists miss.

Attack Chain

  1. The attacker gains initial access to a system within the network (e.g., via phishing or exploitation of a vulnerability).
  2. The attacker identifies a target host for lateral movement.
  3. The attacker uses a remote service (e.g., RDP, SMB) to connect to the target host.
  4. The attacker attempts to transfer malicious files to the target host.
  5. Instead of using common directories like “C:\Windows\Temp” or “C:\ProgramData”, the attacker chooses a less monitored directory to evade detection.
  6. The remote service is leveraged to perform the file transfer to the atypical directory.
  7. The transferred file is then executed, potentially leading to command execution or privilege escalation.
  8. The attacker achieves their objective (e.g., data exfiltration, ransomware deployment) on the target host.

Impact

A successful attack can lead to unauthorized access to sensitive data, compromise of critical systems, and disruption of business operations. Although this detection is rated low severity, successful lateral movement can cause significant damage. The number of affected hosts and the severity of the impact depend on the attacker’s objectives and the organization’s security posture. Lateral movement gives attackers a deeper foothold within the network and widens the scope of their activity.

Recommendation

  • Ensure the host.ip field is populated in Elastic Defend events by following the configuration steps in the Elastic documentation.
  • Install the Lateral Movement Detection integration assets as described in the setup instructions.
  • Tune the anomaly_threshold in the machine learning job configuration based on your environment’s baseline activity to minimize false positives, as mentioned in the rule’s configuration.
  • Investigate any alerts generated by this rule, paying close attention to the source and destination IP addresses, the user account involved, and the specific directory used for the file transfer as outlined in the triage and analysis section.

Detection coverage (2 rules)

Detect Remote File Creation in Uncommon Directory

medium

Detects file creation events in directories rarely used for file transfers, which could indicate lateral movement.

sigma | tactics: lateral_movement | techniques: T1570 | sources: file_event, windows

Detect Remote File Transfer via RDP to Uncommon Directory

medium

Detects files written via RDP (terminalservices-client) to directories rarely used for file transfers.

sigma | tactics: lateral_movement | techniques: T1570 | sources: process_creation, windows
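The following is an added Python example, not Elastic’s lmd_rare_file_path_remote_transfer_ea job and not the two Sigma rules above, that makes the shared idea concrete: learn how often remote-transfer processes write into each directory during a baseline window, then flag writes into directories whose share of that baseline falls below a tunable threshold, which is the same lever the anomaly_threshold recommendation describes. It assumes ECS field names (file.path, process.name, source.ip, host.ip, user.name), a hypothetical set of processes treated as remote-transfer writers (rdpclip.exe for RDP clipboard paste, System for SMB share writes), and constructed sample events.

```python
"""Rarity scoring of destination directories for remote file writes.

Added illustration, not Elastic's ML job nor the Sigma rules in the feed.
Field names follow ECS; every event below is constructed sample data.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Assumption: file writes by these processes are treated as remote transfers.
# rdpclip.exe performs RDP clipboard paste on the target; SMB share writes are
# attributed to the System process in many telemetry sources.
REMOTE_TRANSFER_PROCESSES = {"rdpclip.exe", "system"}


def normalize_dir(path: str) -> str:
    """Parent directory of a Windows path, lowercased so case does not split counts."""
    return str(PureWindowsPath(path).parent).lower()


def is_remote_write(event: dict) -> bool:
    """File creation by a remote-transfer process that carries a peer address."""
    return (
        event.get("event.action") == "creation"
        and event.get("process.name", "").lower() in REMOTE_TRANSFER_PROCESSES
        and event.get("source.ip") is not None
    )


def build_baseline(history) -> Counter:
    """Count remote writes per destination directory over a learning window."""
    return Counter(normalize_dir(e["file.path"]) for e in history if is_remote_write(e))


def rarity(directory: str, baseline: Counter) -> float:
    """1.0 for a never-seen directory, approaching 0.0 for the most common one."""
    total = sum(baseline.values())
    if total == 0:
        return 1.0  # no baseline yet: treat everything as novel
    return 1.0 - baseline.get(directory, 0) / total


def detect(events, baseline: Counter, threshold: float = 0.95) -> list:
    """One alert per remote write whose directory rarity reaches the threshold.

    Raising the threshold keeps only the rarest directories and cuts alert
    volume; lowering it widens coverage at the cost of more false positives.
    """
    alerts = []
    for e in events:
        if not is_remote_write(e):
            continue
        d = normalize_dir(e["file.path"])
        score = rarity(d, baseline)
        if score >= threshold:
            alerts.append({
                "host.name": e.get("host.name"),
                "host.ip": e.get("host.ip"),
                "source.ip": e.get("source.ip"),
                "user.name": e.get("user.name"),
                "directory": d,
                "file.path": e["file.path"],
                "rarity": score,
            })
    return alerts


def _ev(path, process="rdpclip.exe", src="10.0.0.20", user="alice", action="creation"):
    """Build one constructed ECS-style file event."""
    return {"event.action": action, "file.path": path, "process.name": process,
            "source.ip": src, "host.name": "ws-17", "host.ip": "10.0.1.17",
            "user.name": user}


# Constructed learning window: 100 benign remote writes into three directories.
HISTORY = (
    [_ev(f"C:\\Windows\\Temp\\pkg{i}.msi") for i in range(50)]
    + [_ev(f"C:\\ProgramData\\Vendor\\cfg{i}.xml", process="System", src="10.0.0.9") for i in range(30)]
    + [_ev(f"C:\\Users\\Public\\Documents\\doc{i}.pdf") for i in range(20)]
)
BASELINE = build_baseline(HISTORY)

# Constructed events to score against that baseline.
SAMPLE_EVENTS = [
    _ev("C:\\Windows\\Temp\\payload.exe"),                                                  # common: rarity 0.5
    _ev("C:\\PerfLogs\\Admin\\update.exe", process="System", src="10.0.0.5", user="svc-backup"),  # never seen
    _ev("C:\\Users\\Public\\Documents\\notes.txt"),                                         # rarity 0.8
    _ev("C:\\Users\\Public\\Documents\\local.txt", process="notepad.exe", src=None),        # local write, ignored
    _ev("C:\\Windows\\Fonts\\calc.dll", process="System", src="10.0.0.5", user="svc-backup"),     # never seen
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE, threshold=0.95):
        print(f"{a['source.ip']} -> {a['host.ip']} ({a['user.name']}): "
              f"{a['file.path']} rarity={a['rarity']:.2f}")
```

With the default threshold of 0.95 only the two never-seen directories (C:\PerfLogs\Admin and C:\Windows\Fonts) alert, and each alert already carries the fields the triage guidance asks for: source address, target host address, user account and destination directory. Dropping the threshold to 0.75 also surfaces C:\Users\Public\Documents, which is how over-eager tuning turns a benign but less common directory into noise.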
