{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/elastic/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the potential for lateral movement within a network facilitated by an unusual spike in Remote Desktop Protocol (RDP) connections originating from a single source IP address. This activity is detected using an Elastic machine learning job designed to identify anomalies in network connection patterns. The rule \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; leverages this ML job to flag instances where a single host initiates RDP connections to a significantly higher than normal number of distinct destination IPs, potentially indicating that an attacker is attempting to pivot and gain access to additional systems after compromising an initial foothold. 
This detection mechanism is available in Elastic Security 9.4.0 and later, with the Lateral Movement Detection integration assets installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to a host within the network through methods such as phishing, exploiting a vulnerability, or credential theft.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEstablish Foothold:\u003c/strong\u003e The attacker establishes a foothold on the compromised system, potentially installing tools for reconnaissance and lateral movement.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Reconnaissance:\u003c/strong\u003e The attacker performs internal reconnaissance to identify potential target systems accessible via RDP.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRDP Connection Attempts:\u003c/strong\u003e The attacker initiates RDP connections to a large number of internal IP addresses from the compromised host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Harvesting:\u003c/strong\u003e The attacker attempts to harvest credentials from the targeted systems to gain further access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker successfully connects to additional systems using RDP, leveraging harvested or stolen credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e On newly accessed systems, the attacker attempts to escalate privileges to gain administrative control.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Completion:\u003c/strong\u003e With broader access and elevated privileges, the attacker achieves their objective, which may include data exfiltration, ransomware deployment, or disruption of services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eIf successful, this lateral movement can result in widespread compromise across the targeted network. A single compromised host can serve as a launching point to access sensitive data, critical systems, and ultimately, inflict significant damage. The \u0026ldquo;Spike in Number of Connections Made from a Source IP\u0026rdquo; rule aims to detect these lateral movement attempts early, minimizing potential damage. The impact of a successful attack could range from data breaches and financial losses to operational disruption and reputational damage, affecting organizations across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable host IP collection if using Elastic Defend (versions 8.18 and above), by following the configuration steps outlined in the Elastic documentation to ensure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://docs.elastic.co/en/integrations/lmd\"\u003eofficial Elastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the false positive analysis steps within the detection rule\u0026rsquo;s documentation. 
Add rule exceptions for known administrative sources such as jump hosts and vulnerability scanners only after confirming that their RDP fan-out is expected; an exception on a compromised host hides exactly the activity this rule exists to catch.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface as recommended in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-spike-in-rdp-connections/","summary":"An Elastic machine learning job detects a single source IP opening RDP connections to an unusually high number of distinct destination IPs, indicating potential lateral movement after initial compromise.","title":"Spike in Number of RDP Connections from a Single Source IP","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement within a network by flagging unusual remote file transfers to directories that are not commonly monitored. Attackers often leverage less scrutinized file paths to evade standard security measures and deploy malicious payloads. This detection relies on the \u003ccode\u003elmd_rare_file_path_remote_transfer_ea\u003c/code\u003e machine learning job within Elastic Security, which analyzes file and Windows RDP process events to identify anomalous file transfers based on the destination directory. The detection is part of the Lateral Movement Detection integration and requires Elastic Defend and Fleet for full functionality. 
This matters for defenders because an attacker who writes tools to a directory outside the usual staging locations slips past path-based rules; a rarity-based job catches the unusual destination directory itself.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the network (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target host for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a remote service (e.g., RDP, SMB) to connect to the target host.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to transfer malicious files to the target host.\u003c/li\u003e\n\u003cli\u003eInstead of using common directories like \u0026ldquo;C:\\Windows\\Temp\u0026rdquo; or \u0026ldquo;C:\\ProgramData\u0026rdquo;, the attacker chooses a less monitored directory to evade detection.\u003c/li\u003e\n\u003cli\u003eThe remote service is leveraged to perform the file transfer to the atypical directory.\u003c/li\u003e\n\u003cli\u003eThe transferred file is then executed, potentially leading to command execution or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective (e.g., data exfiltration, ransomware deployment) on the target host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, compromise of critical systems, and potential disruption of business operations. Although this detection is rated as low severity, successful lateral movement can lead to significant damage. The number of affected hosts and the severity of the impact depend on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. 
Lateral movement allows attackers to gain a deeper foothold within the network and increase the scope of their malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated in Elastic Defend events by following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003eElastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the anomaly_threshold in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to minimize false positives, as mentioned in the rule\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the source and destination IP addresses, the user account involved, and the specific directory used for the file transfer as outlined in the \u003ca href=\"#triage-and-analysis\"\u003etriage and analysis section\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-unusual-remote-file-directory/","summary":"An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.","title":"Unusual Remote File Directory Lateral Movement 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-22-unusual-remote-file-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief focuses on a detection rule from Elastic\u0026rsquo;s Lateral Movement Detection (LMD) integration that utilizes machine learning to identify unusual remote file transfers. The rule, \u0026ldquo;Unusual Remote File Extension,\u0026rdquo; is designed to detect anomalies in file transfers, specifically those involving rare file extensions, which could be indicative of lateral movement within a network. The rule is driven by the \u003ccode\u003elmd_rare_file_extension_remote_transfer_ea\u003c/code\u003e machine learning job. It requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
The job keys its analysis on \u003ccode\u003ehost.ip\u003c/code\u003e, so host IP collection must be enabled in Elastic Defend 8.18 and later for that field to be populated.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems using remote services like RDP or SMB.\u003c/li\u003e\n\u003cli\u003eAs part of the lateral movement, the attacker transfers tools or files to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a rare or uncommon file extension for the transferred files, potentially to evade detection based on known file types.\u003c/li\u003e\n\u003cli\u003eThe file transfer occurs over the network, generating file events on the destination system.\u003c/li\u003e\n\u003cli\u003eElastic Defend, with host IP collection enabled, monitors these file events and forwards the data to the Elastic Security platform.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elmd_rare_file_extension_remote_transfer_ea\u003c/code\u003e job scores the transferred file\u0026rsquo;s extension against the extensions seen in its historical baseline.\u003c/li\u003e\n\u003cli\u003eIf the extension is rare enough to exceed the anomaly threshold, the rule triggers, indicating potential lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can allow an adversary to gain access to sensitive data, critical systems, or privileged accounts. By using uncommon file extensions, attackers attempt to bypass security measures that rely on identifying known file types. This can lead to undetected malware deployment, data exfiltration, or further compromise of the network. 
Though this rule is of low severity, it can provide an early warning signal to stop an attack before greater damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u003ccode\u003ehost.ip\u003c/code\u003e field within Elastic Defend configurations (versions 8.18 and above) to ensure proper data collection for the machine learning job.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets within Kibana as per the provided setup instructions to activate the \u0026ldquo;Unusual Remote File Extension\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job to reduce false positives, considering your organization\u0026rsquo;s typical file transfer patterns.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Remote File Extension Transfer\u0026rdquo; Sigma rule to identify file transfers with rare extensions using process creation logs.\u003c/li\u003e\n\u003cli\u003eReview the triage and analysis steps in the rule\u0026rsquo;s documentation to effectively investigate and respond to triggered alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-unusual-remote-file-extension/","summary":"An Elastic machine learning rule detects unusual remote file transfers with rare extensions, potentially indicating lateral movement activity on a host and suggesting adversaries bypassing security measures.","title":"Unusual Remote File Extension Detected via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-03-unusual-remote-file-extension/"}],"language":"en","title":"CraftedSignal Threat Feed — Elastic","version":"https://jsonfeed.org/version/1.1"}
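The three briefs in this feed describe one pattern: an ML job baselines a per-host feature and alerts on departures from it. The Python below is an added example, not code from Elastic or CraftedSignal, that runs that logic over constructed events: distinct RDP destinations per source IP per day scored against each source's own history (the spike rule), and rarity of the destination directory and of the file extension for remote transfers (the two rare-* jobs). The event shapes, the use of rdpclip.exe as the marker for an RDP file transfer, and the mean-plus-sigma and frequency cut-offs are assumptions for illustration; the real jobs use Elastic's anomaly scoring.

```python
"""Baseline-driven checks for the three LMD-style signals above. Added example; this is
not Elastic's ML job code. Event shapes and thresholds are assumptions."""
import ntpath
from collections import Counter, defaultdict
from statistics import mean, pstdev

RDP_PORT = 3389

# Constructed connection events: (timestamp, source.ip, destination.ip, destination.port).
CONNECTIONS = (
    # Baseline: workstation 10.0.0.5 reaches two or three hosts a day.
    [("2024-01-27T09:00:00Z", "10.0.0.5", "10.0.1.10", RDP_PORT),
     ("2024-01-27T09:05:00Z", "10.0.0.5", "10.0.1.11", RDP_PORT),
     ("2024-01-28T09:00:00Z", "10.0.0.5", "10.0.1.10", RDP_PORT),
     ("2024-01-28T10:00:00Z", "10.0.0.5", "10.0.1.12", RDP_PORT),
     ("2024-01-28T11:00:00Z", "10.0.0.5", "10.0.1.11", RDP_PORT),
     ("2024-01-29T09:00:00Z", "10.0.0.5", "10.0.1.10", RDP_PORT),
     ("2024-01-29T09:30:00Z", "10.0.0.5", "10.0.1.11", RDP_PORT)]
    # Detection day: the same workstation fans out to twelve distinct hosts.
    + [("2024-01-30T14:%02d:00Z" % m, "10.0.0.5", "10.0.2.%d" % (m + 1), RDP_PORT)
       for m in range(12)]
    # SMB on the same day is not RDP and must not inflate the count.
    + [("2024-01-30T15:00:00Z", "10.0.0.5", "10.0.3.%d" % i, 445) for i in range(1, 9)]
    # Jump host 10.0.0.9 reaches ten hosts every day, so its own baseline absorbs it.
    + [("2024-01-%02dT08:00:00Z" % d, "10.0.0.9", "10.0.4.%d" % i, RDP_PORT)
       for d in range(27, 31) for i in range(1, 11)]
)


def distinct_destinations_per_day(conns, port=RDP_PORT):
    """Map (source.ip, day) -> number of distinct destination IPs reached on `port`."""
    seen = defaultdict(set)
    for ts, src, dst, dport in conns:
        if dport == port:
            seen[(src, ts[:10])].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}


def rdp_fanout_spikes(conns, day, sigma=3.0, min_distinct=5):
    """Flag sources whose distinct-destination count on `day` exceeds their own historical
    mean by `sigma` standard deviations. `min_distinct` is an absolute floor so that a
    host going from one destination to three does not alert."""
    counts = distinct_destinations_per_day(conns)
    history, today = defaultdict(list), {}
    for (src, d), n in counts.items():
        if d == day:
            today[src] = n
        elif d < day:
            history[src].append(n)
    flagged = {}
    for src, n in today.items():
        hist = history.get(src, [])
        # A source with no baseline gets only the absolute floor; it is worth a look anyway.
        threshold = mean(hist) + sigma * pstdev(hist) if hist else 0.0
        if n >= min_distinct and n > threshold:
            flagged[src] = (n, round(threshold, 2))
    return flagged


# Constructed file-creation events on a target host: (day, file.path, process.name).
# rdpclip.exe is assumed as the marker for RDP clipboard transfers (assumption, see lead-in).
FILE_EVENTS = (
    # Baseline: documents dropped into Downloads and Desktop over RDP for three weeks.
    [("2024-01-%02d" % d, r"C:\Users\alice\%s\doc%d.%s" % (folder, d, ext), "rdpclip.exe")
     for d in range(10, 30) for folder, ext in (("Downloads", "docx"), ("Desktop", "xlsx"))]
    + [("2024-01-30", r"C:\PerfLogs\svc\update.ps1", "rdpclip.exe"),   # rare dir, rare ext
       ("2024-01-30", r"C:\Users\alice\Desktop\tool.hta", "rdpclip.exe"),  # rare ext only
       ("2024-01-30", r"C:\Users\alice\Downloads\notes.docx", "rdpclip.exe"),  # ordinary
       ("2024-01-30", r"C:\Users\alice\Desktop\local.exe", "explorer.exe")]  # not remote
)

REMOTE_TRANSFER_PROCS = {"rdpclip.exe"}


def directory(event):
    return ntpath.dirname(event[1]).lower()


def extension(event):
    return ntpath.splitext(event[1])[1].lower().lstrip(".")


def rare_transfers(events, day, feature, max_freq=0.02):
    """Return (path, value, baseline_frequency) for remote transfers on `day` whose
    `feature` value occurs in at most `max_freq` of the remote transfers before `day`.
    Values never seen in the baseline have frequency 0.0 and always trip the check."""
    remote = [e for e in events if e[2].lower() in REMOTE_TRANSFER_PROCS]
    baseline = Counter(feature(e) for e in remote if e[0] < day)
    total = sum(baseline.values()) or 1
    flagged = []
    for e in remote:
        if e[0] != day:
            continue
        value = feature(e)
        freq = baseline[value] / total
        if freq <= max_freq:
            flagged.append((e[1], value, round(freq, 4)))
    return flagged


if __name__ == "__main__":
    print(rdp_fanout_spikes(CONNECTIONS, "2024-01-30"))
    print(rare_transfers(FILE_EVENTS, "2024-01-30", directory))
    print(rare_transfers(FILE_EVENTS, "2024-01-30", extension))
```

The two rare-transfer calls show why both jobs exist: update.ps1 trips the directory check and the extension check, while tool.hta lands in an ordinary Desktop folder and is caught only by extension rarity. The jump host 10.0.0.9 stays quiet because its fan-out is part of its own baseline, which is also why exceptions for administrative sources should cover only behaviour that is genuinely routine.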