https://feed.craftedsignal.io/tags/elastic/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 30 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/Tue, 30 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-spike-in-rdp-connections/A machine learning job detected a high count of destination IPs establishing RDP connections with a single source IP, indicating potential lateral movement attempts after initial compromise.This threat brief addresses the potential for lateral movement within a network facilitated by an unusual spike in Remote Desktop Protocol (RDP) connections originating from a single source IP address. This activity is detected using an Elastic machine learning job designed to identify anomalies in network connection patterns. The rule “Spike in Number of Connections Made from a Source IP” leverages this ML job to flag instances where a single host initiates RDP connections to a significantly higher than normal number of distinct destination IPs, potentially indicating that an attacker is attempting to pivot and gain access to additional systems after compromising an initial foothold. This detection mechanism is available in Elastic Security 9.4.0 and later, with the Lateral Movement Detection integration assets installed.

Attack Chain

1. Initial Compromise: An attacker gains initial access to a host within the network through methods such as phishing, exploiting a vulnerability, or credential theft.
2. Establish Foothold: The attacker establishes a foothold on the compromised system, potentially installing tools for reconnaissance and lateral movement.
3. Internal Reconnaissance: The attacker performs internal reconnaissance to identify potential target systems accessible via RDP.
4. RDP Connection Attempts: The attacker initiates RDP connections to a large number of internal IP addresses from the compromised host.
5. Credential Harvesting: The attacker attempts to harvest credentials from the targeted systems to gain further access.
6. Lateral Movement: The attacker successfully connects to additional systems using RDP, leveraging harvested or stolen credentials.
7. Privilege Escalation: On newly accessed systems, the attacker attempts to escalate privileges to gain administrative control.
8. Objective Completion: With broader access and elevated privileges, the attacker achieves their objective, which may include data exfiltration, ransomware deployment, or disruption of services.

Impact

If successful, this lateral movement can result in widespread compromise across the targeted network. A single compromised host can serve as a launching point to access sensitive data, critical systems, and ultimately, inflict significant damage. The “Spike in Number of Connections Made from a Source IP” rule aims to detect these lateral movement attempts early, minimizing potential damage. The impact of a successful attack could range from data breaches and financial losses to operational disruption and reputational damage, affecting organizations across various sectors.

Recommendation

• Enable host IP collection if using Elastic Defend (versions 8.18 and above), by following the configuration steps outlined in the Elastic documentation to ensure the host.ip field is populated.
• Install the Lateral Movement Detection integration assets as described in the official Elastic documentation.
• Review and tune the false positive analysis steps within the detection rule’s documentation. Whitelist known administrative IPs or legitimate RDP usage patterns to minimize noise.
• Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface as recommended in the rule’s response and remediation guidance.

]]>lowadvisorylateral-movementrdpelastichttps://feed.craftedsignal.io/briefs/2024-01-22-unusual-remote-file-directory/Mon, 22 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-22-unusual-remote-file-directory/An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.This detection identifies potential lateral movement within a network by flagging unusual remote file transfers to directories that are not commonly monitored. Attackers often leverage less scrutinized file paths to evade standard security measures and deploy malicious payloads. This detection relies on the “lmd_rare_file_path_remote_transfer_ea” machine learning job within Elastic Security, which analyzes file and Windows RDP process events to identify anomalous file transfers based on the destination directory. The detection is part of the Lateral Movement Detection integration and requires Elastic Defend and Fleet for full functionality. This is important for defenders because attackers will try to blend in with normal file transfer activity by using uncommon directories.

Attack Chain

1. The attacker gains initial access to a system within the network (e.g., via phishing or exploitation of a vulnerability).
2. The attacker identifies a target host for lateral movement.
3. The attacker uses a remote service (e.g., RDP, SMB) to connect to the target host.
4. The attacker attempts to transfer malicious files to the target host.
5. Instead of using common directories like “C:\Windows\Temp” or “C:\ProgramData”, the attacker chooses a less monitored directory to evade detection.
6. The remote service is leveraged to perform the file transfer to the atypical directory.
7. The transferred file is then executed, potentially leading to command execution or privilege escalation.
8. The attacker achieves their objective (e.g., data exfiltration, ransomware deployment) on the target host.

Impact

A successful attack can lead to unauthorized access to sensitive data, compromise of critical systems, and potential disruption of business operations. Although this detection is rated as low severity, successful lateral movement can lead to significant damage. The number of affected hosts and the severity of the impact depends on the attacker’s objectives and the organization’s security posture. Lateral movement allows attackers to gain a deeper foothold within the network and increase the scope of their malicious activities.

Recommendation

• Ensure the host.ip field is populated in Elastic Defend events by following the configuration steps in the Elastic documentation.
• Install the Lateral Movement Detection integration assets as described in the setup instructions.
• Tune the anomaly_threshold in the machine learning job configuration based on your environment’s baseline activity to minimize false positives, as mentioned in the rule’s configuration.
• Investigate any alerts generated by this rule, paying close attention to the source and destination IP addresses, the user account involved, and the specific directory used for the file transfer as outlined in the triage and analysis section.

]]>lowadvisorylateral-movementmachine-learningelastichttps://feed.craftedsignal.io/briefs/2024-01-03-unusual-remote-file-extension/Wed, 03 Jan 2024 15:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-unusual-remote-file-extension/An Elastic machine learning rule detects unusual remote file transfers with rare extensions, potentially indicating lateral movement activity on a host and suggesting adversaries bypassing security measures.This brief focuses on a detection rule from Elastic’s Lateral Movement Detection (LMD) integration that utilizes machine learning to identify unusual remote file transfers. The rule, “Unusual Remote File Extension,” is designed to detect anomalies in file transfers, specifically those involving rare file extensions, which could be indicative of lateral movement within a network. This rule leverages the lmd_rare_file_extension_remote_transfer_ea machine learning job ID. The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. The rule operates by analyzing host.ip and detecting anomalies in file transfers, where host IP collection needs to be enabled on Elastic Defend versions 8.18 and above.

Attack Chain

1. An attacker gains initial access to a system within the network.
2. The attacker attempts to move laterally to other systems using remote services like RDP or SMB.
3. As part of the lateral movement, the attacker transfers tools or files to the remote system.
4. The attacker uses a rare or uncommon file extension for the transferred files, potentially to evade detection based on known file types.
5. The file transfer occurs over the network, triggering file event logs on the source and destination systems.
6. Elastic Defend, with host IP collection enabled, monitors these file events and forwards the data to the Elastic Security platform.
7. The “Unusual Remote File Extension” machine learning job identifies the transfer of a file with a rare extension, comparing it against historical data.
8. If the file extension is deemed anomalous based on its rarity, the rule triggers, indicating potential lateral movement.

Impact

A successful lateral movement attack can allow an adversary to gain access to sensitive data, critical systems, or privileged accounts. By using uncommon file extensions, attackers attempt to bypass security measures that rely on identifying known file types. This can lead to undetected malware deployment, data exfiltration, or further compromise of the network. Though this rule is of low severity, it can provide an early warning signal to stop an attack before greater damage occurs.

Recommendation

• Enable the host.ip field within Elastic Defend configurations (versions 8.18 and above) to ensure proper data collection for the machine learning job.
• Install the Lateral Movement Detection integration assets within Kibana as per the provided setup instructions to activate the “Unusual Remote File Extension” rule.
• Tune the anomaly threshold of the machine learning job to reduce false positives, considering your organization’s typical file transfer patterns.
• Deploy the “Detect Remote File Extension Transfer” Sigma rule to identify file transfers with rare extensions using process creation logs.
• Review the triage and analysis steps in the rule’s documentation to effectively investigate and respond to triggered alerts.

]]>lowadvisorylateral-movementmachine-learningelastic