Lateral Movement alerts detect suspicious movement between internal systems to uncover adversaries already in your network. These detections cover remote system access (inc. RDP), remote data access (inc. via network shares), and access token manipulation (inc. pass-the-hash attacks).
Identify the source and target system involved in the network connection
Identify the account used to initiate the connection. Sometimes one account initiates the action on behalf of a second account; this is common with SSH connections.
Lateral movement threats by definition involve some sort of connection set up between two systems. Identify the connection protocol used. Common examples include:
In many cases of lateral movement, you'll have the ability to identify or infer the tool used to make a connection. Often, the tool will be a common program or utility that is either preinstalled or installed by a user. Common examples include:
1. How are the accounts involved typically used?
Understanding what the accounts involved in this activity typically do can provide strong indications that this activity is more likely than not to be expected.
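The identification steps above (source, target, account, protocol) and question 1 (how the account is normally used) can be turned into a small triage routine. The following is an added example, not code from the original page: it normalizes constructed sample events (a Windows Event 4624 logon rendered as key=value text and a Linux sshd line), derives the protocol from the documented Windows logon type or the SSH daemon, maps which sources reached which targets, and flags connections whose source is outside a hypothetical per-account baseline. The sample events, the `EXPECTED_SOURCES` baseline and all function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events (not real telemetry): two Windows 4624 logon events
# rendered as key=value text and one Linux sshd line in auth.log style.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jsmith TargetDomainName=CORP "
    "IpAddress=10.1.20.15 Computer=WKS-0042",
    "EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP "
    "IpAddress=10.1.5.9 Computer=FS-01",
    "Jan 14 09:12:01 dev-srv-07 sshd[2231]: Accepted publickey for deploy "
    "from 10.1.20.15 port 51022 ssh2",
]

# Windows logon types relevant to remote access (documented Event 4624 values).
LOGON_TYPE_PROTOCOL = {
    "10": "RDP",                      # RemoteInteractive
    "3": "Network (e.g. SMB share)",  # Network logon
    "2": "Interactive (console)",
}

# Hypothetical per-account baseline: the source addresses each account normally
# connects from. In practice this is built from weeks of logon history.
EXPECTED_SOURCES = {
    "CORP\\jsmith": {"10.1.20.15"},
    "CORP\\svc_backup": {"10.1.5.9"},
    "deploy": {"10.1.30.2"},
}


@dataclass
class ConnectionRecord:
    source: str
    target: str
    account: str
    protocol: str


SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_windows_logon(line: str) -> Optional[ConnectionRecord]:
    """Extract source, target, account and protocol from a 4624 logon event."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if fields.get("EventID") != "4624":
        return None
    return ConnectionRecord(
        source=fields.get("IpAddress", "?"),
        target=fields.get("Computer", "?"),
        account=f"{fields.get('TargetDomainName', '?')}\\{fields.get('TargetUserName', '?')}",
        protocol=LOGON_TYPE_PROTOCOL.get(fields.get("LogonType", ""), "unknown"),
    )


def parse_sshd(line: str) -> Optional[ConnectionRecord]:
    """Extract the same fields from an sshd 'Accepted ...' line; the accepting host is the target."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return ConnectionRecord(source=m["ip"], target=m["host"], account=m["user"], protocol="SSH")


def normalize(line: str) -> Optional[ConnectionRecord]:
    return parse_windows_logon(line) if "EventID=" in line else parse_sshd(line)


def triage_events(lines):
    return [r for r in map(normalize, lines) if r is not None]


def fan_out(records):
    """Map each source to the set of targets it reached; one source touching
    many systems in a short window deserves a closer look."""
    out = {}
    for r in records:
        out.setdefault(r.source, set()).add(r.target)
    return out


def unexpected_sources(records):
    """Records whose source is not in the account's baseline (question 1)."""
    return [r for r in records if r.source not in EXPECTED_SOURCES.get(r.account, set())]


if __name__ == "__main__":
    recs = triage_events(SAMPLE_EVENTS)
    for r in recs:
        print(r)
    print("fan-out:", fan_out(recs))
    print("outside baseline:", unexpected_sources(recs))
```

With the constructed data, the `deploy` account's SSH login to `dev-srv-07` stands out because it originated from the address baselined for `jsmith`'s workstation rather than from the address `deploy` normally uses, which is exactly the kind of source/account mismatch the steps above are meant to surface.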
2. Was the connection initiated interactively or not?
Interactive actions are ones taken by a person who is often typing commands or using GUI applications. Reviewing command histories or process trees can often indicate whether a person is interacting with the system or some programmatic process is initiating the activity. One giveaway is commands being executed too efficiently, which often indicates they weren't typed by a person: people make mistakes and are generally not optimally efficient with their tasks. Often, you'll be more suspicious of programmatic actions, especially if they are actions you don't see happening frequently in your environment.
Additionally, consider if the account was used in an expected way. A user account performing actions programmatically could be suspicious.
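The "too efficient to be a person" giveaway and the account-usage check in the two paragraphs above can be scored mechanically. The following is an added example, not code from the original page: it takes the timestamps of the commands in a session (as one could reconstruct from timestamped shell history or per-session process-creation events), measures the gaps between them, and treats a run of consistently sub-second gaps as programmatic; it then combines that with a hypothetical inventory of which accounts belong to people and which to services, so a user account acting programmatically or a service account used interactively is flagged. The sample sessions, the `ACCOUNT_KIND` inventory and the thresholds are assumptions to tune per environment.

```python
from statistics import median, pstdev

# Constructed sample sessions: seconds from session start at which each command
# was entered. A person pauses, reads output and makes typos; a script does not.
HUMAN_SESSION = [0.0, 4.2, 9.8, 11.1, 23.5, 31.0, 34.7]
SCRIPTED_SESSION = [0.0, 0.21, 0.40, 0.62, 0.81, 1.03, 1.22]

# Hypothetical account inventory: whether each account belongs to a person or to
# an automated service. Real data would come from the directory or CMDB.
ACCOUNT_KIND = {
    "CORP\\jsmith": "user",
    "CORP\\helpdesk.a": "user",
    "CORP\\svc_backup": "service",
}


def command_gaps(timestamps):
    """Seconds between consecutive commands in one session."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def looks_programmatic(timestamps, max_median_gap=1.0, max_jitter=0.5):
    """Heuristic for 'too efficient to be a person': the typical gap between
    commands is at most max_median_gap seconds and the gaps barely vary.
    Fewer than three gaps is too little evidence, so the answer is False."""
    gaps = command_gaps(timestamps)
    if len(gaps) < 3:
        return False
    return median(gaps) <= max_median_gap and pstdev(gaps) <= max_jitter


def interactivity_flags(account, timestamps):
    """Combine how the session behaved with how the account is expected to be
    used. An empty list means nothing about the interactivity stood out."""
    kind = ACCOUNT_KIND.get(account)
    programmatic = looks_programmatic(timestamps)
    flags = []
    if kind is None:
        flags.append("account not in inventory")
    elif kind == "user" and programmatic:
        flags.append("user account acting programmatically")
    elif kind == "service" and not programmatic:
        flags.append("service account used interactively")
    return flags


if __name__ == "__main__":
    for account, session in [("CORP\\jsmith", SCRIPTED_SESSION),
                             ("CORP\\svc_backup", HUMAN_SESSION),
                             ("CORP\\svc_backup", SCRIPTED_SESSION)]:
        print(account, "programmatic" if looks_programmatic(session) else "interactive",
              interactivity_flags(account, session))
```

The thresholds are deliberately conservative: a tight, regular cadence is strong evidence of automation, but a long median gap proves nothing on its own, since a script can sleep between steps. Treat the result as one input to the analyst's judgement alongside the process tree and command history, not as a verdict.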
Helpdesk admin connecting from their workstation to another user's workstation via RDP
The direction is important here. The Helpdesk admin connecting from a workstation that isn’t their own is suspicious.
Management servers connecting to systems to update software or backup data
Legitimate IT system management tools often get flagged for suspicious activity such as remote file copying. These services often connect to many systems and typically use a dedicated service account.
Admin has created a network share to access files from multiple users in the network
IT and application admins often need to move data around a network and may set up a network share to do so.
Developer remotely accessing a development server via RDP or SSH
Developers routinely log into development and pre-production systems to perform their job duties. This connection might come from their workstation or, sometimes, from a dedicated jump server: the developer first connects to the jump server and then connects from it to the final target server.
If there isn't an obvious reason why this activity is expected, it might be time to either escalate to a more senior analyst or start executing your incident response plan.
Common initial response actions can include: