Lateral movement is a dangerous threat in environments where systems are highly interconnected. Once attackers gain a foothold on one endpoint, it is critical for security teams to identify every move they make from that host to others. To combat this threat, Elastic Security is excited to announce a new lateral movement detection package that makes use of advanced analytics.
In the past, we explored how to detect malicious lateral file transfers carried out with commonly abused admin tools such as Samba, SMB/PS Remoting, FTP, SFTP, SSH, and SCP. But we wanted to go further and detect the fileless techniques attackers use to hijack and compromise systems, such as executing malicious processes and exploiting remote services and sessions, where no file transfer is left behind to alert on.
Adversaries frequently try to compromise active Remote Desktop Protocol (RDP) sessions to launch malicious code or gain access to other hosts in the network. In the 8.9 release, we introduce additional anomaly detection jobs and rules in this package that detect lateral movement through one of the most commonly abused operating system features: Windows RDP.
This blog post gives a high-level overview of our technique for detecting malicious RDP sessions and provides a step-by-step breakdown of how to enable the assets shipped in this package.