Spike in Number of Connections Made from a Source IP
editSpike in Number of Connections Made from a Source IP
editA machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.
Rule type: machine_learning
Rule indices: None
Severity: low
Risk score: 21
Runs every: 15m
Searches indices from: now-12h (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Use Case: Lateral Movement Detection
- Rule Type: ML
- Rule Type: Machine Learning
- Tactic: Lateral Movement
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editSetup
The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
Lateral Movement Detection Setup
The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic’s Anomaly Detection feature.
Prerequisite Requirements:
- Fleet is required for Lateral Movement Detection.
- To configure Fleet Server refer to the documentation.
- Windows RDP process events collected by the Elastic Defend integration.
- To install Elastic Defend, refer to the documentation.
The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Follow the instructions under the Installation section.
- For this rule to work, complete the instructions through Add preconfigured anomaly detection jobs.
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/