Spike in Number of Connections Made from a Source IP

A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of valuable assets, data, or further access points.

Elastic rule (View on GitHub)

    [metadata]
    creation_date = "2023/10/12"
    integration = ["lmd", "endpoint"]
    maturity = "production"
    updated_date = "2025/01/15"

    [rule]
    anomaly_threshold = 70
    author = ["Elastic"]
    description = """
    A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source
    IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of
    valuable assets, data, or further access points.
    """
    from = "now-12h"
    interval = "15m"
    license = "Elastic License v2"
    machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
    name = "Spike in Number of Connections Made from a Source IP"
    references = [
        "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
        "https://docs.elastic.co/en/integrations/lmd",
        "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
        "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
    ]
    risk_score = 21
    rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
    setup = """## Setup

    The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

    ### Lateral Movement Detection Setup
    The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.

    #### Prerequisite Requirements:
    - Fleet is required for Lateral Movement Detection.
    - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
    - Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
    - To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

    #### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
    - Go to the Kibana homepage. Under Management, click Integrations.
    - In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
    - Follow the instructions under the **Installation** section.
    - For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
    """
    severity = "low"
    tags = [
        "Use Case: Lateral Movement Detection",
        "Rule Type: ML",
        "Rule Type: Machine Learning",
        "Tactic: Lateral Movement",
        "Resources: Investigation Guide",
    ]
    type = "machine_learning"
    note = """## Triage and analysis

    > **Disclaimer**:
    > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

    ### Investigating Spike in Number of Connections Made from a Source IP

    Remote Desktop Protocol (RDP) is a common tool for remote management, but adversaries exploit it for lateral movement within networks. By establishing numerous connections from a single IP, attackers seek to expand their access. This detection rule leverages machine learning to identify unusual spikes in RDP connections, signaling potential unauthorized access attempts, and aids in early threat identification.

    ### Possible investigation steps

    - Review the source IP address to determine if it is a known or trusted entity within the network.
    - Analyze the list of destination IPs to identify any unusual or unauthorized systems being accessed.
    - Check the timestamps of the connections to see if they align with expected activity patterns or occur during unusual hours.
    - Investigate the user account associated with the RDP connections to verify if it has been compromised or is being misused.
    - Correlate the spike in connections with any recent changes or incidents in the network that might explain the activity.
    - Examine network logs and RDP session logs for any signs of suspicious behavior or anomalies during the connection attempts.

    ### False positive analysis

    - Routine administrative tasks can trigger spikes in RDP connections. Regularly scheduled maintenance or software updates may cause a high number of connections from a single IP. To manage this, identify and whitelist IPs associated with known administrative activities.
    - Automated scripts or tools used for network management might establish multiple RDP connections. Review and document these tools, then create exceptions for their IP addresses to prevent false alerts.
    - Load balancers or proxy servers can appear as a single source IP making numerous connections. Verify the network architecture and exclude these IPs from the rule to avoid misidentification.
    - Security scans or vulnerability assessments conducted by internal teams can result in a spike of connections. Coordinate with security teams to recognize these activities and exclude their IPs from triggering the rule.
    - Remote work solutions or VPNs might centralize connections through a single IP, leading to false positives. Identify these IPs and adjust the rule to accommodate legitimate remote access patterns.

    ### Response and remediation

    - Isolate the affected system immediately to prevent further lateral movement within the network. Disconnect it from the network or place it in a quarantine VLAN.
    - Terminate any unauthorized RDP sessions originating from the identified source IP to halt ongoing unauthorized access attempts.
    - Conduct a thorough review of the affected system for signs of compromise, including checking for unauthorized user accounts, changes in system configurations, and the presence of malware or suspicious files.
    - Reset credentials for any accounts accessed via the compromised system to prevent further unauthorized access using stolen credentials.
    - Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for lateral movement.
    - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
    - Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts."""
    [[rule.threat]]
    framework = "MITRE ATT&CK"
    [[rule.threat.technique]]
    id = "T1210"
    name = "Exploitation of Remote Services"
    reference = "https://attack.mitre.org/techniques/T1210/"


    [rule.threat.tactic]
    id = "TA0008"
    name = "Lateral Movement"
    reference = "https://attack.mitre.org/tactics/TA0008/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Spike in Number of Connections Made from a Source IP

Remote Desktop Protocol (RDP) is a common tool for remote management, but adversaries exploit it for lateral movement within networks. By establishing numerous connections from a single IP, attackers seek to expand their access. This detection rule leverages machine learning to identify unusual spikes in RDP connections, signaling potential unauthorized access attempts, and aids in early threat identification.

Possible investigation steps

  • Review the source IP address to determine if it is a known or trusted entity within the network.
  • Analyze the list of destination IPs to identify any unusual or unauthorized systems being accessed.
  • Check the timestamps of the connections to see if they align with expected activity patterns or occur during unusual hours.
  • Investigate the user account associated with the RDP connections to verify if it has been compromised or is being misused.
  • Correlate the spike in connections with any recent changes or incidents in the network that might explain the activity.
  • Examine network logs and RDP session logs for any signs of suspicious behavior or anomalies during the connection attempts.

False positive analysis

  • Routine administrative tasks can trigger spikes in RDP connections. Regularly scheduled maintenance or software updates may cause a high number of connections from a single IP. To manage this, identify and whitelist IPs associated with known administrative activities.
  • Automated scripts or tools used for network management might establish multiple RDP connections. Review and document these tools, then create exceptions for their IP addresses to prevent false alerts.
  • Load balancers or proxy servers can appear as a single source IP making numerous connections. Verify the network architecture and exclude these IPs from the rule to avoid misidentification.
  • Security scans or vulnerability assessments conducted by internal teams can result in a spike of connections. Coordinate with security teams to recognize these activities and exclude their IPs from triggering the rule.
  • Remote work solutions or VPNs might centralize connections through a single IP, leading to false positives. Identify these IPs and adjust the rule to accommodate legitimate remote access patterns.

Response and remediation

  • Isolate the affected system immediately to prevent further lateral movement within the network. Disconnect it from the network or place it in a quarantine VLAN.
  • Terminate any unauthorized RDP sessions originating from the identified source IP to halt ongoing unauthorized access attempts.
  • Conduct a thorough review of the affected system for signs of compromise, including checking for unauthorized user accounts, changes in system configurations, and the presence of malware or suspicious files.
  • Reset credentials for any accounts accessed via the compromised system to prevent further unauthorized access using stolen credentials.
  • Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for lateral movement.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
  • Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts.
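The following is an added worked example, not code from Elastic or from the rule above. It approximates what the ML job measures (distinct destination IPs per source IP in each 15-minute window, the rule's interval), flags windows that stand out against the source's own baseline, applies the exceptions the false-positive section recommends (known admin hosts and scanner ranges), and attaches the facts the investigation steps ask for first (destinations, users, first/last seen, off-hours share). The events, the 10.0.0.0/8 addresses, the exception ranges, the 08:00-17:59 UTC business window and the fixed thresholds are all constructed assumptions; the real job uses anomaly scoring against a learned baseline (anomaly_threshold = 70), not a fixed multiplier.

```python
"""Added example, not Elastic's code: a simplified stand-in for the
lmd_high_rdp_distinct_count_destination_ip_for_source job, run over constructed
ECS-style RDP events, with the exclusions and triage summary the guide describes.
Thresholds and the business-hours window are assumptions, not the job's logic."""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress
import statistics

RDP_PORT = 3389
BUCKET_MINUTES = 15            # matches the rule's interval = "15m"
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 UTC working window, used only for triage


def _mk(ts, src, dst, user):
    """Build one constructed ECS-like RDP connection event."""
    return {"@timestamp": ts, "source.ip": src, "destination.ip": dst,
            "destination.port": RDP_PORT, "user.name": user}


# Constructed sample data (not from any real environment).
SAMPLE_EVENTS = (
    # Workstation: one session to the same file server in each window across a working day...
    [_mk(f"2025-01-15T{h:02d}:05:00Z", "10.0.0.77", "10.0.1.20", "jdoe") for h in range(9, 17)]
    # ...then nine distinct hosts inside a single 15-minute window at 02:00 the next night.
    + [_mk(f"2025-01-16T02:{1 + i:02d}:00Z", "10.0.0.77", f"10.0.1.{30 + i}", "jdoe") for i in range(9)]
    # Admin jump host doing a patch round: eight servers in one window.
    + [_mk(f"2025-01-15T10:{i:02d}:00Z", "10.0.0.5", f"10.0.2.{10 + i}", "admin") for i in range(8)]
    # Internal vulnerability scanner sweeping twelve hosts.
    + [_mk(f"2025-01-15T22:{i:02d}:00Z", "10.0.9.4", f"10.0.3.{i}", "scanner") for i in range(12)]
)

# Exceptions per the false-positive guidance: a documented admin host and a scanner range (constructed).
KNOWN_SOURCES = [ipaddress.ip_network("10.0.0.5/32"), ipaddress.ip_network("10.0.9.0/24")]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _bucket(ts):
    """Floor a timestamp to the start of its 15-minute window."""
    return ts.replace(minute=ts.minute - ts.minute % BUCKET_MINUTES, second=0, microsecond=0)


def distinct_destinations(events):
    """source.ip -> {window_start -> set(destination.ip)}, RDP events only."""
    per_source = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("destination.port") != RDP_PORT:
            continue
        per_source[ev["source.ip"]][_bucket(_parse_ts(ev["@timestamp"]))].add(ev["destination.ip"])
    return per_source


def find_spikes(per_source, min_distinct=5, factor=3.0):
    """Flag a window whose distinct-destination count is at least min_distinct and at least
    factor times the source's median over its other windows (assumed fixed thresholds)."""
    alerts = []
    for src, buckets in per_source.items():
        counts = {b: len(d) for b, d in buckets.items()}
        for b, n in counts.items():
            others = [c for ob, c in counts.items() if ob != b]
            baseline = statistics.median(others) if others else 0
            if n >= min_distinct and n >= factor * baseline:
                alerts.append({"source.ip": src, "window": b.isoformat(),
                               "distinct_destinations": n, "baseline": baseline})
    return sorted(alerts, key=lambda a: (a["source.ip"], a["window"]))


def apply_exclusions(alerts, known_sources=KNOWN_SOURCES):
    """Drop alerts whose source sits inside a documented admin, scanner, proxy or VPN range."""
    return [a for a in alerts
            if not any(ipaddress.ip_address(a["source.ip"]) in net for net in known_sources)]


def triage_summary(events, source_ip):
    """The facts an analyst wants first: destinations, users, timing and off-hours share."""
    mine = [ev for ev in events if ev["source.ip"] == source_ip]
    stamps = sorted(_parse_ts(ev["@timestamp"]) for ev in mine)
    return {
        "destinations": sorted({ev["destination.ip"] for ev in mine}),
        "users": sorted({ev["user.name"] for ev in mine}),
        "first_seen": stamps[0].isoformat() if stamps else None,
        "last_seen": stamps[-1].isoformat() if stamps else None,
        "events": len(mine),
        "off_hours_events": sum(1 for t in stamps if t.hour not in BUSINESS_HOURS),
    }


def run(events=SAMPLE_EVENTS):
    """End to end: aggregate, flag spikes, apply exceptions, attach triage context."""
    alerts = apply_exclusions(find_spikes(distinct_destinations(events)))
    for a in alerts:
        a["triage"] = triage_summary(events, a["source.ip"])
    return alerts


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

On the constructed data all three sources exceed the raw threshold, but the jump host and the scanner fall inside the documented exception ranges, so only the workstation's 02:00 window (nine distinct destinations against a baseline of one, every event outside business hours) survives to triage. The exception list is deliberately CIDR-based rather than a bare IP list so that a whole scanner or VPN concentrator range can be documented once.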
