Spike in Number of Connections Made to a Destination IP

A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets detected and blocked.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination
IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets
detected and blocked.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
name = "Spike in Number of Connections Made to a Destination IP"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/lmd",
    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
]
risk_score = 21
rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
setup = """## Setup

The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

### Lateral Movement Detection Setup
The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Lateral Movement Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Lateral Movement Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Number of Connections Made to a Destination IP

Remote Desktop Protocol (RDP) is crucial for remote management and troubleshooting in IT environments. However, adversaries exploit RDP by using multiple compromised IPs to overwhelm a target, ensuring persistence even if some IPs are blocked. The detection rule leverages machine learning to identify unusual spikes in RDP connections to a single IP, signaling potential lateral movement attempts by attackers.

### Possible investigation steps

- Review the list of source IPs that have established RDP connections to the destination IP to identify any known malicious or suspicious IP addresses.
- Check historical data for the destination IP to determine if it has been targeted in previous attacks or if it is a high-value asset within the network.
- Analyze the timing and frequency of the RDP connections to identify any unusual patterns or spikes that could indicate coordinated activity.
- Investigate the user accounts associated with the RDP connections to ensure they are legitimate and have not been compromised.
- Correlate the detected activity with any other security alerts or logs to identify potential lateral movement or further exploitation attempts within the network.

### False positive analysis

- Routine administrative tasks may trigger false positives if multiple IT staff connect to a server for maintenance. Consider creating exceptions for known administrative IPs.
- Automated scripts or monitoring tools that frequently connect to servers for health checks can cause spikes. Identify and exclude these IPs from the rule.
- Load balancers or proxy servers that aggregate connections from multiple clients might appear as a spike. Exclude these devices from the detection rule.
- Scheduled software updates or deployments that require multiple connections to a server can be mistaken for an attack. Whitelist the IPs involved in these processes.
- Internal network scans or vulnerability assessments conducted by security teams can generate high connection counts. Ensure these activities are recognized and excluded.

### Response and remediation

- Immediately isolate the affected destination IP from the network to prevent further unauthorized RDP connections and potential lateral movement.
- Conduct a thorough review of the logs and network traffic associated with the destination IP to identify all source IPs involved in the spike and assess the scope of the compromise.
- Block all identified malicious source IPs at the firewall or network perimeter to prevent further connections to the destination IP.
- Reset credentials and enforce multi-factor authentication for accounts that were accessed via RDP to mitigate unauthorized access.
- Perform a security assessment of the affected systems to identify any signs of compromise or unauthorized changes, and restore systems from clean backups if necessary.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or networks are affected.
- Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes in the future, ensuring quick identification and response to potential threats."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
...

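The following is an added example, not code from the Elastic rule or from the Lateral Movement Detection integration. It approximates in plain Python what the `lmd_high_rdp_distinct_count_source_ip_for_destination` job counts (distinct `source.ip` per `destination.ip` over RDP, TCP port 3389, in 15-minute buckets) so the idea can be exercised against sample events offline, and it applies the kind of allowlist the false-positive section recommends for scanner and jump-host ranges. The ML job's real scoring is Elastic anomaly detection; the median baseline, the `min_sources` and `ratio` thresholds, the ECS-style event shape, the sample IPs, and the `10.9.9.0/24` scanner subnet are all assumptions made for illustration.

```python
# Added example: offline approximation of the rule's count, not Elastic's job code.
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from statistics import median

RDP_PORT = 3389
BUCKET_SECONDS = 15 * 60  # same granularity as the rule's 15m interval


def _epoch(ts: str) -> int:
    """ISO-8601 @timestamp with trailing Z -> epoch seconds."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


def make_event(ts, src, dst, dport=RDP_PORT, user="svc-admin"):
    """Constructed ECS-style connection event (sample data, not real telemetry)."""
    return {
        "@timestamp": ts,
        "event": {"category": ["network"], "type": ["connection"]},
        "source": {"ip": src},
        "destination": {"ip": dst, "port": dport},
        "network": {"transport": "tcp"},
        "user": {"name": user},
    }


def is_rdp(event) -> bool:
    """Only TCP connections to the RDP port are counted; everything else is ignored."""
    return (
        "network" in event.get("event", {}).get("category", [])
        and event.get("destination", {}).get("port") == RDP_PORT
        and event.get("network", {}).get("transport") == "tcp"
    )


def bucket_start(epoch: int) -> int:
    return epoch - epoch % BUCKET_SECONDS


def distinct_sources(events, allowlist=()):
    """(destination.ip, bucket_start) -> set of distinct source.ip seen over RDP.
    allowlist: CIDRs of known scanners / admin jump hosts dropped before counting
    (the exception the false-positive section suggests)."""
    nets = [ip_network(c) for c in allowlist]
    per_bucket = defaultdict(set)
    for ev in events:
        if not is_rdp(ev):
            continue
        src = ip_address(ev["source"]["ip"])
        if any(src in n for n in nets):
            continue
        key = (ev["destination"]["ip"], bucket_start(_epoch(ev["@timestamp"])))
        per_bucket[key].add(str(src))
    return per_bucket


def find_spikes(per_bucket, min_sources=5, ratio=3.0):
    """Flag a bucket whose distinct source count is >= min_sources and >= ratio times
    the median of that destination's other buckets. Thresholds are illustrative,
    not the ML job's anomaly_threshold."""
    by_dest = defaultdict(dict)
    for (dst, start), srcs in per_bucket.items():
        by_dest[dst][start] = srcs
    findings = []
    for dst, buckets in by_dest.items():
        for start, srcs in sorted(buckets.items(), key=lambda kv: kv[0]):
            others = [len(s) for other, s in buckets.items() if other != start]
            baseline = median(others) if others else 0
            if len(srcs) >= min_sources and len(srcs) >= ratio * max(baseline, 1):
                findings.append({
                    "destination.ip": dst,
                    "bucket_start": datetime.fromtimestamp(start, timezone.utc).isoformat(),
                    "distinct_source_count": len(srcs),
                    "baseline_median": baseline,
                    "source.ips": sorted(srcs, key=ip_address),  # the list triage reviews first
                })
    return findings


# Constructed sample data (assumed addresses, not from any real environment).
SAMPLE_EVENTS = []
for minute in (0, 15, 30, 45):  # baseline: two jump hosts RDP to 10.0.0.5 every bucket
    for src in ("10.1.1.10", "10.1.1.11"):
        SAMPLE_EVENTS.append(make_event(f"2024-03-01T08:{minute:02d}:10Z", src, "10.0.0.5"))
for i in range(1, 9):  # spike: eight distinct hosts, eight accounts, one bucket
    SAMPLE_EVENTS.append(make_event(f"2024-03-01T09:0{i}:00Z", f"10.2.0.{i}", "10.0.0.5", user=f"user{i}"))
for i in range(1, 11):  # noise: HTTPS from ten clients, not RDP, must not count
    SAMPLE_EVENTS.append(make_event("2024-03-01T09:05:00Z", f"10.3.0.{i}", "10.0.0.5", dport=443))
for i in range(1, 7):  # vulnerability scanner subnet sweeping 10.0.0.9 on 3389
    SAMPLE_EVENTS.append(make_event("2024-03-01T09:02:00Z", f"10.9.9.{i}", "10.0.0.9"))

SCANNER_ALLOWLIST = ["10.9.9.0/24"]  # assumed known-scanner range


def run_sample(allowlist=SCANNER_ALLOWLIST):
    return find_spikes(distinct_sources(SAMPLE_EVENTS, allowlist))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

With the scanner range allowlisted only the 10.0.0.5 bucket at 09:00 is reported (8 distinct sources against a baseline median of 2); with an empty allowlist the scanner sweep of 10.0.0.9 is reported too, which is the false positive the rule's guide tells you to except rather than chase.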
