Triggers
- The detection results from the observation of two closed sessions where an internal host is attacking another internal host by uploading a payload which causes the destination host to connect back to the initial host to download additional stages of software
Possible Root Causes
- The initial host is transmitting an exploit to a destination host which runs a stage loader and connects back to the initial host to load the rest of the malware necessary for the attacker to make progress toward their goal
- Bidirectional transaction-based protocols where commands or requests are issued over one port/protocol and data is returned shortly thereafter over another port/protocol can also trigger the detection—common protocols which behave in this manner include the WinRM 2.0 Framework (used for Windows remote management), PostgreSQL, and SNPP (Simple Network Paging Protocol)
Business Impact
- Lateral movement within a network expands an attacker’s footprint and exposes an organization to substantial risk of data acquisition and exfiltration
- Lateral movement through exploits or leveraging stolen credentials is involved in almost all high-profile breaches
- The destination host which is attacked provides a possible perspective on the potential business impact
Steps to Verify
- Determine whether there is any reason for the two hosts involved in a stage loading sequence to be communicating with each other
- Check to see whether any connections between the initial and destination host (in either direction) persist after the stage loading sequence
- Run all available endpoint checks on both the initial and the destination host to check for unwanted malware, but realize that fileless malware will typically escape detection