1. Overview

Lateral movement incidents indicate that an attacker is using tools and techniques that enable movement between resources on a network.

2. Investigation

The following incident shows that netcat was used to establish a listener on port 9000.

lateral movement incident

This behavior is a probable precursor to creating a reverse shell, allowing network-based remote control of another resource.

Your investigation should focus on:

  • Determining how the process in the alert, such as nc.openbsd, was executed. Review additional entries in Incident Explorer and other audits from the source, looking for unusual process execution, hijacked processes, and explicit execution of commands.

  • Reviewing container runtime audits to determine if the target successfully connected.

  • If the target did successfully connect, determine what the attacker was able to do and if they were able to move further through the network.

3. Mitigation

After determining the cause of the process execution, resolve the problem, whether it be an exposed vulnerability, a configuration issue, or something else.

For additional protection, enable the prevent or block actions in the applicable runtime rules to take action when anomalous processes, such as netcat, are executed.