Cisco ISE Alert Details
Alert ID: ISE-RDP-LATERAL-1021-7842
Alert Time: 2024-03-11 16:30:45 EST
Severity: HIGH (85/100)
Source: Cisco Identity Services Engine (ISE)
Rule: “Unusual RDP Connection – Potential Lateral Movement”
MITRE ATT&CK: T1021.001 – Remote Services: Remote Desktop Protocol
Alert Details:
Detection: RDP connection from non-admin workstation to critical server
Connection Details:
Source: 192.168.45.78 (ENG-WS-045 – Engineering Workstation)
Destination: 192.168.10.10 (DC-01 – Domain Controller)
User: rpatel@company.com (Engineer – not IT admin)
Time: 16:25-16:30 EST
Protocol: RDP (TCP/3389)
Session Duration: 5 minutes
Contextual Anomalies:
User rpatel has no business need for RDP to DC
Engineering workstations should not connect to domain controllers
Time of day: 16:25 (unusual)
Multiple RDP connections to other servers in last hour:
15:45 – RDP to FILESRV-01 (file server)
16:00 – RDP to SQL-SRV-01 (SQL server)
16:15 – RDP to WEB-SRV-01 (web server)
16:25 – RDP to DC-01 (domain controller)
Detection Logic:
Lateral movement pattern (RDP hopping)
User reaching progressively more critical systems (a privilege-escalation pattern)
Engineer accessing domain controller (highly anomalous)
Pattern matches attacker moving laterally to gain domain admin access
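As an added illustration (not code from the original report), the two detection rules above can be expressed as a hunt over RDP session records; the sample records, the ADM-JUMP-01 jump-host name, the one-hour window and the three-server threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample RDP session records (not taken from the report's logs).
# Fields: date time user source_host destination_host destination_port
SAMPLE_LOG = """\
2024-03-11 15:45:02 rpatel ENG-WS-045 FILESRV-01 3389
2024-03-11 16:00:11 rpatel ENG-WS-045 SQL-SRV-01 3389
2024-03-11 16:15:40 rpatel ENG-WS-045 WEB-SRV-01 3389
2024-03-11 16:25:07 rpatel ENG-WS-045 DC-01 3389
2024-03-11 16:10:00 jsmith ADM-JUMP-01 DC-01 3389
2024-03-11 15:50:00 mlee ENG-WS-012 FILESRV-01 3389
"""

CRITICAL_HOSTS = {"DC-01"}        # tier-0 assets; only jump hosts may RDP here
ADMIN_SOURCES = {"ADM-JUMP-01"}   # approved admin jump hosts (assumed name)
WINDOW = timedelta(hours=1)       # look-back window for the hopping rule
MIN_DISTINCT_DESTS = 3            # distinct servers in WINDOW that trigger it

def parse(log_text):
    """Return time-ordered (timestamp, user, src, dst) tuples for RDP sessions."""
    rows = []
    for line in log_text.splitlines():
        date, time, user, src, dst, port = line.split()
        if port == "3389":
            rows.append((datetime.fromisoformat(f"{date} {time}"), user, src, dst))
    return sorted(rows)

def detect_rdp_hopping(rows):
    """Apply the alert's two rules per source host: RDP hopping (many distinct
    servers inside WINDOW) and RDP to a critical host from a non-admin source."""
    by_src = defaultdict(list)
    for ts, user, src, dst in rows:
        by_src[src].append((ts, user, dst))
    findings = {}
    for src, events in by_src.items():           # events are time-ordered
        reasons = []
        # largest set of distinct destinations reached inside any WINDOW look-back
        hops = max(({d for t, _, d in events[: i + 1] if ts - t <= WINDOW}
                    for i, (ts, _, _) in enumerate(events)), key=len)
        if len(hops) >= MIN_DISTINCT_DESTS:
            reasons.append(f"RDP hopping: {len(hops)} distinct servers within {WINDOW}")
        crit = sorted({d for _, _, d in events if d in CRITICAL_HOSTS})
        if crit and src not in ADMIN_SOURCES:
            reasons.append(f"non-admin source reached critical host(s) {crit}")
        if reasons:
            findings[src] = {"users": sorted({u for _, u, _ in events}),
                             "path": [d for _, _, d in events], "reasons": reasons}
    return findings
```

Running `detect_rdp_hopping(parse(SAMPLE_LOG))` flags only ENG-WS-045 (both rules), while the jump host's RDP to DC-01 and the single engineering-to-file-server session stay silent.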
SOC Investigation Process
Step | Action | Tools Used | Findings
--- | --- | --- | ---
1. Alert Validation | Verify Cisco ISE alert | ISE Console, AD Logs | Confirmed anomalous RDP connections
2. Source Investigation | Check ENG-WS-045 | CrowdStrike Falcon | Host compromised (Cobalt Strike)
3. Immediate Action | Isolate ENG-WS-045 | CrowdStrike | Source host quarantined
4. Destination Check | Verify DC-01 status | CrowdStrike Falcon | DC-01 not compromised (yet)
5. Account Remediation | Disable rpatel account | Azure AD, AD | Account disabled; password reset
6. Threat Hunting | Check for other RDP connections | ISE, Splunk | No other anomalous connections found
Jira Incident Report
Ticket: SOC-2024-204
Summary: T1021.001 – RDP Lateral Movement from Compromised Engineering Host to DC
Status: RESOLVED
Resolution: MALICIOUS – Lateral Movement Stopped
Priority: P1 – CRITICAL
Labels: T1021, rdp, lateral-movement, cisco-ise, compromised-host
Components: Network-Security, Endpoint-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Cisco Identity Services Engine (ISE).
Alert: “Unusual RDP Connection – Potential Lateral Movement”.
Source: ENG-WS-045 (Engineering, IP 192.168.45.78).
Destinations: FILESRV-01, SQL-SRV-01, WEB-SRV-01, DC-01.
User: rpatel@company.com (compromised).
Time: 2024-03-11 16:30 EST.
Technique: MITRE ATT&CK T1021.001 – Remote Services: Remote Desktop Protocol.
2. Technical Analysis:
Attack Chain:
15:00 – rpatel account compromised via phishing
15:15 – Attacker logs into ENG-WS-045 via RDP (from external)
15:30 – Attacker enumerates network, identifies targets
15:45 – RDP to FILESRV-01 (file server)
16:00 – RDP to SQL-SRV-01 (SQL server)
16:15 – RDP to WEB-SRV-01 (web server)
16:25 – RDP to DC-01 (domain controller)
16:30 – ISE detects
Lateral Movement Pattern:
FILESRV-01: Attacker checked for sensitive files (none stolen)
SQL-SRV-01: Attacker enumerated databases (schema only)
WEB-SRV-01: Attacker checked web configs (found no credentials)
DC-01: Attacker attempted to enable WMI for persistence (blocked)
Attacker Intent:
Move laterally to gain access to domain controller
Escalate privileges to domain admin
Establish persistence for ransomware
3. Investigation Findings:
Timeline:
15:00 – Account compromised
15:15 – Attacker logs into ENG-WS-045
15:45-16:25 – RDP hopping
16:30 – Alert
16:32 – SOC investigates
16:33 – ENG-WS-045 isolated
16:34 – rpatel account disabled
Indicators of Compromise (IoCs):
Network:
– RDP from ENG-WS-045 (192.168.45.78) to multiple servers
Account:
– rpatel (compromised)
Host:
– ENG-WS-045 (Cobalt Strike beacon)
4. Containment Actions:
Immediate Actions:
Isolated ENG-WS-045.
Disabled rpatel account.
Reset password.
Verified no compromise on destination servers.
Removed any created persistence.
Network Remediation:
Restricted RDP to DC from specific admin jump hosts only.
Enhanced monitoring for RDP to critical servers.
Host Remediation:
Reimaged ENG-WS-045.
5. Root Cause Analysis:
Primary Cause: User account compromised, allowing RDP lateral movement.
Contributing Factors:
No MFA on account.
RDP allowed from any internal host to critical servers.
No network segmentation.
6. Business Impact:
Operational Impact: Engineering host offline; multiple servers accessed.
Data Exposure: No data stolen.
7. Remediation & Prevention:
Completed Actions:
Lateral movement stopped.
Account secured.
Hosts verified clean.
Technical Controls Enhanced:
Enforced MFA for all users.
Implemented network segmentation.
Restricted RDP to critical servers.
Enhanced monitoring for RDP connections.
8. Conclusion:
An attacker used a compromised engineering account to perform RDP lateral movement across multiple servers, culminating in an attempt to access the domain controller. ISE detected the anomalous RDP pattern and enabled isolation before domain compromise.
Closure Rationale: Lateral movement stopped; account secured; DC not compromised.
Analyst: [Your Name], SOC Analyst
Date: 2024-03-11 17:30 EST