Malicious Remote File Creation
Malicious remote file creation, which can be an indicator of lateral movement activity.
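# Elastic prebuilt detection rule. `maturity = "deprecated"` and the
# deprecation_date below mean it is retained for reference, not maintained.
[metadata]
creation_date = "2023/10/12"
deprecation_date = "2023/12/14"
integration = ["endpoint"]
maturity = "deprecated"
# Why the 8.9.0 floor: a separate copy of this rule serves <= 8.8 stacks.
min_stack_comments = "Avoiding rule duplication for <= 8.8 stack versions"
min_stack_version = "8.9.0"
updated_date = "2023/12/14"

[rule]
author = ["Elastic"]
description = "Malicious remote file creation, which can be an indicator of lateral movement activity."
# Each run looks back 10 minutes but runs every 5 minutes, so consecutive
# runs overlap by 5 minutes -- presumably to tolerate ingest lag; verify
# against the ruleset's general convention.
from = "now-10m"
index = ["logs-endpoint.events.*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Malicious Remote File Creation"
references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
risk_score = 99
rule_id = "301571f3-b316-4969-8dd0-7917410030d3"
severity = "critical"
tags = [
    "Domain: Endpoint",
    "Use Case: Lateral Movement Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
]
type = "eql"

# Two-stage sequence, correlated per host.name:
#   1. a file creation attributed to a process that serves remote transfers
#      ("System" is presumably included for kernel-served SMB writes on
#      Windows -- confirm against the rule's original intent);
#   2. a malware or intrusion_detection file event attributed to the same
#      set of process names.
# Fix: the second stage's category test is parenthesized. Without the
# parentheses, `and` binds tighter than `or`, so `event.category == "malware"`
# was not constrained by process.name and any malware event on the host
# could complete the sequence.
# NOTE(review): the sequence sets no `maxspan`, so the two stages are bounded
# only by the rule's lookback window; an explicit maxspan would state the
# correlation intent and narrow what the engine has to hold in memory.
query = '''
sequence by host.name
[file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
[file where (event.category == "malware" or event.category == "intrusion_detection")
and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"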
References
Related rules
- Potential Process Herpaderping Attempt
- Deprecated - Potential Reverse Shell via Suspicious Parent Process
- Deprecated - Potential DNS Tunneling via Iodine
- Deprecated - Potential Process Injection via LD_PRELOAD Environment Variable
- Potential SSH Brute Force Detected on Privileged Account