Deprecated - Remote File Creation on a Sensitive Directory
Detects files created by a remote host in sensitive directories and folders. Remote file creation in these directories could indicate a malicious binary or script attempting to compromise the system.
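# Elastic prebuilt detection rule (deprecated). [metadata] holds lifecycle
# fields read by the rule tooling; [rule] is the detection itself.
[metadata]
creation_date = "2023/10/12"
integration = ["endpoint"]
maturity = "deprecated"
deprecation_date = "2024/04/01"
# Why the rule is pinned to 8.9.0+: presumably an equivalent rule already
# covers <= 8.8 stacks, so shipping this one there would duplicate alerts
# — confirm against the rule that superseded it.
min_stack_comments = "Avoiding rule duplication for <= 8.8 stack versions"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"

[rule]
author = ["Elastic"]
description = """
Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these
directories could indicate a malicious binary or script trying to compromise the system.
"""
# Each run looks back 10 minutes but runs every 5 minutes, so consecutive
# windows overlap; presumably a buffer against ingest delay — confirm.
from = "now-10m"
index = ["logs-endpoint.events.*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Deprecated - Remote File Creation on a Sensitive Directory"
references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
risk_score = 47
rule_id = "2377946d-0f01-4957-8812-6878985f515d"
severity = "medium"
tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
# Evaluate on ingest time rather than event time; presumably so events that
# arrive late still fall inside the 10-minute lookback — confirm.
timestamp_override = "event.ingested"
type = "eql"

# Query notes (kept outside the string so the EQL itself is unchanged):
# - Despite the rule name, both "creation" and "modification" actions match.
# - Events attributed to SYSTEM/root are excluded; the process filter keeps
#   only remote file-transfer daemons plus the Windows "System" process,
#   presumably where server-side SMB writes are attributed — confirm.
# - `:` is a case-insensitive wildcard match. Patterns with no trailing
#   separator ("/tmp*", "/var/tmp*", "Roaming*") also match sibling names
#   that merely share the prefix (e.g. "/tmpfoo"); tighten if this is noisy.
# - "/home/*/.*" and "/home/.*" only match paths containing a dot-prefixed
#   component (hidden files or directories) under /home; non-hidden writes
#   in home directories do not fire.
query = '''
file where event.action in ("creation", "modification") and
 not user.name:("SYSTEM", "root") and
 process.name in ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and
 (
 file.path : (
 "?:\\Users\\*\\AppData\\Roaming*", "?:\\Program Files*",
 "?:\\Windows\\*", "?:\\Windows\\System\\*",
 "?:\\Windows\\System32\\*", "/etc/*", "/tmp*",
 "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
 "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
 "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
 "/lib/systemd/*"
 )
)
'''


# ATT&CK mapping: one threat entry, one technique, one tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"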
Related rules
- Malicious Remote File Creation
- Potential Privilege Escalation via Enlightenment
- Privilege Escalation via CAP_CHOWN/CAP_FOWNER Capabilities
- Privilege Escalation via GDB CAP_SYS_PTRACE
- Process Capability Enumeration