Deprecated - Remote File Creation on a Sensitive Directory

Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these directories could indicate a malicious binary or script trying to compromise the system.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/10/12"
integration = ["endpoint"]
maturity = "deprecated"
deprecation_date = "2024/04/01"
min_stack_comments = "Avoding rule duplication for <= 8.8 stack versions"
min_stack_version = "8.9.0"
updated_date = "2024/04/01"

[rule]
author = ["Elastic"]
description = """
Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these
directories could indicate a malicious binary or script trying to compromise the system.
"""
from = "now-10m"
index = ["logs-endpoint.events.*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Deprecated - Remote File Creation on a Sensitive Directory"
references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"]
risk_score = 47
rule_id = "2377946d-0f01-4957-8812-6878985f515d"
severity = "medium"
tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where event.action in ("creation", "modification") and
  not user.name:("SYSTEM", "root") and
  process.name in ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and
  (
    file.path : (
        "?:\\Users\\*\\AppData\\Roaming*", "?:\\Program Files*",
        "?:\\Windows\\*", "?:\\Windows\\System\\*",
        "?:\\Windows\\System32\\*", "/etc/*", "/tmp*",
        "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
        "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
        "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
        "/lib/systemd/*"
    )
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
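To make the rule's logic concrete, the following Python is an added example (not Elastic's code and not part of the rule) that re-implements the EQL query above as a plain filter and runs it over a handful of constructed endpoint events. It assumes flat ECS-style field names as dictionary keys and reproduces the EQL semantics the query relies on: the `:` operator is a case-insensitive wildcard match (`*` any run, `?` one character), `in` on `process.name` is case-sensitive, and the `\\` in the TOML string is a single backslash in the path pattern.

```python
import re

# Filter sets copied from the rule's EQL query.
ACTIONS = {"creation", "modification"}
EXCLUDED_USERS = {"system", "root"}  # user.name : (...) is case-insensitive in EQL
REMOTE_PROCESSES = {"System", "scp", "sshd", "smbd", "vsftpd", "sftp-server"}  # 'in' is case-sensitive

# Sensitive-directory wildcards from the query; "\\" in the TOML source is one backslash here.
SENSITIVE_PATHS = [
    r"?:\Users\*\AppData\Roaming*", r"?:\Program Files*",
    r"?:\Windows\*", r"?:\Windows\System\*",
    r"?:\Windows\System32\*", "/etc/*", "/tmp*",
    "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
    "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
    "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
    "/lib/systemd/*",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL wildcard ('*' = any run, '?' = one char) into an
    anchored, case-insensitive regex, mirroring the EQL ':' operator."""
    escaped = re.escape(pattern)
    regex = escaped.replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{regex}$", re.IGNORECASE)


SENSITIVE_PATH_RES = [wildcard_to_regex(p) for p in SENSITIVE_PATHS]


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies every clause of the EQL query."""
    if event.get("event.category") != "file":
        return False
    if event.get("event.action") not in ACTIONS:
        return False
    if str(event.get("user.name", "")).lower() in EXCLUDED_USERS:
        return False
    if event.get("process.name") not in REMOTE_PROCESSES:
        return False
    path = event.get("file.path", "")
    return any(r.match(path) for r in SENSITIVE_PATH_RES)


def alerts(events):
    """Events the rule would raise an alert for, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry) covering the main branches.
SAMPLE_EVENTS = [
    {"event.category": "file", "event.action": "creation", "user.name": "alice",
     "process.name": "sshd", "file.path": "/etc/cron.d/update"},                     # alert
    {"event.category": "file", "event.action": "creation", "user.name": "jdoe",
     "process.name": "System", "file.path": r"C:\Windows\System32\drivers\x.sys"},   # alert (SMB via System)
    {"event.category": "file", "event.action": "creation", "user.name": "root",
     "process.name": "scp", "file.path": "/usr/bin/tool"},                            # excluded user
    {"event.category": "file", "event.action": "creation", "user.name": "alice",
     "process.name": "bash", "file.path": "/tmp/x.sh"},                               # local process
    {"event.category": "file", "event.action": "deletion", "user.name": "alice",
     "process.name": "sshd", "file.path": "/etc/passwd"},                             # action not covered
    {"event.category": "file", "event.action": "modification", "user.name": "bob",
     "process.name": "smbd", "file.path": "/home/bob/Documents/notes.txt"},           # not a dotfile
]

if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print(f"ALERT {e['process.name']} wrote {e['file.path']} as {e['user.name']}")
```

Running the sample yields two alerts (the sshd write under `/etc/` and the `System`-process write under `System32`). The other events show the rule's boundaries as written: activity by `SYSTEM`/`root` is exempted, only the listed remote-service processes are considered, deletions are not in scope, and under `/home` only dotfiles and dot-directories count.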
