Unusual Process Writing Data to an External Device
A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/09/22"
integration = ["ded", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has detected a rare process writing data to an external device. Malicious actors often use
benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no
legitimate reason to write data to external devices can indicate exfiltration.
"""
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "ded_rare_process_writing_to_external_device"
name = "Unusual Process Writing Data to an External Device"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/ded",
    "https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration",
]
risk_score = 21
rule_id = "4b95ecea-7225-4690-9938-2a2c0bad9c99"
setup = """## Setup

The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).

### Data Exfiltration Detection Setup
The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Data Exfiltration Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- File events collected by the Elastic Defend integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Data Exfiltration Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Exfiltration",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Process Writing Data to an External Device

In modern environments, processes may write data to external devices for legitimate reasons, such as backups or data transfers. However, adversaries can exploit this by using seemingly harmless processes to exfiltrate sensitive data. The detection rule leverages machine learning to identify rare processes engaging in such activities, flagging potential exfiltration attempts by analyzing deviations from typical behavior patterns.

### Possible investigation steps

- Review the process name and path to determine if it is commonly associated with legitimate activities or known software.
- Check the user account associated with the process to verify if it has the necessary permissions and if the activity aligns with the user's typical behavior.
- Analyze the external device's details, such as its type and connection history, to assess if it is a recognized and authorized device within the organization.
- Investigate the volume and type of data being written to the external device to identify any sensitive or unusual data transfers.
- Correlate the process activity with other security events or logs to identify any concurrent suspicious activities or anomalies.
- Consult with the user or department associated with the process to confirm if the data transfer was authorized and necessary.

### False positive analysis

- Backup processes may trigger alerts when writing data to external devices. Users should identify and whitelist legitimate backup applications to prevent false positives.
- Data transfer applications used for legitimate business purposes can be flagged. Regularly review and approve these applications to ensure they are not mistakenly identified as threats.
- Software updates or installations that involve writing data to external devices might be detected. Establish a list of known update processes and exclude them from triggering alerts.
- IT maintenance activities, such as system diagnostics or hardware testing, can cause false positives. Document and exclude these routine processes to avoid unnecessary alerts.
- User-initiated file transfers for legitimate reasons, such as moving large datasets for analysis, should be monitored and approved to prevent misclassification.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further data exfiltration and contain the threat.
- Identify and terminate the suspicious process writing data to the external device to stop any ongoing exfiltration activities.
- Conduct a forensic analysis of the affected system to determine the scope of the data exfiltration, including what data was accessed or transferred.
- Review and revoke any compromised credentials or access permissions associated with the affected process to prevent unauthorized access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat or related suspicious activities.
- Update security policies and controls to prevent similar exfiltration attempts, such as restricting process permissions to write to external devices and enhancing endpoint protection measures."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1052"
name = "Exfiltration Over Physical Medium"
reference = "https://attack.mitre.org/techniques/T1052/"


[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"
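The investigation steps and false-positive notes in the rule's guide amount to a small triage procedure: establish how rare the writing process is, gather who ran it, on which host, to which device and how much it wrote, then set aside the processes you have documented as legitimate. The script below is an added example, not Elastic's `ded_rare_process_writing_to_external_device` job and not code from the detection-rules repository; it approximates the job's rarity idea with a plain frequency count over constructed ECS-style events and then pulls out the facts the steps ask for. The events, the hosts, users and device IDs in them, and the field names `device.id` and `file.Ext.bytes_written` are constructed for this example and are not guaranteed Elastic Defend fields.

```python
"""Rarity-based triage of file writes to removable media.

Added example. This is not Elastic's ded_rare_process_writing_to_external_device
job and does not reproduce its detector configuration; it approximates the idea
("a process that rarely writes to external devices") with a frequency count over
constructed ECS-style events. device.id and file.Ext.bytes_written are assumed
field names for this example only.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _event(ts, host, user, process, exe, device, nbytes):
    """Build one constructed ECS-like file-write event (sample data, not real telemetry)."""
    return {
        "@timestamp": ts.isoformat(timespec="seconds"),
        "host": {"name": host},
        "user": {"name": user},
        "process": {"name": process, "executable": exe},
        "device": {"id": device, "removable": True},   # assumed field
        "file": {"Ext": {"bytes_written": nbytes}},     # assumed field
    }


def sample_events():
    """Constructed baseline: routine backups and staff copies, plus one outlier."""
    t0 = datetime(2025, 1, 6, 1, 0)
    events = []
    # Nightly backup agent: 10 writes over 5 nights, same service account and device.
    for day in range(5):
        for n in range(2):
            events.append(_event(t0 + timedelta(days=day, minutes=n), "FS01", "svc_backup",
                                 "backup-agent.exe", r"C:\Program Files\Backup\backup-agent.exe",
                                 "USB-BACKUP-01", 50_000_000))
    # Staff copying files through Explorer to their own sticks on their own workstations.
    for day in range(4):
        for user, host, dev in (("alice", "WS-A", "USB-STAFF-02"), ("bob", "WS-B", "USB-STAFF-03")):
            events.append(_event(t0 + timedelta(days=day, hours=10), host, user, "explorer.exe",
                                 r"C:\Windows\explorer.exe", dev, 2_000_000))
    # Outlier: an interactive shell writing 1.5 GB to a never-seen device at 02:13.
    events.append(_event(datetime(2025, 1, 10, 2, 13), "WS-C", "jdoe", "powershell.exe",
                         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                         "USB-UNKNOWN-77", 1_500_000_000))
    return events


def rare_processes(events, max_share=0.10):
    """Process names responsible for at most max_share of all external-device writes."""
    counts = Counter(e["process"]["name"] for e in events)
    total = sum(counts.values())
    return {name for name, c in counts.items() if c / total <= max_share}


def summarize(events):
    """Aggregate per (process, user, device): the facts an analyst needs before calling the user."""
    agg = defaultdict(lambda: {"writes": 0, "bytes": 0, "hosts": set(),
                               "first_seen": None, "last_seen": None})
    for e in events:
        s = agg[(e["process"]["name"], e["user"]["name"], e["device"]["id"])]
        s["writes"] += 1
        s["bytes"] += e["file"]["Ext"]["bytes_written"]
        s["hosts"].add(e["host"]["name"])
        ts = e["@timestamp"]   # ISO-8601 strings of equal format compare correctly as text
        s["first_seen"] = ts if s["first_seen"] is None or ts < s["first_seen"] else s["first_seen"]
        s["last_seen"] = ts if s["last_seen"] is None or ts > s["last_seen"] else s["last_seen"]
    return agg


def triage(events, known_good=frozenset(), max_share=0.10):
    """Findings for rare processes not on the documented allowlist, largest transfer first."""
    rare = rare_processes(events, max_share) - set(known_good)
    findings = []
    for (proc, user, dev), s in summarize(events).items():
        if proc not in rare:
            continue
        findings.append({"process": proc, "user": user, "device": dev,
                         "hosts": sorted(s["hosts"]), "writes": s["writes"], "bytes": s["bytes"],
                         "first_seen": s["first_seen"], "last_seen": s["last_seen"]})
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


if __name__ == "__main__":
    for f in triage(sample_events(), known_good={"backup-agent.exe"}):
        print(f"{f['process']} by {f['user']} -> {f['device']} on {','.join(f['hosts'])}: "
              f"{f['bytes'] / 1e9:.2f} GB in {f['writes']} write(s), first seen {f['first_seen']}")
```

Run stand-alone it reports the single outlier: powershell.exe run by jdoe writing 1.5 GB to a device no other host has used, which is the record an analyst wants before the "consult with the user" step. The `known_good` set stands in for the allowlist the false-positive section describes; in Elastic Security that belongs in rule exceptions for approved backup and transfer software, not in a script. One caveat on the response steps: the mapped technique is exfiltration over a physical medium, so isolating the host from the network does not stop a copy already running to a USB device; the device has to be ejected or blocked as well.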
Related rules
- Potential Data Exfiltration Activity to an Unusual Destination Port
- Potential Data Exfiltration Activity to an Unusual IP Address
- Potential Data Exfiltration Activity to an Unusual ISO Code
- Potential Data Exfiltration Activity to an Unusual Region
- Spike in Bytes Sent to an External Device