High Mean of Process Arguments in an RDP Session

A machine learning job has detected an unusually high mean number of process arguments across the processes started in an RDP session. Sophisticated activity such as lateral movement often relies on complex command lines, obfuscation, redirection and piping, and each wrapper, switch, operator and target adds another argument, so the per-process argument count for the session rises well above what ordinary interactive use produces.
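To make the metric concrete, here is an added example (not code from the Elastic rule or the Lateral Movement Detection integration) that computes the per-RDP-session mean of process argument counts from ECS-style process events and flags sessions whose mean sits far above a baseline. The events and the baseline are constructed; the field names process.args, process.args_count and process.Ext.session, and the convention that an RDP logon's session value starts with "RDP", are assumptions about Elastic Defend's output rather than anything this page states. The z-score threshold stands in for the job's anomaly score and is a simplification, not the ML scoring the rule relies on.

```python
"""Added example (not part of the Elastic rule): mean process argument count
per RDP session, flagged against a baseline with a simple z-score.
Sample events and baseline are constructed. Field names process.args,
process.args_count and process.Ext.session are assumed to match Elastic
Defend output (assumption, not stated on the page)."""
import statistics
from collections import defaultdict

# Constructed ECS-style process events. A session value beginning with "RDP"
# is taken to mark a Remote Desktop logon (assumption), "Console" a local one.
SAMPLE_EVENTS = [
    # Helpdesk RDP session running short, ordinary commands.
    {"host.name": "ws01", "user.name": "helpdesk", "process.Ext.session": "RDP-Tcp#0",
     "process.args": ["whoami"]},
    {"host.name": "ws01", "user.name": "helpdesk", "process.Ext.session": "RDP-Tcp#0",
     "process.args": ["ipconfig", "/all"]},
    {"host.name": "ws01", "user.name": "helpdesk", "process.Ext.session": "RDP-Tcp#0",
     "process.args": ["net", "user", "jdoe"]},
    {"host.name": "ws01", "user.name": "helpdesk", "process.Ext.session": "RDP-Tcp#0",
     "process.args": ["notepad.exe", "C:\\temp\\notes.txt"]},
    # DBA RDP session: one longer but legitimate command line.
    {"host.name": "srv01", "user.name": "dbadmin", "process.Ext.session": "RDP-Tcp#1",
     "process.args": ["sqlcmd", "-S", "localhost", "-Q", "SELECT 1"]},
    {"host.name": "srv01", "user.name": "dbadmin", "process.Ext.session": "RDP-Tcp#1",
     "process.args": ["tasklist", "/svc"]},
    {"host.name": "srv01", "user.name": "dbadmin", "process.Ext.session": "RDP-Tcp#1",
     "process.args": ["dir"]},
    # Service-account RDP session: cmd.exe wrapper, encoded PowerShell, a pipe
    # and a redirect, then an admin-share copy chained with &&. Every operator
    # and switch is its own argument, so args_count climbs quickly.
    {"host.name": "srv02", "user.name": "svc_backup", "process.Ext.session": "RDP-Tcp#3",
     "process.args": ["cmd.exe", "/c", "powershell", "-nop", "-w", "hidden", "-enc",
                      "dwBoAG8AYQBtAGkA", "|", "findstr", "/i", "pass", ">",
                      "C:\\Users\\Public\\o.txt"]},
    {"host.name": "srv02", "user.name": "svc_backup", "process.Ext.session": "RDP-Tcp#3",
     "process.args": ["cmd.exe", "/c", "net", "use", "\\\\fs01\\c$", "/user:corp\\svc_backup",
                      "*", "&&", "copy", "\\\\fs01\\c$\\Users\\Public\\t.zip",
                      "C:\\Users\\Public\\", ">nul", "2>&1"]},
    {"host.name": "srv02", "user.name": "svc_backup", "process.Ext.session": "RDP-Tcp#3",
     "process.args": ["rundll32.exe", "C:\\Users\\Public\\t.dll,Start"]},
    # Local console logon: not an RDP session, so it is excluded.
    {"host.name": "ws01", "user.name": "jdoe", "process.Ext.session": "Console",
     "process.args": ["explorer.exe"]},
]

# Constructed history of per-session means from quiet periods, standing in for
# the baseline the anomaly detection job learns over time.
BASELINE_SESSION_MEANS = [1.8, 2.1, 2.4, 1.9, 2.6, 2.2, 3.0, 2.3]


def is_rdp_session(event):
    """True when the process ran inside a Remote Desktop logon session."""
    return str(event.get("process.Ext.session", "")).upper().startswith("RDP")


def args_count(event):
    """ECS process.args_count if present, else the length of process.args."""
    if "process.args_count" in event:
        return int(event["process.args_count"])
    return len(event.get("process.args", []))


def session_key(event):
    """Group events by host, user and session identifier."""
    return (event["host.name"], event["user.name"], event["process.Ext.session"])


def mean_args_per_session(events):
    """Mean argument count of every RDP session in the event set."""
    counts = defaultdict(list)
    for ev in events:
        if is_rdp_session(ev):
            counts[session_key(ev)].append(args_count(ev))
    return {key: statistics.mean(vals) for key, vals in counts.items()}


def flag_high_mean(session_means, baseline, z_threshold=3.0):
    """Sessions whose mean exceeds baseline mean + z_threshold * baseline stdev.

    The fixed z-score plays the role the job's anomaly score plays in the
    rule; it is a simplification. Returns (key, mean, z) tuples."""
    mu = statistics.mean(baseline)
    sigma = statistics.stdev(baseline) or 1e-9  # guard a flat baseline
    flagged = []
    for key, m in sorted(session_means.items()):
        z = (m - mu) / sigma
        if z > z_threshold:
            flagged.append((key, m, z))
    return flagged


if __name__ == "__main__":
    means = mean_args_per_session(SAMPLE_EVENTS)
    for key, m in sorted(means.items()):
        print(f"{key}: mean args_count = {m:.2f}")
    for key, m, z in flag_high_mean(means, BASELINE_SESSION_MEANS):
        print(f"FLAG {key}: mean {m:.2f}, z = {z:.1f}")
```

Run directly, it prints a mean of 2.0 for the helpdesk session, about 2.67 for the DBA session and about 9.67 for the service-account session; only the last one crosses the threshold, and it does so because a wrapped, piped and redirected command line is tokenized into a dozen or more arguments even when it launches a single tool.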

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected unusually high number of process arguments in an RDP session. Executing
sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms,
redirection and piping, which in turn increases the number of arguments in a command.
"""
from = "now-12h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_mean_rdp_process_args"
name = "High Mean of Process Arguments in an RDP Session"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/lmd",
    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
]
risk_score = 21
rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
setup = """## Setup

The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

### Lateral Movement Detection Setup
The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Lateral Movement Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Lateral Movement Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating High Mean of Process Arguments in an RDP Session

Remote Desktop Protocol (RDP) facilitates remote access to systems, often targeted by adversaries for lateral movement. Attackers may exploit RDP by executing complex commands with numerous arguments to obfuscate their actions. The detection rule leverages machine learning to identify anomalies in process arguments, flagging potential misuse indicative of sophisticated attacks.

### Possible investigation steps

- Review the specific RDP session details, including the source and destination IP addresses, to identify any unusual or unauthorized access patterns.
- Analyze the process arguments flagged by the machine learning model to determine if they include known malicious commands or patterns indicative of obfuscation or redirection.
- Check the user account associated with the RDP session for any signs of compromise, such as recent password changes or login attempts from unusual locations.
- Correlate the alert with other security events or logs, such as firewall logs or intrusion detection system alerts, to identify any related suspicious activities or lateral movement attempts.
- Investigate the historical behavior of the involved systems and users to determine if the high number of process arguments is an anomaly or part of a regular pattern.

### False positive analysis

- Routine administrative tasks may generate a high number of process arguments, such as batch scripts or automated maintenance operations. Users can create exceptions for known scripts or processes that are regularly executed by trusted administrators.
- Software updates or installations often involve complex commands with multiple arguments. To mitigate false positives, users should whitelist update processes from trusted vendors.
- Monitoring and management tools that perform extensive logging or diagnostics can trigger this rule. Users should identify and exclude these tools if they are verified as non-threatening.
- Custom applications or scripts developed in-house may use numerous arguments for configuration purposes. Users should document and exclude these applications if they are part of normal business operations.
- Scheduled tasks that run during off-hours might appear suspicious due to their complexity. Users can adjust the rule to ignore these tasks if they are part of a regular, approved schedule.

### Response and remediation

- Isolate the affected system from the network to prevent further lateral movement and potential data exfiltration.
- Terminate any suspicious RDP sessions and associated processes that exhibit high numbers of arguments to halt ongoing malicious activities.
- Conduct a thorough review of the affected system's event logs and process execution history to identify any unauthorized access or changes made during the RDP session.
- Reset credentials for any accounts that were accessed during the suspicious RDP session to prevent unauthorized access using compromised credentials.
- Apply security patches and updates to the affected system and any other systems within the network to mitigate vulnerabilities that could be exploited for similar attacks.
- Enhance monitoring and logging for RDP sessions across the network to detect and respond to similar anomalies more quickly in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
...
```

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating High Mean of Process Arguments in an RDP Session

Remote Desktop Protocol (RDP) facilitates remote access to systems and is often used by adversaries for lateral movement. Attackers may run complex commands with numerous arguments inside an RDP session to obfuscate their actions. The detection rule relies on a machine learning job that flags RDP sessions whose mean per-process argument count is anomalously high, a pattern consistent with this kind of misuse.

Possible investigation steps

  • Review the specific RDP session details, including the source and destination IP addresses, to identify any unusual or unauthorized access patterns.
  • Analyze the process arguments flagged by the machine learning model to determine if they include known malicious commands or patterns indicative of obfuscation or redirection.
  • Check the user account associated with the RDP session for any signs of compromise, such as recent password changes or login attempts from unusual locations.
  • Correlate the alert with other security events or logs, such as firewall logs or intrusion detection system alerts, to identify any related suspicious activities or lateral movement attempts.
  • Investigate the historical behavior of the involved systems and users to determine if the high number of process arguments is an anomaly or part of a regular pattern.
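For the second step, an added triage helper (not part of the rule or of the investigation guide) that scans the argument vectors of processes from a flagged RDP session for the patterns the guide asks about, namely piping, redirection, command chaining, cmd.exe wrappers, caret obfuscation and admin-share access, and decodes PowerShell -EncodedCommand payloads (base64 of UTF-16LE text). The argument vectors are constructed samples, and the indicator names are this example's own.

```python
"""Added triage example (not part of the Elastic rule): inspect process
argument vectors from a flagged RDP session for obfuscation, piping,
redirection and admin-share patterns, decoding -EncodedCommand payloads.
Sample argument vectors are constructed."""
import base64
import binascii
import re

PIPE_OPS = {"|", "||"}
CHAIN_OPS = {"&", "&&"}
REDIRECT_OPS = {">", ">>", "<", "2>&1", ">nul", "1>nul", "2>nul"}
ALL_OPS = PIPE_OPS | CHAIN_OPS | REDIRECT_OPS
# UNC path to an administrative share such as \\host\c$ or \\host\admin$.
ADMIN_SHARE_RE = re.compile(r"^\\\\[^\\]+\\(admin\$|[a-z]\$)", re.IGNORECASE)
PS_TOKENS = ("powershell", "powershell.exe", "pwsh", "pwsh.exe")


def _is_ps_switch(token, full):
    """PowerShell accepts any unambiguous prefix of a switch, case-insensitive,
    with '-' or '/' as the switch character: -e, -ec, -Enc, /EncodedCommand."""
    t = token.lower()
    if t[:1] in ("-", "/"):
        t = "-" + t[1:]
    return len(t) >= 2 and full.startswith(t)


def decode_encoded_command(payload):
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    try:
        return base64.b64decode(payload, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_args(args):
    """Return {indicator: detail} for one process argument vector."""
    findings = {}
    # cmd.exe strips ^ escapes, so p^o^w^e^r^s^h^e^l^l runs powershell; match
    # on the de-careted tokens but record that carets were present.
    decareted = [a.replace("^", "") for a in args]
    if any("^" in a for a in args):
        findings["caret_obfuscation"] = " ".join(decareted)
    lowered = [a.lower() for a in decareted]

    if lowered[:2] in (["cmd.exe", "/c"], ["cmd", "/c"], ["cmd.exe", "/k"], ["cmd", "/k"]):
        findings["cmd_wrapper"] = True
    ops = [a for a in decareted if a in ALL_OPS]
    if any(o in PIPE_OPS for o in ops):
        findings["pipe"] = True
    if any(o in CHAIN_OPS for o in ops):
        findings["command_chaining"] = True
    redirects = [o for o in ops if o in REDIRECT_OPS]
    if redirects:
        findings["redirection"] = redirects
    shares = [a for a in decareted if ADMIN_SHARE_RE.match(a)]
    if shares:
        findings["admin_share"] = shares

    # PowerShell switches only mean something after a powershell/pwsh token.
    ps_idx = next((i for i, a in enumerate(lowered) if a in PS_TOKENS), None)
    if ps_idx is not None:
        tail = decareted[ps_idx + 1:]
        for i, tok in enumerate(tail[:-1]):
            if _is_ps_switch(tok, "-encodedcommand"):
                decoded = decode_encoded_command(tail[i + 1])
                findings["encoded_powershell"] = decoded if decoded else "undecodable"
            elif _is_ps_switch(tok, "-windowstyle") and tail[i + 1].lower() == "hidden":
                findings["hidden_window"] = True
    return findings


def session_indicators(arg_vectors):
    """Union of indicators across all processes of one session, for the triage note."""
    seen = set()
    for args in arg_vectors:
        seen.update(analyze_args(args))
    return sorted(seen)


# Constructed argument vectors (process.args) from one flagged session.
SAMPLE_ARGS = {
    "benign": ["ipconfig", "/all"],
    "encoded_pipe_redirect": ["cmd.exe", "/c", "powershell", "-nop", "-w", "hidden", "-enc",
                              "dwBoAG8AYQBtAGkA", "|", "findstr", "/i", "pass", ">",
                              "C:\\Users\\Public\\o.txt"],
    "admin_share_chain": ["cmd.exe", "/c", "net", "use", "\\\\fs01\\c$", "/user:corp\\svc_backup",
                          "*", "&&", "copy", "\\\\fs01\\c$\\Users\\Public\\t.zip",
                          "C:\\Users\\Public\\", ">nul", "2>&1"],
    "caret": ["cmd", "/c", "p^o^w^e^r^s^h^e^l^l", "-w", "hid^den", "-c", "Get-Date"],
}

if __name__ == "__main__":
    for label, args in SAMPLE_ARGS.items():
        print(f"{label}: {analyze_args(args)}")
    print("session indicators:", session_indicators(SAMPLE_ARGS.values()))
```

The decoded payload matters more than the indicator count: here the encoded command is just whoami, which tells the analyst what the operator was actually doing far better than the fact that fourteen arguments were used. Treat the indicators as prompts for the remaining steps (who the account is, where the session came from, whether the admin-share target was reached), not as a verdict.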
False positive analysis

  • Routine administrative tasks may generate a high number of process arguments, such as batch scripts or automated maintenance operations. Users can create exceptions for known scripts or processes that are regularly executed by trusted administrators.
  • Software updates or installations often involve complex commands with multiple arguments. To mitigate false positives, users should exclude update processes from trusted vendors.
  • Monitoring and management tools that perform extensive logging or diagnostics can trigger this rule. Users should identify and exclude these tools once they are verified as non-threatening.
  • Custom applications or scripts developed in-house may use numerous arguments for configuration purposes. Users should document and exclude these applications if they are part of normal business operations.
  • Scheduled tasks that run during off-hours might appear suspicious due to their complexity. Users can adjust the rule to ignore these tasks if they are part of a regular, approved schedule.
Response and remediation

  • Isolate the affected system from the network to prevent further lateral movement and potential data exfiltration.
  • Terminate any suspicious RDP sessions and associated processes that exhibit high numbers of arguments to halt ongoing malicious activities.
  • Conduct a thorough review of the affected system's event logs and process execution history to identify any unauthorized access or changes made during the RDP session.
  • Reset credentials for any accounts that were accessed during the suspicious RDP session to prevent unauthorized access using compromised credentials.
  • Apply security patches and updates to the affected system and any other systems within the network to mitigate vulnerabilities that could be exploited for similar attacks.
  • Enhance monitoring and logging for RDP sessions across the network to detect and respond to similar anomalies more quickly in the future.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised.
