High Mean of Process Arguments in an RDP Session

A machine learning job has detected unusually high number of process arguments in an RDP session. Executing sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms, redirection and piping, which in turn increases the number of arguments in a command.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/10/12"
 3integration = ["lmd", "endpoint"]
 4maturity = "production"
 5min_stack_comments = "LMD package job ID and rule removal updates"
 6min_stack_version = "8.9.0"
 7updated_date = "2023/12/12"
 8
 9[rule]
10anomaly_threshold = 70
11author = ["Elastic"]
12description = """
13A machine learning job has detected unusually high number of process arguments in an RDP session. Executing
14sophisticated attacks such as lateral movement can involve the use of complex commands, obfuscation mechanisms,
15redirection and piping, which in turn increases the number of arguments in a command.
16"""
17from = "now-12h"
18interval = "15m"
19license = "Elastic License v2"
20machine_learning_job_id = "lmd_high_mean_rdp_process_args"
21name = "High Mean of Process Arguments in an RDP Session"
22setup = """
23The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.  
24
25### Lateral Movement Detection Setup
26The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
27
28#### Prerequisite Requirements:
29- Fleet is required for Lateral Movement Detection.
30- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
31- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
32- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
33
34#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
35- Go to the Kibana homepage. Under Management, click Integrations.
36- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
37- Under Settings, click Install Lateral Movement Detection assets and follow the prompts to install the assets.
38
39#### Anomaly Detection Setup
40Before you can enable rules for Lateral Movement Detection, you'll need to enable the corresponding Anomaly Detection jobs.
41- Before enabling the Anomaly Detection jobs, confirm that the Pivot Transform asset is installed and actively gathering data in the destination index `ml-rdp-lmd`.
42- Go to the Kibana homepage. Under Analytics, click Machine Learning.
43- Under Anomaly Detection, click Jobs, and then click "Create job". Select the Data View containing your transformed RDP process data i.e.`ml-rdp-lmd`.
44- If the selected Data View contains events that match the query in [this](https://github.com/elastic/integrations/blob/main/packages/lmd/kibana/ml_module/lmd-ml.json) configuration file, you will see a card for Lateral Movement Detection under "Use preconfigured jobs".
45- Keep the default settings and click "Create jobs" to start the anomaly detection jobs and datafeeds.
46"""
47references = [
48    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
49    "https://docs.elastic.co/en/integrations/lmd",
50    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
51    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
52]
53risk_score = 21
54rule_id = "36c48a0c-c63a-4cbc-aee1-8cac87db31a9"
55severity = "low"
56tags = [
57    "Use Case: Lateral Movement Detection",
58    "Rule Type: ML",
59    "Rule Type: Machine Learning",
60    "Tactic: Lateral Movement",
61]
62type = "machine_learning"
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1210"
67name = "Exploitation of Remote Services"
68reference = "https://attack.mitre.org/techniques/T1210/"
69
70
71[rule.threat.tactic]
72id = "TA0008"
73name = "Lateral Movement"
74reference = "https://attack.mitre.org/tactics/TA0008/"

References

Related rules

to-top