Unusual Remote File Size

A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral
movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data
into a single large file transfer.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
name = "Unusual Remote File Size"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/lmd",
    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
]
risk_score = 21
rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
setup = """## Setup

The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

### Lateral Movement Detection Setup
The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Lateral Movement Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Lateral Movement Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Remote File Size
Machine learning models in security environments analyze file transfer patterns to identify anomalies, such as unusually large files shared remotely. Adversaries exploit this by aggregating data into large files to avoid detection during lateral movement. The 'Unusual Remote File Size' rule leverages ML to flag these anomalies, aiding in early detection of potential data exfiltration activities.

### Possible investigation steps

- Review the alert details to identify the specific remote host and file size involved in the anomaly.
- Check the historical file transfer patterns of the identified remote host to determine if this large file size is truly unusual.
- Investigate the contents and purpose of the large file, if accessible, to assess whether it contains sensitive or valuable information.
- Analyze network logs to trace the origin and destination of the file transfer, looking for any unauthorized or suspicious connections.
- Correlate the event with other security alerts or logs to identify any concurrent suspicious activities that might indicate lateral movement or data exfiltration.
- Verify the user account associated with the file transfer to ensure it has not been compromised or misused.

### False positive analysis

- Large file transfers related to legitimate business operations, such as backups or data migrations, can trigger false positives. Users should identify and whitelist these routine activities to prevent unnecessary alerts.
- Software updates or patches distributed across the network may also appear as unusually large file transfers. Establishing a baseline for expected file sizes during these updates can help in distinguishing them from potential threats.
- Remote file sharing services used for collaboration might generate alerts if large files are shared frequently. Monitoring and excluding these services from the rule can reduce false positives.
- Automated data processing tasks that involve transferring large datasets between systems should be documented and excluded from the rule to avoid false alarms.
- Regularly review and update the list of known safe hosts and services that are permitted to transfer large files, ensuring that only legitimate activities are excluded from detection.

### Response and remediation

- Isolate the affected host immediately to prevent further lateral movement and potential data exfiltration. Disconnect it from the network to contain the threat.
- Conduct a thorough analysis of the large file transfer to determine its contents and origin. Verify if sensitive data was included and assess the potential impact.
- Review and terminate any unauthorized remote sessions or connections identified during the investigation to prevent further exploitation.
- Reset credentials and review access permissions for the affected host and any associated accounts to mitigate the risk of compromised credentials being used for further attacks.
- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of similar incidents in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation actions are taken.
- Enhance monitoring and logging for unusual file transfer activities and remote access attempts to improve early detection of similar threats in the future."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
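The investigation steps above ask the analyst to compare the alerted file size with the remote host's historical transfer pattern, and the false positive guidance asks for a maintained list of hosts permitted to transfer large files. The following added Python illustration (not Elastic's code; the prebuilt ML job learns its own baseline) shows that triage reasoning as a robust median/MAD outlier check over constructed events, with an allowlist applied first. The ECS-style field names `source.ip` and `file.size` and the sample addresses are assumptions.

```python
from statistics import median

# Constructed sample of remote file-transfer events; the field names
# source.ip and file.size are assumed, not taken from the rule.
EVENTS = [
    {"source.ip": "10.0.2.15", "file.size": 1_000_000},
    {"source.ip": "10.0.2.15", "file.size": 1_200_000},
    {"source.ip": "10.0.2.15", "file.size": 900_000},
    {"source.ip": "10.0.2.15", "file.size": 1_100_000},
    {"source.ip": "10.0.2.15", "file.size": 1_050_000},
    {"source.ip": "10.0.2.15", "file.size": 950_000},
    {"source.ip": "10.0.3.7", "file.size": 4_000_000},
    {"source.ip": "10.0.3.7", "file.size": 3_500_000},
]

# Hosts documented as legitimate bulk-transfer sources (constructed example:
# a backup server); this is the allowlist the false positive guidance describes.
KNOWN_BULK_HOSTS = frozenset({"10.0.9.5"})


def robust_score(history, value):
    """Modified z-score using median and MAD, so a few past outliers
    do not inflate the baseline the way mean/stddev would."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # guard MAD == 0
    return 0.6745 * (value - med) / mad


def assess(alert, events=EVENTS, allowlist=KNOWN_BULK_HOSTS,
           threshold=3.5, min_history=5):
    """Return (verdict, score) for an alerted transfer against its host baseline."""
    host = alert["source.ip"]
    if host in allowlist:
        return "excluded", 0.0          # documented bulk source, no further scoring
    history = [e["file.size"] for e in events if e["source.ip"] == host]
    if len(history) < min_history:
        return "insufficient_history", 0.0  # cannot call it unusual yet
    score = robust_score(history, alert["file.size"])
    return ("unusual" if score > threshold else "within_baseline"), score


if __name__ == "__main__":
    for ip, size in [("10.0.2.15", 850_000_000), ("10.0.2.15", 1_150_000),
                     ("10.0.9.5", 5_000_000_000), ("10.0.3.7", 40_000_000)]:
        print(ip, size, assess({"source.ip": ip, "file.size": size}))
```

An "insufficient_history" verdict is the case to watch in practice: a host with no baseline is exactly where a single large transfer deserves manual review rather than automatic dismissal.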

