Unusual Remote File Directory
An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/10/12"
3integration = ["lmd", "endpoint"]
4maturity = "production"
5updated_date = "2025/01/15"
6
7[rule]
8anomaly_threshold = 70
9author = ["Elastic"]
10description = """
11An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral
12movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so
13attackers might use less common directories to bypass monitoring.
14"""
15from = "now-90m"
16interval = "15m"
17license = "Elastic License v2"
18machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
19name = "Unusual Remote File Directory"
20references = [
21 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
22 "https://docs.elastic.co/en/integrations/lmd",
23 "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
24 "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
25]
26risk_score = 21
27rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
28setup = """## Setup
29
30The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
31
32### Lateral Movement Detection Setup
33The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
34
35#### Prerequisite Requirements:
36- Fleet is required for Lateral Movement Detection.
37- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
38- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
39- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
40
41#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
42- Go to the Kibana homepage. Under Management, click Integrations.
43- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
44- Follow the instructions under the **Installation** section.
45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
46"""
47severity = "low"
48tags = [
49 "Use Case: Lateral Movement Detection",
50 "Rule Type: ML",
51 "Rule Type: Machine Learning",
52 "Tactic: Lateral Movement",
53 "Resources: Investigation Guide",
54]
55type = "machine_learning"
56note = """## Triage and analysis
57
58> **Disclaimer**:
59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
60
61### Investigating Unusual Remote File Directory
62
63The 'Unusual Remote File Directory' detection leverages machine learning to identify atypical file transfers in directories not commonly monitored, which may indicate lateral movement by adversaries. Attackers exploit these less scrutinized paths to evade detection, often using remote services to transfer malicious payloads. This rule flags such anomalies, aiding in early detection of potential breaches.
64
65### Possible investigation steps
66
67- Review the alert details to identify the specific unusual directory involved in the file transfer and note any associated file names or types.
68- Check the source and destination IP addresses involved in the transfer to determine if they are known or trusted entities within the network.
69- Investigate the user account associated with the file transfer to verify if the activity aligns with their typical behavior or role within the organization.
70- Examine recent logs or events from the host to identify any other suspicious activities or anomalies that may correlate with the file transfer.
71- Cross-reference the detected activity with known threat intelligence sources to determine if the file transfer or directory is associated with any known malicious campaigns or tactics.
72- Assess the potential impact of the file transfer by evaluating the sensitivity of the data involved and the criticality of the systems affected.
73
74### False positive analysis
75
76- Routine administrative tasks may trigger alerts if they involve file transfers to directories not typically monitored. Users can create exceptions for known administrative activities to prevent unnecessary alerts.
77- Automated backup processes might be flagged if they store files in uncommon directories. Identifying and excluding these backup operations can reduce false positives.
78- Software updates or patches that deploy files to less common directories could be mistaken for suspicious activity. Users should whitelist these update processes to avoid false alerts.
79- Development or testing environments often involve file transfers to non-standard directories. Users can configure exceptions for these environments to minimize false positives.
80- Legitimate remote services used for file transfers, such as cloud storage synchronization, may be flagged. Users should identify and exclude these trusted services from monitoring.
81
82### Response and remediation
83
84- Isolate the affected host immediately to prevent further lateral movement and contain the potential threat. Disconnect it from the network to stop any ongoing malicious activity.
85- Conduct a thorough analysis of the unusual directory and any files transferred to identify malicious payloads. Use endpoint detection and response (EDR) tools to scan for known malware signatures and behaviors.
86- Remove any identified malicious files and artifacts from the affected directory and host. Ensure that all traces of the threat are eradicated to prevent re-infection.
87- Reset credentials and review access permissions for the affected host and any associated accounts to mitigate the risk of unauthorized access. Ensure that least privilege principles are enforced.
88- Monitor network traffic and logs for any signs of further lateral movement or exploitation attempts. Pay special attention to remote service connections and unusual directory access.
89- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional hosts or systems are compromised.
90- Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future."""
91[[rule.threat]]
92framework = "MITRE ATT&CK"
93[[rule.threat.technique]]
94id = "T1210"
95name = "Exploitation of Remote Services"
96reference = "https://attack.mitre.org/techniques/T1210/"
97
98
99[rule.threat.tactic]
100id = "TA0008"
101name = "Lateral Movement"
102reference = "https://attack.mitre.org/tactics/TA0008/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unusual Remote File Directory
The 'Unusual Remote File Directory' detection leverages machine learning to identify atypical file transfers in directories not commonly monitored, which may indicate lateral movement by adversaries. Attackers exploit these less scrutinized paths to evade detection, often using remote services to transfer malicious payloads. This rule flags such anomalies, aiding in early detection of potential breaches.
Possible investigation steps
- Review the alert details to identify the specific unusual directory involved in the file transfer and note any associated file names or types.
- Check the source and destination IP addresses involved in the transfer to determine if they are known or trusted entities within the network.
- Investigate the user account associated with the file transfer to verify if the activity aligns with their typical behavior or role within the organization.
- Examine recent logs or events from the host to identify any other suspicious activities or anomalies that may correlate with the file transfer.
- Cross-reference the detected activity with known threat intelligence sources to determine if the file transfer or directory is associated with any known malicious campaigns or tactics.
- Assess the potential impact of the file transfer by evaluating the sensitivity of the data involved and the criticality of the systems affected.
False positive analysis
- Routine administrative tasks may trigger alerts if they involve file transfers to directories not typically monitored. Users can create exceptions for known administrative activities to prevent unnecessary alerts.
- Automated backup processes might be flagged if they store files in uncommon directories. Identifying and excluding these backup operations can reduce false positives.
- Software updates or patches that deploy files to less common directories could be mistaken for suspicious activity. Users should whitelist these update processes to avoid false alerts.
- Development or testing environments often involve file transfers to non-standard directories. Users can configure exceptions for these environments to minimize false positives.
- Legitimate remote services used for file transfers, such as cloud storage synchronization, may be flagged. Users should identify and exclude these trusted services from monitoring.
Response and remediation
- Isolate the affected host immediately to prevent further lateral movement and contain the potential threat. Disconnect it from the network to stop any ongoing malicious activity.
- Conduct a thorough analysis of the unusual directory and any files transferred to identify malicious payloads. Use endpoint detection and response (EDR) tools to scan for known malware signatures and behaviors.
- Remove any identified malicious files and artifacts from the affected directory and host. Ensure that all traces of the threat are eradicated to prevent re-infection.
- Reset credentials and review access permissions for the affected host and any associated accounts to mitigate the risk of unauthorized access. Ensure that least privilege principles are enforced.
- Monitor network traffic and logs for any signs of further lateral movement or exploitation attempts. Pay special attention to remote service connections and unusual directory access.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional hosts or systems are compromised.
- Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future.
References
Related rules
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- High Variance in RDP Session Duration
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a Destination IP