Spike in Remote File Transfers
A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/10/12"
3integration = ["lmd", "endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8anomaly_threshold = 70
9author = ["Elastic"]
10description = """
11A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral
12movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
13valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network,
14to evade detection.
15"""
16from = "now-90m"
17interval = "15m"
18license = "Elastic License v2"
19machine_learning_job_id = "lmd_high_count_remote_file_transfer"
20name = "Spike in Remote File Transfers"
21references = [
22 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
23 "https://docs.elastic.co/en/integrations/lmd",
24 "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
25 "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
26]
27risk_score = 21
28rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
29setup = """## Setup
30
31The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
32
33### Lateral Movement Detection Setup
34The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
35
36#### Prerequisite Requirements:
37- Fleet is required for Lateral Movement Detection.
38- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
39- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
40- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
41
42#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
43- Go to the Kibana homepage. Under Management, click Integrations.
44- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
45- Follow the instructions under the **Installation** section.
46- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
47"""
48severity = "low"
49tags = [
50 "Use Case: Lateral Movement Detection",
51 "Rule Type: ML",
52 "Rule Type: Machine Learning",
53 "Tactic: Lateral Movement",
54]
55type = "machine_learning"
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1210"
60name = "Exploitation of Remote Services"
61reference = "https://attack.mitre.org/techniques/T1210/"
62
63
64[rule.threat.tactic]
65id = "TA0008"
66name = "Lateral Movement"
67reference = "https://attack.mitre.org/tactics/TA0008/"
References
Related rules
- High Mean of Process Arguments in an RDP Session
- High Mean of RDP Session Duration
- High Variance in RDP Session Duration
- Spike in Number of Connections Made from a Source IP
- Spike in Number of Connections Made to a Destination IP