Spike in Remote File Transfers

A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.

Elastic rule

```toml
[metadata]
creation_date = "2023/10/12"
integration = ["lmd", "endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
anomaly_threshold = 70
author = ["Elastic"]
description = """
A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral
movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network,
to evade detection.
"""
from = "now-90m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "lmd_high_count_remote_file_transfer"
name = "Spike in Remote File Transfers"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/lmd",
    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
]
risk_score = 21
rule_id = "e9b0902b-c515-413b-b80b-a8dcebc81a66"
setup = """## Setup

The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

### Lateral Movement Detection Setup
The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.

#### Prerequisite Requirements:
- Fleet is required for Lateral Movement Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).

#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Use Case: Lateral Movement Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Lateral Movement",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Spike in Remote File Transfers

Remote file transfer technologies facilitate data sharing across networks, essential for collaboration and operations. However, adversaries exploit these to move laterally within a network, often transferring data stealthily to avoid detection. The 'Spike in Remote File Transfers' detection rule leverages machine learning to identify unusual transfer volumes, signaling potential malicious activity by comparing against established network baselines.

### Possible investigation steps

- Review the alert details to identify the specific host and time frame associated with the abnormal file transfer activity.
- Analyze network logs and remote file transfer logs to determine the source and destination of the transfers, focusing on any unusual or unauthorized endpoints.
- Cross-reference the identified host with known assets and user accounts to verify if the activity aligns with expected behavior or if it involves unauthorized access.
- Investigate any associated user accounts for signs of compromise, such as unusual login times or locations, by reviewing authentication logs.
- Check for any recent changes or anomalies in the network baseline that could explain the spike in file transfers, such as new software deployments or legitimate large data migrations.
- Correlate the detected activity with other security alerts or incidents to identify potential patterns or coordinated attacks within the network.

### False positive analysis

- Regularly scheduled data backups or synchronization tasks can trigger false positives. Identify these tasks and create exceptions to prevent them from being flagged.
- Automated software updates or patch management systems may cause spikes in file transfers. Exclude these systems from the rule to reduce false alerts.
- Internal data sharing between departments for legitimate business purposes might be misidentified. Establish a baseline for these activities and adjust the detection thresholds accordingly.
- High-volume data transfers during specific business operations, such as end-of-month reporting, can be mistaken for malicious activity. Temporarily adjust the rule settings during these periods to accommodate expected increases in transfer volumes.
- Frequent file transfers from trusted external partners or vendors should be monitored and, if consistently benign, added to an allowlist to minimize unnecessary alerts.

### Response and remediation

- Isolate the affected host immediately to prevent further lateral movement and potential data exfiltration. Disconnect it from the network to contain the threat.
- Conduct a thorough analysis of the transferred files to determine if sensitive data was involved and assess the potential impact of the data exposure.
- Review and terminate any unauthorized remote access sessions or services on the affected host to prevent further exploitation.
- Reset credentials for any accounts that were used or potentially compromised during the incident to prevent unauthorized access.
- Apply security patches and updates to the affected systems to address any vulnerabilities that may have been exploited by the attackers.
- Monitor network traffic for any additional unusual remote file transfer activities, using enhanced logging and alerting to detect similar threats in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation efforts are undertaken."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
```
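The rule above is a machine_learning rule: every `interval` (15m) it looks back over `from` (now-90m) for anomaly records of job `lmd_high_count_remote_file_transfer` whose score reaches `anomaly_threshold` (70), and any matching host becomes an alert unless a rule exception covers it. The following added example (not Elastic's code) emulates one such run locally; the `.ml-anomalies-*` record field names are standard ML result fields, while the per-host `partition_field_value`, the sample records and the `backup-01` exception are constructed assumptions.

```python
# Added example: emulate one scheduled run of the ML rule above.
# Record fields follow .ml-anomalies-* result documents; the per-host
# partition field, timestamps and sample records are constructed.
from datetime import datetime, timedelta, timezone

JOB_ID = "lmd_high_count_remote_file_transfer"   # machine_learning_job_id
ANOMALY_THRESHOLD = 70                           # anomaly_threshold
LOOKBACK = timedelta(minutes=90)                 # from = "now-90m"

def build_anomaly_query(now: datetime) -> dict:
    """Elasticsearch query body equivalent to the rule's scan of ML records."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"job_id": JOB_ID}},
            {"term": {"result_type": "record"}},
            {"range": {"record_score": {"gte": ANOMALY_THRESHOLD}}},
            {"range": {"timestamp": {"gte": (now - LOOKBACK).isoformat(),
                                     "lte": now.isoformat()}}},
        ]}},
        "sort": [{"record_score": {"order": "desc"}}],
    }

def select_alerts(records: list[dict], now: datetime,
                  excepted_hosts: frozenset[str] = frozenset()) -> list[dict]:
    """Apply the same filters to records already in hand and drop hosts
    covered by a rule exception (e.g. the backup servers the guide mentions)."""
    start = now - LOOKBACK
    hits = []
    for r in records:
        ts = datetime.fromisoformat(r["timestamp"])
        if (r["job_id"] == JOB_ID and r["result_type"] == "record"
                and r["record_score"] >= ANOMALY_THRESHOLD
                and start <= ts <= now
                and r["partition_field_value"] not in excepted_hosts):
            hits.append(r)
    return sorted(hits, key=lambda r: r["record_score"], reverse=True)

NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)   # constructed "now"
SAMPLE_RECORDS = [  # constructed anomaly records, one per host
    {"job_id": JOB_ID, "result_type": "record", "record_score": 91.2,
     "timestamp": "2025-01-15T11:40:00+00:00", "partition_field_value": "ws-042"},
    {"job_id": JOB_ID, "result_type": "record", "record_score": 88.0,
     "timestamp": "2025-01-15T11:10:00+00:00", "partition_field_value": "backup-01"},
    {"job_id": JOB_ID, "result_type": "record", "record_score": 43.5,   # below 70
     "timestamp": "2025-01-15T11:50:00+00:00", "partition_field_value": "ws-007"},
    {"job_id": JOB_ID, "result_type": "record", "record_score": 95.0,   # too old
     "timestamp": "2025-01-15T09:30:00+00:00", "partition_field_value": "ws-099"},
]
```

Running `select_alerts(SAMPLE_RECORDS, NOW, frozenset({"backup-01"}))` leaves only `ws-042`: the high-scoring record for `ws-099` falls outside the 90-minute window, `ws-007` is under the threshold, and the backup host is excepted.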
