High Command Line Entropy Detected for Privileged Commands

  1[metadata]
  2creation_date = "2025/02/18"
  3integration = ["pad", "endpoint", "sysmon_linux"]
  4maturity = "production"
  5updated_date = "2025/02/18"
  6min_stack_version = "8.18.0"
  7min_stack_comments = "New PAD integration only available starting at 8.18.0."
  8
  9[rule]
 10anomaly_threshold = 75
 11author = ["Elastic"]
 12description = """
 13A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user, suggesting possible privileged access activity through command lines.
 14High entropy often indicates that the commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged access.
 15"""
 16from = "now-3h"
 17interval = "15m"
 18license = "Elastic License v2"
 19machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user"
 20name = "High Command Line Entropy Detected for Privileged Commands"
 21references = [
 22    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 23    "https://docs.elastic.co/en/integrations/pad"
 24]
 25risk_score = 21
 26rule_id = "0cbbb5e0-f93a-47fe-ab72-8213366c38f1"
 27setup = """## Setup
 28
 29The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
 30
 31### Privileged Access Detection Setup
 32The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
 33
 34#### Prerequisite Requirements:
 35- Fleet is required for Privileged Access Detection.
 36- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 37- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
 38- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 39- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
 40
 41#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
 42- Go to the Kibana homepage. Under Management, click Integrations.
 43- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
 44- Follow the instructions under the **Installation** section.
 45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 46"""
 47severity = "low"
 48tags = [
 49    "Use Case: Privileged Access Detection",
 50    "Rule Type: ML",
 51    "Rule Type: Machine Learning",
 52    "Tactic: Privilege Escalation",
 53    "Resources: Investigation Guide"
 54]
 55type = "machine_learning"
 56note = """## Triage and analysis
 57
 58> **Disclaimer**:
 59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 60
 61### Investigating High Command Line Entropy Detected for Privileged Commands
 62
 63Machine learning models analyze command line inputs to identify high entropy, which may indicate obfuscation or complexity in privileged commands. Adversaries exploit this by using intricate or encoded commands to mask unauthorized activities. The detection rule leverages this analysis to flag potential privilege escalation attempts, aiding in early threat identification and response.
 64
 65### Possible investigation steps
 66
 67- Review the command line inputs flagged by the alert to identify any patterns or specific obfuscation techniques used.
 68- Cross-reference the user account associated with the alert against known valid accounts and recent access logs to determine if the activity aligns with expected behavior.
 69- Analyze the context of the commands executed, including the time of execution and the systems targeted, to assess the potential impact and scope of the activity.
 70- Check for any recent changes in user privileges or roles that might explain the execution of privileged commands.
 71- Investigate any related alerts or logs that might provide additional context or corroborate the suspicious activity, such as failed login attempts or unusual network connections.
 72- Consult with the user or relevant personnel to verify if the commands were part of legitimate administrative tasks or if they indicate unauthorized access.
 73
 74### False positive analysis
 75
 76- Legitimate administrative scripts may have high entropy due to complex or encoded commands. Review and whitelist these scripts to prevent unnecessary alerts.
 77- Automated deployment tools often use obfuscated commands for security reasons. Identify and exclude these tools from the rule to reduce false positives.
 78- Security software updates might execute encoded commands as part of their process. Monitor and create exceptions for these updates to avoid misclassification.
 79- Developers and IT staff may use complex command lines for testing or debugging. Establish a baseline of normal activity for these users and adjust the rule accordingly.
 80- Scheduled tasks or cron jobs with encoded commands can trigger alerts. Document and exclude these tasks if they are verified as non-threatening.
 81
 82### Response and remediation
 83
 84- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement.
 85- Review and terminate any suspicious or unauthorized processes running under privileged accounts on the affected system.
 86- Reset passwords for all privileged accounts involved, ensuring they meet strong password policies to prevent unauthorized access.
 87- Conduct a thorough audit of recent privileged command executions to identify any unauthorized changes or data access, and revert any malicious modifications.
 88- Implement additional monitoring on the affected system and related accounts to detect any further suspicious activities.
 89- Escalate the incident to the security operations center (SOC) for a comprehensive investigation and to determine if other systems are affected.
 90- Update and reinforce endpoint protection measures to detect and block similar obfuscation or high-entropy command line activities in the future."""
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1078"
 95name = "Valid Accounts"
 96reference = "https://attack.mitre.org/techniques/T1078/"
 97
 98[rule.threat.tactic]
 99id = "TA0004"
100name = "Privilege Escalation"
101reference = "https://attack.mitre.org/tactics/TA0004/"```