Unusual Process Detected for Privileged Commands by a User

  1[metadata]
  2creation_date = "2025/02/18"
  3integration = ["pad", "endpoint", "sysmon_linux"]
  4maturity = "production"
  5updated_date = "2025/02/18"
  6min_stack_version = "8.18.0"
  7min_stack_comments = "New PAD integration only available starting at 8.18.0."
  8
  9[rule]
 10anomaly_threshold = 75
 11author = ["Elastic"]
 12description = """
 13A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential privileged access activity.
 14"""
 15from = "now-1h"
 16interval = "15m"
 17license = "Elastic License v2"
 18machine_learning_job_id = "pad_linux_rare_process_executed_by_user"
 19name = "Unusual Process Detected for Privileged Commands by a User"
 20references = [
 21    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 22    "https://docs.elastic.co/en/integrations/pad"
 23]
 24risk_score = 21
 25rule_id = "5eac16ab-6d4f-427b-9715-f33e1b745fc7"
 26setup = """## Setup
 27
 28The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
 29
 30### Privileged Access Detection Setup
 31The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
 32
 33#### Prerequisite Requirements:
 34- Fleet is required for Privileged Access Detection.
 35- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 36- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
 37- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 38- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
 39
 40#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
 41- Go to the Kibana homepage. Under Management, click Integrations.
 42- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
 43- Follow the instructions under the **Installation** section.
 44- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 45"""
 46severity = "low"
 47tags = [
 48    "Use Case: Privileged Access Detection",
 49    "Rule Type: ML",
 50    "Rule Type: Machine Learning",
 51    "Tactic: Privilege Escalation",
 52    "Resources: Investigation Guide"
 53]
 54type = "machine_learning"
 55note = """## Triage and analysis
 56
 57> **Disclaimer**:
 58> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 59
 60### Investigating Unusual Process Detected for Privileged Commands by a User
 61
 62Machine learning models are employed to identify anomalies in process execution, particularly those involving privileged commands. Adversaries may exploit legitimate user accounts to execute unauthorized privileged actions, aiming for privilege escalation. This detection rule leverages ML to flag atypical processes, indicating potential misuse of elevated access, thus aiding in early threat identification.
 63
 64### Possible investigation steps
 65
 66- Review the specific user account associated with the alert to determine if the account has a history of executing privileged commands or if this is an anomaly.
 67- Examine the process details, including the command line arguments and the parent process, to identify if the process is legitimate or potentially malicious.
 68- Check the timestamp of the process execution to correlate with any other suspicious activities or alerts that occurred around the same time.
 69- Investigate the source IP address or host from which the command was executed to verify if it is a known and trusted location for the user.
 70- Look into recent authentication logs for the user account to identify any unusual login patterns or access from unfamiliar devices.
 71- Assess the user's role and permissions to determine if the execution of such privileged commands aligns with their job responsibilities.
 72
 73### False positive analysis
 74
 75- Routine administrative tasks by IT staff may trigger alerts. Review and whitelist known administrative processes that are regularly executed by trusted personnel.
 76- Automated scripts or scheduled tasks that perform privileged operations can be flagged. Identify and exclude these scripts if they are verified as part of normal operations.
 77- Software updates or installations that require elevated privileges might be detected. Ensure that these processes are documented and excluded if they are part of standard maintenance procedures.
 78- Development or testing environments where privileged commands are frequently used for legitimate purposes can cause false positives. Consider creating exceptions for these environments after thorough validation.
 79- Temporary elevated access granted for specific projects or tasks can lead to alerts. Monitor and document these instances, and adjust the detection rule to accommodate such temporary changes.
 80
 81### Response and remediation
 82
 83- Immediately isolate the affected user account to prevent further unauthorized privileged actions. This can be done by disabling the account or changing its password.
 84- Review and terminate any suspicious processes or sessions initiated by the user account to contain potential malicious activity.
 85- Conduct a thorough audit of recent privileged commands executed by the user to identify any unauthorized changes or actions that need to be reversed.
 86- Escalate the incident to the security operations team for further investigation and to determine if additional systems or accounts have been compromised.
 87- Implement additional monitoring on the affected system and user account to detect any further anomalous behavior or attempts at privilege escalation.
 88- Review and update access controls and permissions for the affected user account to ensure they align with the principle of least privilege.
 89- Document the incident, including actions taken and lessons learned, to improve response strategies and prevent recurrence."""
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1078"
 94name = "Valid Accounts"
 95reference = "https://attack.mitre.org/techniques/T1078/"
 96
 97[rule.threat.tactic]
 98id = "TA0004"
 99name = "Privilege Escalation"
100reference = "https://attack.mitre.org/tactics/TA0004/"```