Unusual Host Name for Windows Privileged Operations Detected

  1[metadata]
  2creation_date = "2025/02/18"
  3integration = ["pad", "endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/02/18"
  6min_stack_version = "8.18.0"
  7min_stack_comments = "New PAD integration only available starting at 8.18.0."
  8
  9[rule]
 10anomaly_threshold = 75
 11author = ["Elastic"]
 12description = """
 13A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity.
 14This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
 15"""
 16from = "now-1h"
 17interval = "15m"
 18license = "Elastic License v2"
 19machine_learning_job_id = "pad_windows_rare_device_by_user"
 20name = "Unusual Host Name for Windows Privileged Operations Detected"
 21references = [
 22    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 23    "https://docs.elastic.co/en/integrations/pad"
 24]
 25risk_score = 21
 26rule_id = "2bca4fcd-5228-4472-9071-148903a31057"
 27setup = """## Setup
 28
 29The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
 30
 31### Privileged Access Detection Setup
 32The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
 33
 34#### Prerequisite Requirements:
 35- Fleet is required for Privileged Access Detection.
 36- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 37- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
 38- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 39- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
 40
 41#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
 42- Go to the Kibana homepage. Under Management, click Integrations.
 43- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
 44- Follow the instructions under the **Installation** section.
 45- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
 46"""
 47severity = "low"
 48tags = [
 49    "Use Case: Privileged Access Detection",
 50    "Rule Type: ML",
 51    "Rule Type: Machine Learning",
 52    "Tactic: Privilege Escalation",
 53    "Resources: Investigation Guide"
 54]
 55type = "machine_learning"
 56note = """## Triage and analysis
 57
 58> **Disclaimer**:
 59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 60
 61### Investigating Unusual Host Name for Windows Privileged Operations Detected
 62
 63Machine learning models analyze patterns of privileged operations in Windows environments to identify anomalies, such as access from uncommon devices. Adversaries may exploit stolen credentials or unauthorized devices to escalate privileges. This detection rule flags such anomalies, indicating potential threats like compromised accounts or insider attacks, by assessing deviations from typical host usage patterns.
 64
 65### Possible investigation steps
 66
 67- Review the alert details to identify the specific user and host involved in the unusual privileged operation.
 68- Check the historical login patterns for the user to determine if the host has been used previously or if this is a new occurrence.
 69- Investigate the host's identity and location to assess if it aligns with the user's typical access patterns or if it appears suspicious.
 70- Examine recent activity logs for the user and host to identify any other unusual or unauthorized actions that may indicate a broader compromise.
 71- Verify if there are any known vulnerabilities or security incidents associated with the host that could have facilitated unauthorized access.
 72- Contact the user to confirm whether they recognize the host and the privileged operations performed, ensuring to rule out legitimate use.
 73
 74### False positive analysis
 75
 76- Users accessing systems from new or temporary devices, such as during travel or remote work, may trigger false positives. Regularly update the list of approved devices for users who frequently change their access points.
 77- IT administrators performing maintenance or updates from different machines can be mistaken for suspicious activity. Implement a process to log and approve such activities in advance to prevent unnecessary alerts.
 78- Employees using virtual machines or remote desktop services might appear as accessing from uncommon devices. Ensure these environments are recognized and whitelisted if they are part of regular operations.
 79- Changes in network infrastructure, such as new IP addresses or subnets, can lead to false positives. Keep the machine learning model updated with the latest network configurations to minimize these alerts.
 80- Temporary use of shared devices in collaborative workspaces can trigger alerts. Establish a protocol for logging shared device usage to differentiate between legitimate and suspicious activities.
 81
 82### Response and remediation
 83
 84- Immediately isolate the affected device from the network to prevent further unauthorized access or lateral movement.
 85- Revoke or reset the credentials of the compromised account to prevent further misuse and unauthorized access.
 86- Conduct a thorough review of recent privileged operations performed by the affected account to identify any unauthorized changes or actions.
 87- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
 88- Implement additional monitoring on the affected account and device to detect any further suspicious activities.
 89- Review and update access controls and permissions to ensure that only authorized devices and users can perform privileged operations.
 90- Consider implementing multi-factor authentication (MFA) for privileged accounts to enhance security and prevent unauthorized access."""
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93[[rule.threat.technique]]
 94id = "T1078"
 95name = "Valid Accounts"
 96reference = "https://attack.mitre.org/techniques/T1078/"
 97
 98[rule.threat.tactic]
 99id = "TA0004"
100name = "Privilege Escalation"
101reference = "https://attack.mitre.org/tactics/TA0004/"