Unusual Linux Process Calling the Metadata Service

  1[metadata]
  2creation_date = "2020/09/22"
  3integration = ["auditd_manager", "endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8anomaly_threshold = 50
  9author = ["Elastic"]
 10description = """
 11Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order
 12to harvest credentials or user data scripts containing secrets.
 13"""
 14false_positives = [
 15    """
 16    A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this
 17    detection rule.
 18    """,
 19]
 20from = "now-45m"
 21interval = "15m"
 22license = "Elastic License v2"
 23machine_learning_job_id = ["v3_linux_rare_metadata_process"]
 24name = "Unusual Linux Process Calling the Metadata Service"
 25setup = """## Setup
 26
 27This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
 28- Elastic Defend
 29- Auditd Manager
 30
 31### Anomaly Detection Setup
 32
 33Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
 34
 35### Elastic Defend Integration Setup
 36Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 37
 38#### Prerequisite Requirements:
 39- Fleet is required for Elastic Defend.
 40- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 41
 42#### The following steps should be executed in order to add the Elastic Defend integration to your system:
 43- Go to the Kibana home page and click "Add integrations".
 44- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 45- Click "Add Elastic Defend".
 46- Configure the integration name and optionally add a description.
 47- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 48- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 49- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 50- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 51For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 52- Click "Save and Continue".
 53- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 54For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 55
 56### Auditd Manager Integration Setup
 57The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
 58Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
 59
 60#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" to your system:
 61- Go to the Kibana home page and click “Add integrations”.
 62- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
 63- Click “Add Auditd Manager”.
 64- Configure the integration name and optionally add a description.
 65- Review optional and advanced settings accordingly.
 66- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
 67- Click “Save and Continue”.
 68- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
 69
 70#### Rule Specific Setup Note
 71Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
 72However, if more advanced configuration is required to detect specific behavior, audit rules can be added to the integration in either the "audit rules" configuration box or the "auditd rule files" box by specifying a file to read the audit rules from.
 73- For this detection rule no additional audit rules are required.
 74"""
 75risk_score = 21
 76rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
 77severity = "low"
 78tags = [
 79    "Domain: Endpoint",
 80    "OS: Linux",
 81    "Use Case: Threat Detection",
 82    "Rule Type: ML",
 83    "Rule Type: Machine Learning",
 84    "Tactic: Credential Access",
 85    "Resources: Investigation Guide",
 86]
 87type = "machine_learning"
 88note = """## Triage and analysis
 89
 90> **Disclaimer**:
 91> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 92
 93### Investigating Unusual Linux Process Calling the Metadata Service
 94
 95In cloud environments, the metadata service provides essential instance-specific data, including credentials and configuration scripts. Adversaries may exploit this service by using atypical processes to access sensitive information, potentially leading to credential theft. The detection rule leverages machine learning to identify anomalous process behavior, flagging unusual access patterns indicative of malicious intent.
 96
 97### Possible investigation steps
 98
 99- Review the process name and command line arguments associated with the alert to identify any unusual or suspicious activity.
100- Check the user account under which the process is running to determine if it has legitimate access to the metadata service.
101- Investigate the process's parent process to understand the context of how it was initiated and whether it aligns with expected behavior.
102- Analyze network logs to verify if the process made any outbound connections to the metadata service and assess the volume and frequency of these requests.
103- Cross-reference the process and user information with recent changes or deployments in the environment to rule out any legitimate use cases.
104- Examine system logs for any other suspicious activities or anomalies around the time the alert was triggered, such as unauthorized access attempts or privilege escalations.
105
106### False positive analysis
107
108- Routine system updates or maintenance scripts may access the metadata service, triggering false positives. Users can create exceptions for known update processes to prevent unnecessary alerts.
109- Automated backup or monitoring tools might interact with the metadata service as part of their normal operations. Identify these tools and whitelist their processes to reduce false alarms.
110- Custom scripts developed in-house for configuration management might access the metadata service. Review these scripts and add them to an exception list if they are verified as non-threatening.
111- Cloud management agents provided by the cloud service provider may access the metadata service for legitimate purposes. Verify these agents and exclude them from the detection rule to avoid false positives.
112- Development or testing environments often have processes that mimic production behavior, including metadata service access. Ensure these environments are accounted for in the rule configuration to minimize false alerts.
113
114### Response and remediation
115
116- Isolate the affected instance immediately to prevent further unauthorized access to the metadata service and potential lateral movement within the network.
117- Terminate the unusual process accessing the metadata service to stop any ongoing data exfiltration or credential harvesting.
118- Conduct a thorough review of access logs and process execution history on the affected instance to identify any additional unauthorized activities or compromised credentials.
119- Rotate all credentials and secrets that may have been exposed through the metadata service to mitigate the risk of credential theft and unauthorized access.
120- Implement network segmentation and access controls to restrict access to the metadata service, ensuring only authorized processes and users can interact with it.
121- Escalate the incident to the security operations team for further investigation and to determine if additional instances or services have been compromised.
122- Update and enhance monitoring rules to detect similar anomalous behaviors in the future, focusing on unusual process activities and access patterns to the metadata service."""
123[[rule.threat]]
124framework = "MITRE ATT&CK"
125[[rule.threat.technique]]
126id = "T1552"
127name = "Unsecured Credentials"
128reference = "https://attack.mitre.org/techniques/T1552/"
129[[rule.threat.technique.subtechnique]]
130id = "T1552.005"
131name = "Cloud Instance Metadata API"
132reference = "https://attack.mitre.org/techniques/T1552/005/"
133
134
135
136[rule.threat.tactic]
137id = "TA0006"
138name = "Credential Access"
139reference = "https://attack.mitre.org/tactics/TA0006/"