Unusual Windows Process Calling the Metadata Service

  1[metadata]
  2creation_date = "2020/09/22"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10anomaly_threshold = 50
 11author = ["Elastic"]
 12description = """
 13Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order
 14to harvest credentials or user data scripts containing secrets.
 15"""
 16false_positives = [
 17    """
 18    A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this
 19    detection rule.
 20    """,
 21]
 22from = "now-45m"
 23interval = "15m"
 24license = "Elastic License v2"
 25machine_learning_job_id = ["v3_windows_rare_metadata_process"]
 26name = "Unusual Windows Process Calling the Metadata Service"
 27setup = """## Setup
 28
 29This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
 30- Elastic Defend
 31- Windows
 32
 33### Anomaly Detection Setup
 34
 35Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
 36
 37### Elastic Defend Integration Setup
 38Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 39
 40#### Prerequisite Requirements:
 41- Fleet is required for Elastic Defend.
 42- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 43
 44#### The following steps should be executed in order to add the Elastic Defend integration to your system:
 45- Go to the Kibana home page and click "Add integrations".
 46- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 47- Click "Add Elastic Defend".
 48- Configure the integration name and optionally add a description.
 49- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 50- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 51- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 52- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 53For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 54- Click "Save and Continue".
 55- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 56For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 57
 58### Windows Integration Setup
 59The Windows integration allows you to monitor the Windows OS, services, applications, and more.
 60
 61#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
 62- Go to the Kibana home page and click “Add integrations”.
 63- In the query bar, search for “Windows” and select the integration to see more details about it.
 64- Click “Add Windows”.
 65- Configure the integration name and optionally add a description.
 66- Review optional and advanced settings accordingly.
 67- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
 68- Click “Save and Continue”.
 69- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
 70"""
 71risk_score = 21
 72rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 73severity = "low"
 74tags = [
 75    "Domain: Endpoint",
 76    "OS: Windows",
 77    "Use Case: Threat Detection",
 78    "Rule Type: ML",
 79    "Rule Type: Machine Learning",
 80    "Tactic: Credential Access",
 81    "Resources: Investigation Guide",
 82]
 83type = "machine_learning"
 84note = """## Triage and analysis
 85
 86> **Disclaimer**:
 87> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 88
 89### Investigating Unusual Windows Process Calling the Metadata Service
 90
 91In cloud environments, the metadata service provides essential instance information, including credentials and configuration data. Adversaries may exploit this by using atypical Windows processes to access the service, aiming to extract sensitive information. The detection rule leverages machine learning to identify anomalies in process behavior, flagging potential credential access attempts by unusual processes.
 92
 93### Possible investigation steps
 94
 95- Review the process name and command line arguments associated with the alert to identify any unusual or suspicious activity.
 96- Check the parent process of the flagged process to understand the context of how it was initiated and assess if it aligns with expected behavior.
 97- Investigate the user account under which the process was executed to determine if it has legitimate access to the metadata service or if it has been compromised.
 98- Analyze network logs to identify any outbound connections to the metadata service from the flagged process, noting any unusual patterns or destinations.
 99- Cross-reference the process and user activity with recent changes or deployments in the environment to rule out false positives related to legitimate administrative actions.
100- Consult threat intelligence sources to see if the process or command line arguments have been associated with known malicious activity or campaigns.
101
102### False positive analysis
103
104- Routine system updates or maintenance scripts may trigger the rule. Review the process details and verify if they align with scheduled maintenance activities. If confirmed, consider adding these processes to an exception list.
105- Legitimate software or security tools that access the metadata service for configuration purposes might be flagged. Identify these tools and create exceptions for their known processes to prevent future alerts.
106- Automated backup or monitoring solutions that interact with the metadata service could be misidentified as threats. Validate these processes and exclude them if they are part of authorized operations.
107- Custom scripts developed in-house for cloud management tasks may access the metadata service. Ensure these scripts are documented and, if safe, add them to the list of exceptions to reduce false positives.
108
109### Response and remediation
110
111- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
112- Terminate the unusual process accessing the metadata service to stop any ongoing credential harvesting attempts.
113- Conduct a thorough review of the system's event logs and process history to identify any additional indicators of compromise or related malicious activity.
114- Change all credentials that may have been exposed or accessed through the metadata service to mitigate the risk of unauthorized access.
115- Implement network segmentation to limit access to the metadata service, ensuring only authorized processes and users can interact with it.
116- Escalate the incident to the security operations center (SOC) for further analysis and to determine if the threat is part of a larger attack campaign.
117- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar anomalous process behaviors in the future."""
118[[rule.threat]]
119framework = "MITRE ATT&CK"
120[[rule.threat.technique]]
121id = "T1552"
122name = "Unsecured Credentials"
123reference = "https://attack.mitre.org/techniques/T1552/"
124[[rule.threat.technique.subtechnique]]
125id = "T1552.005"
126name = "Cloud Instance Metadata API"
127reference = "https://attack.mitre.org/techniques/T1552/005/"
128
129
130
131[rule.threat.tactic]
132id = "TA0006"
133name = "Credential Access"
134reference = "https://attack.mitre.org/tactics/TA0006/"