Unusual Windows Process Calling the Metadata Service

  1[metadata]
  2creation_date = "2020/09/22"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8anomaly_threshold = 50
  9author = ["Elastic"]
 10description = """
 11Looks for anomalous access to the metadata service by an unusual process. The metadata service may be targeted in order
 12to harvest credentials or user data scripts containing secrets.
 13"""
 14false_positives = [
 15    """
 16    A newly installed program or one that runs very rarely as part of a monthly or quarterly workflow could trigger this
 17    detection rule.
 18    """,
 19]
 20from = "now-45m"
 21interval = "15m"
 22license = "Elastic License v2"
 23machine_learning_job_id = ["v3_windows_rare_metadata_process"]
 24name = "Unusual Windows Process Calling the Metadata Service"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating Unusual Windows Process Calling the Metadata Service
 31
 32In cloud environments, the metadata service provides essential instance information, including credentials and configuration data. Adversaries may exploit this by using atypical Windows processes to access the service, aiming to extract sensitive information. The detection rule leverages machine learning to identify anomalies in process behavior, flagging potential credential access attempts by unusual processes.
 33
 34### Possible investigation steps
 35
 36- Review the process name and command line arguments associated with the alert to identify any unusual or suspicious activity.
 37- Check the parent process of the flagged process to understand the context of how it was initiated and assess if it aligns with expected behavior.
 38- Investigate the user account under which the process was executed to determine if it has legitimate access to the metadata service or if it has been compromised.
 39- Analyze network logs to identify any outbound connections to the metadata service from the flagged process, noting any unusual patterns or destinations.
 40- Cross-reference the process and user activity with recent changes or deployments in the environment to rule out false positives related to legitimate administrative actions.
 41- Consult threat intelligence sources to see if the process or command line arguments have been associated with known malicious activity or campaigns.
 42
 43### False positive analysis
 44
 45- Routine system updates or maintenance scripts may trigger the rule. Review the process details and verify if they align with scheduled maintenance activities. If confirmed, consider adding these processes to an exception list.
 46- Legitimate software or security tools that access the metadata service for configuration purposes might be flagged. Identify these tools and create exceptions for their known processes to prevent future alerts.
 47- Automated backup or monitoring solutions that interact with the metadata service could be misidentified as threats. Validate these processes and exclude them if they are part of authorized operations.
 48- Custom scripts developed in-house for cloud management tasks may access the metadata service. Ensure these scripts are documented and, if safe, add them to the list of exceptions to reduce false positives.
 49
 50### Response and remediation
 51
 52- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 53- Terminate the unusual process accessing the metadata service to stop any ongoing credential harvesting attempts.
 54- Conduct a thorough review of the system's event logs and process history to identify any additional indicators of compromise or related malicious activity.
 55- Change all credentials that may have been exposed or accessed through the metadata service to mitigate the risk of unauthorized access.
 56- Implement network segmentation to limit access to the metadata service, ensuring only authorized processes and users can interact with it.
 57- Escalate the incident to the security operations center (SOC) for further analysis and to determine if the threat is part of a larger attack campaign.
 58- Update and enhance endpoint detection and response (EDR) solutions to improve monitoring and alerting for similar anomalous process behaviors in the future."""
 59risk_score = 21
 60rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 61setup = """## Setup
 62
 63This rule requires the installation of associated Machine Learning jobs, as well as data coming in from one of the following integrations:
 64- Elastic Defend
 65- Windows
 66
 67### Anomaly Detection Setup
 68
 69Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
 70
 71### Elastic Defend Integration Setup
 72Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 73
 74#### Prerequisite Requirements:
 75- Fleet is required for Elastic Defend.
 76- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 77
 78#### The following steps should be executed in order to add the Elastic Defend integration to your system:
 79- Go to the Kibana home page and click "Add integrations".
 80- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 81- Click "Add Elastic Defend".
 82- Configure the integration name and optionally add a description.
 83- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
 84- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 85- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 86- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 87For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 88- Click "Save and Continue".
 89- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 90For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 91
 92### Windows Integration Setup
 93The Windows integration allows you to monitor the Windows OS, services, applications, and more.
 94
 95#### The following steps should be executed in order to add the Elastic Agent System integration "windows" to your system:
 96- Go to the Kibana home page and click “Add integrations”.
 97- In the query bar, search for “Windows” and select the integration to see more details about it.
 98- Click “Add Windows”.
 99- Configure the integration name and optionally add a description.
100- Review optional and advanced settings accordingly.
101- Add the newly installed “windows” to an existing or a new agent policy, and deploy the agent on your system from which windows log files are desirable.
102- Click “Save and Continue”.
103- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/windows).
104"""
105severity = "low"
106tags = [
107    "Domain: Endpoint",
108    "OS: Windows",
109    "Use Case: Threat Detection",
110    "Rule Type: ML",
111    "Rule Type: Machine Learning",
112    "Tactic: Credential Access",
113    "Resources: Investigation Guide",
114]
115type = "machine_learning"
116[[rule.threat]]
117framework = "MITRE ATT&CK"
118[[rule.threat.technique]]
119id = "T1552"
120name = "Unsecured Credentials"
121reference = "https://attack.mitre.org/techniques/T1552/"
122[[rule.threat.technique.subtechnique]]
123id = "T1552.005"
124name = "Cloud Instance Metadata API"
125reference = "https://attack.mitre.org/techniques/T1552/005/"
126
127
128
129[rule.threat.tactic]
130id = "TA0006"
131name = "Credential Access"
132reference = "https://attack.mitre.org/tactics/TA0006/"