Unusual Windows User Calling the Metadata Service

 1[metadata]
 2creation_date = "2020/09/22"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2023/07/27"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9[rule]
10anomaly_threshold = 75
11author = ["Elastic"]
12description = """
13Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be
14targeted in order to harvest credentials or user data scripts containing secrets.
15"""
16false_positives = [
17    """
18    A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection
19    rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
20    """,
21]
22from = "now-45m"
23interval = "15m"
24license = "Elastic License v2"
25machine_learning_job_id = ["v3_windows_rare_metadata_user"]
26name = "Unusual Windows User Calling the Metadata Service"
27risk_score = 21
28rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
29severity = "low"
30tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
31type = "machine_learning"
32
33[[rule.threat]]
34framework = "MITRE ATT&CK"
35[[rule.threat.technique]]
36id = "T1552"
37name = "Unsecured Credentials"
38reference = "https://attack.mitre.org/techniques/T1552/"
39
40
41    [[rule.threat.technique.subtechnique]]
42    id = "T1552.005"
43    name = "Cloud Instance Metadata API"
44    reference = "https://attack.mitre.org/techniques/T1552/005/"
45
46
47[rule.threat.tactic]
48id = "TA0006"
49name = "Credential Access"
50reference = "https://attack.mitre.org/tactics/TA0006/"```