Unusual Windows User Calling the Metadata Service

Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to harvest credentials or user data scripts containing secrets.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/22"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8anomaly_threshold = 75
 9author = ["Elastic"]
10description = """
11Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be
12targeted in order to harvest credentials or user data scripts containing secrets.
13"""
14false_positives = [
15    """
16    A newly installed program, or one that runs under a new or rarely used user context, could trigger this detection
17    rule. Manual interrogation of the metadata service during debugging or troubleshooting could trigger this rule.
18    """,
19]
20from = "now-45m"
21interval = "15m"
22license = "Elastic License v2"
23machine_learning_job_id = ["v3_windows_rare_metadata_user"]
24name = "Unusual Windows User Calling the Metadata Service"
25risk_score = 21
26rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
27severity = "low"
28tags = [
29    "Domain: Endpoint",
30    "OS: Windows",
31    "Use Case: Threat Detection",
32    "Rule Type: ML",
33    "Rule Type: Machine Learning",
34    "Tactic: Credential Access",
35]
36type = "machine_learning"
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1552"
41name = "Unsecured Credentials"
42reference = "https://attack.mitre.org/techniques/T1552/"
43[[rule.threat.technique.subtechnique]]
44id = "T1552.005"
45name = "Cloud Instance Metadata API"
46reference = "https://attack.mitre.org/techniques/T1552/005/"
47
48
49
50[rule.threat.tactic]
51id = "TA0006"
52name = "Credential Access"
53reference = "https://attack.mitre.org/tactics/TA0006/"

Related rules

to-top