IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Appendix Z: Downloadable rule update v8.9.7 Remote File Creation on a Sensitive Directory »

› ›

Malicious Remote File Creation

edit

Malicious Remote File Creation

edit

Malicious remote file creation, which can be an indicator of lateral movement activity.

Rule type: eql

Rule indices:

logs-endpoint.events.*

Severity: critical

Risk score: 99

Runs every: 5m

Searches indices from: now-10m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security

Tags:

Domain: Endpoint
Use Case: Lateral Movement Detection
Tactic: Lateral Movement
Data Source: Elastic Defend

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

sequence by host.name
[file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
[file where event.category == "malware" or event.category == "intrusion_detection"
and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/

« Appendix Z: Downloadable rule update v8.9.7 Remote File Creation on a Sensitive Directory »