IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [8.11] Detections and alerts Prebuilt rule reference
« Unusual Process Writing Data to an External Device Unusual Remote File Extension »

Unusual Remote File Directoryedit

An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so attackers might use less common directories to bypass monitoring.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-90m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Use Case: Lateral Movement Detection
  • Rule Type: ML
  • Rule Type: Machine Learning
  • Tactic: Lateral Movement

Version: 4

Rule authors:

  • Elastic

Rule license: Elastic License v2

Setupedit

Setup

The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.

Lateral Movement Detection Setup

The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic’s Anomaly Detection feature.

Prerequisite Requirements:

  • Fleet is required for Lateral Movement Detection.
  • To configure Fleet Server refer to the documentation.
  • File events collected by the Elastic Defend integration.
  • To install Elastic Defend, refer to the documentation.

The following steps should be executed to install assets associated with the Lateral Movement Detection integration:

  • Go to the Kibana homepage. Under Management, click Integrations.
  • In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
  • Follow the instructions under the Installation section.
  • For this rule to work, complete the instructions through Add preconfigured anomaly detection jobs.

Framework: MITRE ATT&CKTM

« Unusual Process Writing Data to an External Device Unusual Remote File Extension »