Malicious Remote File Creation
Warning
This rule has been deprecated as of 2023/12/14.
Malicious remote file creation, which can be an indicator of lateral movement activity.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Rule Severity: critical
Risk Score: 99
Runs every: 5m
Searches indices from: now-10m
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- Use Case: Lateral Movement Detection
- Tactic: Lateral Movement
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
sequence by host.name
  [file where event.action == "creation" and
   process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
  // The two categories are grouped so that the process filter applies to both;
  // EQL's "and" binds tighter than "or", so the ungrouped form would match any
  // malware event on the host regardless of the process that produced it.
  [file where (event.category == "malware" or event.category == "intrusion_detection") and
   process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
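To make the sequence semantics concrete, here is a small Python re-implementation of the two stages run over constructed endpoint events; it is an added example, not code from Elastic or the rule itself, and it assumes a simplified join (the most recent pending stage-1 event per host is consumed by the next stage-2 event, with no maxspan, which is how the rule above is written).

```python
REMOTE_PROCESSES = {"System", "scp", "sshd", "smbd", "vsftpd", "sftp-server"}
MALICIOUS_CATEGORIES = {"malware", "intrusion_detection"}

# Constructed sample telemetry (not real data). event.category is a list, as in ECS,
# so a Defend alert can carry both "file" and "malware".
SAMPLE_EVENTS = [
    {"@timestamp": 1, "host.name": "srv-a", "event.category": ["file"],
     "event.action": "creation", "process.name": "sshd", "file.path": "/tmp/a.elf"},
    {"@timestamp": 2, "host.name": "srv-a", "event.category": ["file", "malware"],
     "event.action": "creation", "process.name": "sshd", "file.path": "/tmp/a.elf"},
    # srv-b: malware alert with no prior remote-service file creation -> no sequence
    {"@timestamp": 3, "host.name": "srv-b", "event.category": ["file", "malware"],
     "event.action": "creation", "process.name": "python3", "file.path": "/home/u/x.elf"},
    # srv-c: creation by smbd, but the alert is attributed to a local process -> no sequence
    {"@timestamp": 4, "host.name": "srv-c", "event.category": ["file"],
     "event.action": "creation", "process.name": "smbd", "file.path": "/srv/share/a.exe"},
    {"@timestamp": 5, "host.name": "srv-c", "event.category": ["file", "malware"],
     "event.action": "creation", "process.name": "explorer.exe", "file.path": "/srv/share/a.exe"},
]


def stage1(ev):
    """Stage 1: a file created by one of the remote-service processes."""
    return ("file" in ev.get("event.category", [])
            and ev.get("event.action") == "creation"
            and ev.get("process.name") in REMOTE_PROCESSES)


def stage2(ev):
    """Stage 2: a malware/intrusion detection on a file, attributed to a remote-service process."""
    cats = set(ev.get("event.category", []))
    return ("file" in cats and bool(cats & MALICIOUS_CATEGORIES)
            and ev.get("process.name") in REMOTE_PROCESSES)


def find_sequences(events):
    """Return (stage1_event, stage2_event) pairs joined by host.name in timestamp order.
    Simplification (assumption): one pending stage-1 event per host, replaced by a newer
    stage-1 event and consumed by the first stage-2 event that follows it."""
    pending = {}
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev["host.name"]
        if stage2(ev) and host in pending:
            matches.append((pending.pop(host), ev))
        elif stage1(ev):
            pending[host] = ev
    return matches
```

Running `find_sequences(SAMPLE_EVENTS)` yields a single pair on srv-a; the srv-b and srv-c events show why both the prior creation and the process attribution are needed for the rule to fire.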
Framework: MITRE ATT&CK
Tactic:
- Name: Lateral Movement
- Id: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Exploitation of Remote Services
- Id: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/