IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Remote File Creation on a Sensitive Directoryedit
Discovery of files created by a remote host on sensitive directories and folders. Remote file creation in these directories could indicate a malicious binary or script trying to compromise the system.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-10m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- Use Case: Lateral Movement Detection
- Tactic: Lateral Movement
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule queryedit
file where (event.action == "creation" or event.action == "modification") and
process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and not
user.name:("SYSTEM", "root") and
(file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*",
"C*\\Windows\\*", "C*\\Windows\\System\\*",
"C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
"/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*",
"/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
"/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*",
"/lib/systemd/*"
)
)
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/