Malicious Remote File Creation


Malicious remote file creation, which can be an indicator of lateral movement activity.

Rule type: eql

Rule indices:

  • logs-endpoint.events.*

Severity: critical

Risk score: 99

Runs every: 5m

Searches indices from: now-10m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Endpoint
  • Use Case: Lateral Movement Detection
  • Tactic: Lateral Movement
  • Data Source: Elastic Defend

Version: 1

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

sequence by host.name
  [file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
  [file where event.category == "malware" or event.category == "intrusion_detection"
   and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")]
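To see what the two stages of this sequence actually correlate, here is an added Python stand-in for the query, not Elastic's code. It assumes event.category can be multi-valued on Elastic Defend alert documents, and it approximates "sequence by host.name" with simple oldest-first pairing and no maxspan.

```python
from collections import defaultdict

REMOTE_PROCS = {"System", "scp", "sshd", "smbd", "vsftpd", "sftp-server"}

def categories(ev):
    # Assumption: alert documents may carry several event.category values
    # (e.g. ["file", "malware"]), so treat the field as a set.
    cat = ev.get("event.category", [])
    return set(cat) if isinstance(cat, list) else {cat}

def stage1(ev):
    # [file where event.action == "creation" and process.name : (...)]
    return ("file" in categories(ev) and ev.get("event.action") == "creation"
            and ev.get("process.name") in REMOTE_PROCS)

def stage2(ev):
    # [file where event.category == "malware" or event.category == "intrusion_detection"
    #  and process.name : (...)]
    # Mirrors the query as written: 'and' binds tighter than 'or', so the
    # process.name filter only constrains the intrusion_detection branch.
    cats = categories(ev)
    return "file" in cats and ("malware" in cats or (
        "intrusion_detection" in cats and ev.get("process.name") in REMOTE_PROCS))

def correlate(events):
    """Pair each stage-2 hit with the oldest unmatched stage-1 event on the same host.

    Simplified stand-in for 'sequence by host.name'; returns (stage1, stage2) tuples.
    """
    pending = defaultdict(list)
    matches = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        host = ev.get("host.name")
        if stage2(ev) and pending[host]:
            matches.append((pending[host].pop(0), ev))
        elif stage1(ev):
            pending[host].append(ev)
    return matches

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"@timestamp": "2024-01-01T10:00:00Z", "host.name": "web-01", "event.category": ["file"],
     "event.action": "creation", "process.name": "sshd", "file.path": "/tmp/x.elf"},
    {"@timestamp": "2024-01-01T10:00:05Z", "host.name": "web-01",
     "event.category": ["file", "malware"], "event.action": "creation", "process.name": "sshd"},
    {"@timestamp": "2024-01-01T10:01:00Z", "host.name": "db-02", "event.category": ["file"],
     "event.action": "creation", "process.name": "bash"},  # local process: not stage 1
    {"@timestamp": "2024-01-01T10:01:05Z", "host.name": "db-02",
     "event.category": ["file", "intrusion_detection"], "process.name": "sshd"},  # no stage 1
]
```

Only web-01 produces a pair; db-02 has a stage-2 hit with no preceding remote-daemon file creation, which is the correlation the rule adds over a plain malware alert.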

Framework: MITRE ATT&CK™