Unusual Process Writing Data to an External Device
editUnusual Process Writing Data to an External Device
editA machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.
Rule type: machine_learning
Rule indices: None
Severity: low
Risk score: 21
Runs every: 15m
Searches indices from: now-2h (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Use Case: Data Exfiltration Detection
- Rule Type: ML
- Rule Type: Machine Learning
- Tactic: Exfiltration
Version: 4
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editSetup
The rule requires the Data Exfiltration Detection integration assets to be installed, as well as network and file events collected by integrations such as Elastic Defend and Network Packet Capture (for network events only).
Data Exfiltration Detection Setup
The Data Exfiltration Detection integration detects data exfiltration activity by identifying abnormalities in network and file events. Anomalies are detected using Elastic’s Anomaly Detection feature.
Prerequisite Requirements:
- Fleet is required for Data Exfiltration Detection.
- To configure Fleet Server refer to the documentation.
- File events collected by the Elastic Defend integration.
- To install Elastic Defend, refer to the documentation.
The following steps should be executed to install assets associated with the Data Exfiltration Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Data Exfiltration Detection and select the integration to see more details about it.
- Follow the instructions under the Installation section.
- For this rule to work, complete the instructions through Add preconfigured anomaly detection jobs.
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
-
Technique:
- Name: Exfiltration Over Physical Medium
- ID: T1052
- Reference URL: https://attack.mitre.org/techniques/T1052/