IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Remote File Creation on a Sensitive Directory
Discovery of files created by a remote host in sensitive directories and folders. Remote file creation in these directories could indicate a malicious binary or script trying to compromise the system.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-10m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- Use Case: Lateral Movement Detection
- Tactic: Lateral Movement
- Data Source: Elastic Defend
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
file where (event.action == "creation" or event.action == "modification") and
  process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server") and
  not user.name:("SYSTEM", "root") and
  (file.path : ("C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*", "C*\\Windows\\*",
                "C*\\Windows\\System\\*", "C*\\Windows\\System32\\*", "/etc/*", "/tmp*",
                "/var/tmp*", "/home/*/.*", "/home/.*", "/usr/bin/*", "/sbin/*", "/bin/*",
                "/usr/lib/*", "/usr/sbin/*", "/usr/share/*", "/usr/local/*",
                "/var/lib/dpkg/*", "/lib/systemd/*"))
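To see how the rule's clauses combine, here is an added Python re-implementation of its matching logic (not the page's or Elastic's own code; EQL evaluation is simplified in that missing fields are treated as empty strings) run over constructed endpoint events:

```python
from fnmatch import fnmatchcase

# Process names and excluded users from the rule; EQL ':' is case-insensitive.
REMOTE_PROCESSES = {"system", "scp", "sshd", "smbd", "vsftpd", "sftp-server"}
EXCLUDED_USERS = {"system", "root"}
# Same path patterns as the rule; the wildcard '*' spans path separators too.
SENSITIVE_PATHS = [
    "C*\\Users\\*\\AppData\\Roaming*", "C*\\Program*Files\\*", "C*\\Windows\\*",
    "C*\\Windows\\System\\*", "C*\\Windows\\System32\\*",
    "/etc/*", "/tmp*", "/var/tmp*", "/home/*/.*", "/home/.*",
    "/usr/bin/*", "/sbin/*", "/bin/*", "/usr/lib/*", "/usr/sbin/*",
    "/usr/share/*", "/usr/local/*", "/var/lib/dpkg/*", "/lib/systemd/*",
]

def wildcard_match(value, pattern):
    """Approximate EQL ':' with wildcards: case-insensitive, '*' = any run."""
    return fnmatchcase(value.lower(), pattern.lower())

def matches_rule(event):
    """True when one event satisfies every clause of the rule.
    Simplification (assumption): missing fields are treated as empty strings."""
    if event.get("event.action") not in ("creation", "modification"):
        return False
    if event.get("process.name", "").lower() not in REMOTE_PROCESSES:
        return False
    if event.get("user.name", "").lower() in EXCLUDED_USERS:
        return False
    path = event.get("file.path", "")
    return any(wildcard_match(path, p) for p in SENSITIVE_PATHS)

# Constructed endpoint events (not real telemetry); comments say why each alerts or not.
SAMPLE_EVENTS = [
    {"event.action": "creation", "process.name": "sshd", "user.name": "alice",
     "file.path": "/etc/cron.d/backup"},                      # alerts
    {"event.action": "creation", "process.name": "sshd", "user.name": "root",
     "file.path": "/etc/cron.d/backup"},                      # root excluded
    {"event.action": "creation", "process.name": "System", "user.name": "bob",
     "file.path": "C:\\Windows\\System32\\drivers\\x.sys"},  # alerts
    {"event.action": "creation", "process.name": "bash", "user.name": "alice",
     "file.path": "/tmp/x.sh"},                               # local process
    {"event.action": "deletion", "process.name": "scp", "user.name": "alice",
     "file.path": "/usr/local/bin/tool"},                     # not create/modify
    {"event.action": "modification", "process.name": "smbd", "user.name": "carol",
     "file.path": "/home/carol/.bashrc"},                     # alerts
]

def alerting_events(events):
    """Filter events down to those that would raise this alert."""
    return [e for e in events if matches_rule(e)]
```

Running `alerting_events(SAMPLE_EVENTS)` returns the three alerting events (alice, bob, carol); the root, bash and deletion events are dropped by the user, process and action clauses respectively.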
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Lateral Movement
  - ID: TA0008
  - Reference URL: https://attack.mitre.org/tactics/TA0008/
- Technique:
  - Name: Exploitation of Remote Services
  - ID: T1210
  - Reference URL: https://attack.mitre.org/techniques/T1210/