IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Spike in Number of Processes in an RDP Session Unusual Time or Day for an RDP Session »

› ›

Spike in Remote File Transfers

edit

Spike in Remote File Transfers

edit

A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-90m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Lateral Movement Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Lateral Movement

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/

« Spike in Number of Processes in an RDP Session Unusual Time or Day for an RDP Session »