Threat Feed
Severity: low

Unusual Process Writing Data to an External Device via Machine Learning

A machine learning job detects a rare process writing data to an external device, potentially indicating data exfiltration masked by benign-looking processes.

This detection identifies unusual processes writing data to external devices, a tactic often used by malicious actors to exfiltrate data while masking their activities with seemingly benign processes. The detection leverages machine learning to identify deviations from typical behavior patterns, specifically focusing on processes that have no legitimate reason to write data to external devices. The rule relies on the “ded_rare_process_writing_to_external_device_ea” machine learning job from the Elastic Data Exfiltration Detection integration, version 9.4.0 or later. The rule analyzes file events collected by integrations such as Elastic Defend and Network Packet Capture. This detection is important because it can uncover exfiltration attempts that might otherwise go unnoticed due to the use of legitimate-looking processes.

Attack Chain

  1. An attacker gains initial access to a system through various means (e.g., compromised credentials, software vulnerability).
  2. The attacker establishes persistence on the system, potentially using scheduled tasks or autorun keys.
  3. The attacker identifies sensitive data on the system or network.
  4. The attacker copies the sensitive data to a staging directory.
  5. The attacker uses a renamed or masqueraded legitimate process (e.g., svchost.exe, powershell.exe) to write the staged data to an external device connected to the system.
  6. The system’s file events are monitored by Elastic Defend, capturing the process writing data to the external device.
  7. The Elastic Data Exfiltration Detection integration analyzes the file events and identifies the process as rare or unusual for writing to external devices.
  8. The “Unusual Process Writing Data to an External Device” rule is triggered, alerting security analysts to the potential exfiltration attempt.

Impact

A successful attack could result in the exfiltration of sensitive data, leading to financial loss, reputational damage, and legal repercussions. While the severity is “low,” a successful exfiltration can have significant consequences. The number of victims and the specific sectors targeted depend on the attacker’s objectives and the compromised system’s access to sensitive information.

Recommendation

  • Install and configure the Data Exfiltration Detection integration in Elastic, ensuring the machine learning job ded_rare_process_writing_to_external_device_ea is enabled, as described in the setup documentation.
  • Enable file event collection using Elastic Defend to provide the necessary data for the machine learning job, as detailed in the Elastic Defend documentation.
  • Deploy the provided Sigma rule to your SIEM and tune the anomaly_threshold based on your environment’s baseline behavior to reduce false positives.
  • Investigate any alerts generated by this rule, following the triage and analysis guidance to determine the legitimacy of the activity.

Detection coverage (2 rules)

Detect Rare Process Writing to Removable Media (Sysmon)

medium

Detects a process that is not commonly seen writing data to removable media (USB drives, external hard drives) using Sysmon event data.

Format: sigma. Tactics: exfiltration. Techniques: T1052.001. Sources: file_event, windows.

Detect Rare Process Writing to Removable Media (Process Creation)

medium

Detects a process that is not commonly seen writing data to removable media by monitoring process creation events and looking for command-line arguments indicating file writes to typical removable media paths.

Format: sigma. Tactics: exfiltration. Techniques: T1052.001. Sources: process_creation, windows.
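To make the rarity idea behind both rules concrete, here is an added example (not the Elastic ML job or either Sigma rule) that runs a simplified baseline over constructed file-write events: it marks paths on non-C: drive letters and common Linux removable mount points as external media, counts how often each process writes there, and flags processes whose share of such writes falls below a tunable threshold; the path patterns, the event shape and the scoring are all assumptions made for the example.

```python
"""Added example: rare-process-to-removable-media detection over constructed events.
A frequency baseline stands in for the ML job described on the page."""
import re
from collections import Counter

# Assumption: drive letters other than C:, plus common Linux mount points, are removable media.
REMOVABLE_PATH = re.compile(r"^(?:[D-Zd-z]:\\|/media/|/mnt/|/run/media/)")

# Constructed file-write events: (process name, target path). Not real telemetry.
SAMPLE_EVENTS = [
    ("explorer.exe", r"D:\photos\img1.jpg"),
    ("explorer.exe", r"D:\photos\img2.jpg"),
    ("explorer.exe", r"C:\Users\a\Desktop\notes.txt"),
    ("backup.exe", r"E:\backups\2024-01.zip"),
    ("backup.exe", r"E:\backups\2024-02.zip"),
    ("backup.exe", r"E:\backups\2024-03.zip"),
    ("svchost.exe", r"E:\staging\finance.7z"),   # unusual writer for this host
    ("winword.exe", r"C:\Users\a\Documents\report.docx"),
    ("rsync", "/media/usb0/dump.tar"),
]


def is_removable(path: str) -> bool:
    """True when the target path sits on what we treat as removable media."""
    return bool(REMOVABLE_PATH.match(path))


def build_baseline(events):
    """Count removable-media writes per process: the 'normal' population."""
    return Counter(proc for proc, path in events if is_removable(path))


def rare_writers(events, baseline, anomaly_threshold: float = 0.25):
    """Return (process, path, share) for removable-media writes by processes
    whose share of all such writes is below anomaly_threshold. The threshold
    is a simplified stand-in for the tunable value the page recommends adjusting."""
    total = sum(baseline.values())
    hits = []
    for proc, path in events:
        if not is_removable(path):
            continue
        share = baseline[proc] / total if total else 0.0
        if share < anomaly_threshold:
            hits.append((proc, path, round(share, 3)))
    return hits


if __name__ == "__main__":
    for proc, path, share in rare_writers(SAMPLE_EVENTS, build_baseline(SAMPLE_EVENTS)):
        print(f"rare removable-media writer: {proc} -> {path} (share {share})")
```

In a real deployment the baseline would be learned over days of events per host rather than from the same batch being scored, which is what the ML job does for you.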
