{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/machine-learning/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data exfiltration","machine learning","external device"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Data Exfiltration Detection integration, part of the Elastic Security suite, includes a machine learning job designed to detect anomalies in data transfer patterns to external devices. This job, named \u0026ldquo;ded_high_bytes_written_to_external_device,\u0026rdquo; identifies unusual increases in the amount of data written to external devices, which could indicate data exfiltration attempts. The system establishes a baseline of normal activity and flags deviations from that baseline, operating on a 15-minute interval and examining data from the preceding two hours. While this rule is intended to detect malicious data exfiltration, legitimate activities like backups, software updates, archiving, and media creation can trigger false positives. 
The rule is enabled via the Data Exfiltration Detection integration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system via compromised credentials or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates sensitive data on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker stages the data for exfiltration, possibly compressing or archiving it.\u003c/li\u003e\n\u003cli\u003eThe attacker connects an external device (e.g., USB drive) to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a large data transfer to the external device.\u003c/li\u003e\n\u003cli\u003eThe Data Exfiltration Detection machine learning job detects a significant increase in bytes written to the external device, triggering an alert.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the external device containing the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the external device to access the stolen data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful data exfiltration event can result in the loss of sensitive information, potentially leading to financial losses, reputational damage, legal repercussions, and competitive disadvantage. Although the specific number of victims and targeted sectors are not specified, the potential impact is broad, affecting any organization that stores sensitive data on systems accessible to malicious actors. 
The severity depends on the nature and volume of the exfiltrated data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and tune the Data Exfiltration Detection integration\u0026rsquo;s configuration, specifically the \u0026ldquo;ded_high_bytes_written_to_external_device\u0026rdquo; machine learning job, to reduce false positives related to legitimate data transfer activities.\u003c/li\u003e\n\u003cli\u003eImplement and enforce data transfer policies to restrict the unauthorized use of external devices and ensure compliance with organizational security standards.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices, as recommended in the rule\u0026rsquo;s response and remediation guidance.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Spike in Bytes Sent to an External Device\u0026rdquo; rule (rule_id: \u0026ldquo;35a3b253-eea8-46f0-abd3-68bdd47e6e3d\u0026rdquo;) to determine the legitimacy of the data transfer and take appropriate action.\u003c/li\u003e\n\u003cli\u003eConsult the investigation guide provided in the rule\u0026rsquo;s notes section to aid in the triage and analysis of potential data exfiltration incidents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T12:00:00Z","date_published":"2026-04-02T12:00:00Z","id":"/briefs/2026-04-high-bytes-written-to-external-device/","summary":"A machine learning job has detected a spike in bytes written to an external device, which is anomalous and can signal illicit data copying or transfer activities, potentially leading to data exfiltration.","title":"Unusual Spike in Bytes Written to External Device Detected by Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2026-04-high-bytes-written-to-external-device/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","machine-learning","network-traffic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert is triggered by a machine learning job, \u003ccode\u003eded_high_sent_bytes_destination_region_name_ea\u003c/code\u003e, that detects data exfiltration to unusual geographical regions based on network traffic patterns. The Data Exfiltration Detection integration, including Elastic Defend and Network Packet Capture, is required for this detection to function. This integration analyzes network and file events to identify abnormalities in data transfer volumes to different geographical locations, specifically by region name. Anomalous traffic patterns, particularly those involving high volumes of data being sent to regions outside the organization\u0026rsquo;s typical network activity, could indicate malicious actors attempting to exfiltrate sensitive data via command and control channels. This detection provides defenders with an early warning of potential data breaches. 
Version requirements: Elastic Stack version 9.4.0 or later is required to leverage the Entity Analytics (EA) fields.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a system within the network through various means, such as exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker establishes a command and control (C2) channel to communicate with the compromised system.\u003c/li\u003e\n\u003cli\u003eData Collection: The attacker identifies and collects sensitive data from various sources within the network.\u003c/li\u003e\n\u003cli\u003eStaging: The collected data is staged in a temporary location, compressed, and potentially encrypted for exfiltration.\u003c/li\u003e\n\u003cli\u003eExfiltration: The attacker uses the C2 channel to transfer the staged data to an external location in an unusual geographic region.\u003c/li\u003e\n\u003cli\u003eEvasion: The attacker may attempt to obfuscate the data transfer by using techniques such as tunneling or encryption to avoid detection.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker may attempt to remove traces of their activity, such as deleting logs or files, to hinder investigation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful data exfiltration attack can result in the loss of sensitive information, including intellectual property, customer data, and financial records. The risk score for this rule is 21, which indicates a moderate level of risk. Detection of this activity allows security teams to quickly respond and mitigate the potential damage. 
Early detection helps prevent large-scale data breaches and minimizes the impact on the organization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Data Exfiltration Detection integration assets are installed and properly configured, including Elastic Defend and Network Packet Capture (see Setup instructions in content).\u003c/li\u003e\n\u003cli\u003eReview the geo-location details flagged by the alert to determine if the region is indeed unusual for the organization\u0026rsquo;s typical network traffic patterns (see Triage and Analysis in content).\u003c/li\u003e\n\u003cli\u003eAnalyze the network traffic logs associated with the alert to identify the volume and type of data being transferred to the unusual region (see Triage and Analysis in content).\u003c/li\u003e\n\u003cli\u003eImplement geo-blocking measures to restrict data transfers to the identified unusual region, ensuring that only approved regions can communicate with the network (see Response and Remediation in content).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect processes initiating network connections to unusual regions based on the \u003ccode\u003eDestinationGeoRegion\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-02T10:00:00Z","date_published":"2024-05-02T10:00:00Z","id":"/briefs/2024-05-data-exfiltration-unusual-region/","summary":"A machine learning job has detected potential data exfiltration activity to an unusual geographical region, specifically by region name, indicating exfiltration over command and control channels.","title":"Potential Data Exfiltration to Unusual Geographic Region via Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-05-data-exfiltration-unusual-region/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","data-exfiltration","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection leverages machine learning to identify unusual remote file sizes, a tactic often used during lateral movement. After gaining initial access, adversaries frequently aim to locate and exfiltrate valuable data. To avoid raising alarms with numerous small transfers, they may consolidate data into a single large file. This rule, built upon the Elastic Lateral Movement Detection integration, specifically uses the \u003ccode\u003elmd_high_file_size_remote_file_transfer_ea\u003c/code\u003e machine learning job. The integration requires the \u003ccode\u003ehost.ip\u003c/code\u003e field to be populated and Elastic Defend to be properly configured. This detection is critical for organizations seeking to identify and prevent data exfiltration attempts early in the attack lifecycle. The integration assets must be installed and file and Windows RDP process events collected by Elastic Defend.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains access to a host within the network, potentially through compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker performs reconnaissance to identify valuable data stores, network shares, and potential exfiltration targets.\u003c/li\u003e\n\u003cli\u003eCollection: The attacker gathers sensitive data from various sources within the compromised network. 
This data could include documents, databases, or other confidential information.\u003c/li\u003e\n\u003cli\u003eData Consolidation: To avoid detection, the attacker bundles the collected data into a single, large file. This could involve archiving, compression, or other methods of aggregation.\u003c/li\u003e\n\u003cli\u003eLateral Tool Transfer: The attacker uses remote services or tools to transfer the large file to a remote host within the network (T1570).\u003c/li\u003e\n\u003cli\u003eExfiltration Preparation: The attacker stages the large file on the remote host, preparing it for exfiltration outside the network.\u003c/li\u003e\n\u003cli\u003eExfiltration: The attacker initiates the transfer of the large file from the compromised network to an external destination, potentially using protocols like RDP.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker attempts to remove traces of the activity, such as deleting temporary files or logs, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the exfiltration of sensitive data, potentially resulting in financial loss, reputational damage, and legal liabilities. The detection of unusual remote file sizes can help organizations identify and prevent data exfiltration attempts before they cause significant harm. Depending on the sensitivity of the exfiltrated data, the impact could range from minor inconvenience to a major security breach affecting thousands of individuals or customers.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated as required by the rule. 
For Elastic Defend versions 8.18 and above, verify that host IP collection is enabled following the provided \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets, including the \u003ccode\u003elmd_high_file_size_remote_file_transfer_ea\u003c/code\u003e machine learning job. Follow the setup instructions detailed in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003edocumentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the anomaly threshold (\u003ccode\u003eanomaly_threshold = 70\u003c/code\u003e) of the machine learning job based on your environment\u0026rsquo;s baseline to reduce false positives.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit lateral movement, as suggested in the \u0026ldquo;Response and remediation\u0026rdquo; section of the rule documentation.\u003c/li\u003e\n\u003cli\u003eEnhance monitoring and logging for unusual file transfer activities and remote access attempts as stated in the rule documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-30T10:00:00Z","date_published":"2024-04-30T10:00:00Z","id":"/briefs/2024-04-30-unusual-remote-file-size/","summary":"A machine learning job has detected an unusually high file size shared by a remote host, indicating potential lateral movement as attackers bundle data into a single large file transfer to evade detection when exfiltrating valuable information.","title":"Unusual Remote File Size Indicating Lateral 
Movement","url":"https://feed.craftedsignal.io/briefs/2024-04-30-unusual-remote-file-size/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","rdp","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief addresses the detection of unusually long Remote Desktop Protocol (RDP) sessions, identified by a pre-built Elastic machine learning job named \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e. Attackers can abuse RDP for lateral movement and maintaining persistence within a network. Extended RDP sessions can also be used to evade detection mechanisms. This detection leverages machine learning to identify deviations from normal RDP session durations, potentially indicating malicious activity. The detection rule has been available since October 2023, and the corresponding ML job is part of the Lateral Movement Detection integration, requiring Elastic Stack version 9.4.0 or later. 
The rule depends on the \u003ccode\u003ehost.ip\u003c/code\u003e field to be populated, which may require enabling host IP collection in Elastic Defend versions 8.18 and above.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network, possibly through phishing or exploiting a public-facing application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages valid credentials or exploits a vulnerability to establish an RDP connection to a target system.\u003c/li\u003e\n\u003cli\u003eThe RDP session is maintained for an extended period, significantly longer than typical RDP sessions within the environment.\u003c/li\u003e\n\u003cli\u003eDuring the prolonged RDP session, the attacker performs reconnaissance, gathering information about the network and target systems.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the network, using the established RDP session as a persistent access point.\u003c/li\u003e\n\u003cli\u003eThe attacker executes malicious commands or transfers files, potentially installing malware or exfiltrating sensitive data.\u003c/li\u003e\n\u003cli\u003eThe unusually long RDP session duration helps the attacker to remain undetected and evade security measures.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and undetected lateral movement via prolonged RDP sessions can lead to significant data breaches, system compromise, and financial loss. The impact includes potential theft of sensitive information, disruption of business operations, and reputational damage. 
If an adversary establishes a persistent foothold via RDP, they can maintain long-term access to the compromised environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure \u003ccode\u003ehost.ip\u003c/code\u003e field is populated by enabling host IP collection if using Elastic Defend versions 8.18 and above, as described in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall and configure the Lateral Movement Detection integration in Kibana as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job \u003ccode\u003elmd_high_mean_rdp_session_duration_ea\u003c/code\u003e by adjusting the \u003ccode\u003eanomaly_threshold\u003c/code\u003e based on your environment and RDP usage patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate triggered alerts from the \u0026ldquo;High Mean of RDP Session Duration\u0026rdquo; rule following the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003etriage and analysis guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Windows RDP process events collected by the \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e integration for suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T18:10:00Z","date_published":"2024-01-24T18:10:00Z","id":"/briefs/2024-01-high-mean-rdp-session/","summary":"A machine learning job detected an unusually high mean of RDP session duration, indicative of potential lateral movement or persistent access attempts by adversaries abusing RDP.","title":"Unusually High Mean of RDP Session Duration Detected by Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-high-mean-rdp-session/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","lolbins","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates from an Elastic machine learning job named \u003ccode\u003eproblem_child_rare_process_by_parent_ea\u003c/code\u003e designed to detect Living off the Land (LotL) attacks on Windows systems. The model identifies processes spawned by parent processes that are statistically rare and have a high probability of being malicious based on the \u0026ldquo;ProblemChild\u0026rdquo; supervised learning model. This approach aims to uncover malicious activities that utilize legitimate system binaries (LOLbins) for nefarious purposes, effectively bypassing traditional signature-based detections. The alert relies on Windows process events collected by Elastic Defend or Winlogbeat with the LotL Attack Detection integration. 
This detection method becomes particularly important as attackers increasingly rely on existing tools to blend in with normal system activity and avoid raising suspicion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access via unspecified means (e.g., phishing, compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker leverages a legitimate system binary (LOLbin) such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLbin is used to execute a malicious payload or script.\u003c/li\u003e\n\u003cli\u003eThe malicious process is spawned as a child process of the LOLbin.\u003c/li\u003e\n\u003cli\u003eElastic\u0026rsquo;s machine learning model identifies the child process as rare and potentially malicious based on its parent-child relationship and other features.\u003c/li\u003e\n\u003cli\u003eThe rare process executes malicious commands, possibly downloading further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack utilizing LOLbins can lead to significant compromise, including data theft, system disruption, and further propagation within the network. The reliance on trusted system binaries makes these attacks difficult to detect with traditional methods, potentially allowing attackers to operate undetected for extended periods. 
The impact is directly correlated to the privileges of the initial compromised account and the effectiveness of lateral movement techniques employed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, as described in the rule\u0026rsquo;s \u003ccode\u003esetup\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview the parent and child process names identified in the alert to determine if they are legitimate applications or associated with LOLbins, as detailed in the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate the command-line arguments used by the suspicious process for potentially malicious commands or scripts as described in the rule \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e setting in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to reduce false positives, as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement exceptions for legitimate administrative tools and software updates to reduce false positives, as mentioned in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"/briefs/2024-01-unusual-process-spawn/","summary":"A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLbins usage and evading traditional detection.","title":"Unusual Process Spawned by a Parent Process via Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-process-spawn/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential lateral movement within a network by flagging unusual remote file transfers to directories that are not commonly monitored. Attackers often leverage less scrutinized file paths to evade standard security measures and deploy malicious payloads. This detection relies on the \u0026ldquo;lmd_rare_file_path_remote_transfer_ea\u0026rdquo; machine learning job within Elastic Security, which analyzes file and Windows RDP process events to identify anomalous file transfers based on the destination directory. The detection is part of the Lateral Movement Detection integration and requires Elastic Defend and Fleet for full functionality. This is important for defenders because attackers will try to blend in with normal file transfer activity by using uncommon directories.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system within the network (e.g., via phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target host for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a remote service (e.g., RDP, SMB) to connect to the target host.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to transfer malicious files to the target host.\u003c/li\u003e\n\u003cli\u003eInstead of using common directories like \u0026ldquo;C:\\Windows\\Temp\u0026rdquo; or \u0026ldquo;C:\\ProgramData\u0026rdquo;, the attacker chooses a less monitored directory to evade detection.\u003c/li\u003e\n\u003cli\u003eThe remote service is leveraged to perform the file transfer to the atypical 
directory.\u003c/li\u003e\n\u003cli\u003eThe transferred file is then executed, potentially leading to command execution or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective (e.g., data exfiltration, ransomware deployment) on the target host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, compromise of critical systems, and potential disruption of business operations. Although this detection is rated as low severity, successful lateral movement can lead to significant damage. The number of affected hosts and the severity of the impact depends on the attacker\u0026rsquo;s objectives and the organization\u0026rsquo;s security posture. Lateral movement allows attackers to gain a deeper foothold within the network and increase the scope of their malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the \u003ccode\u003ehost.ip\u003c/code\u003e field is populated in Elastic Defend events by following the configuration steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003eElastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the anomaly_threshold in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to minimize false positives, as mentioned in the rule\u0026rsquo;s configuration.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, paying close attention to the source and destination IP addresses, the user 
account involved, and the specific directory used for the file transfer as outlined in the \u003ca href=\"#triage-and-analysis\"\u003etriage and analysis section\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-22-unusual-remote-file-directory/","summary":"An Elastic machine learning job detects anomalous remote file transfers to unusual directories, indicating potential lateral movement by attackers attempting to bypass standard security monitoring.","title":"Unusual Remote File Directory Lateral Movement Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-22-unusual-remote-file-directory/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Elastic ProblemChild integration leverages machine learning to identify suspicious Windows process clusters associated with specific users. This detection focuses on processes flagged as malicious by a supervised ML model, further refined by an unsupervised ML model that identifies unusually high aggregate scores within process clusters. This combination aims to detect activity that may evade traditional signature-based detections, such as the use of Living-off-the-Land Binaries (LOLbins) for masquerading. The models are trained to identify processes exhibiting characteristics indicative of malicious intent, making it possible to expose attackers using legitimate system tools for malicious purposes. 
The integration requires Windows process events collected by Elastic Defend or Winlogbeat and the Living off the Land (LotL) Attack Detection integration assets to be installed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute malicious commands using LOLbins (e.g., PowerShell, cmd.exe, mshta.exe).\u003c/li\u003e\n\u003cli\u003eThese processes are spawned with potentially obfuscated or unusual command-line arguments to evade basic detection.\u003c/li\u003e\n\u003cli\u003eThe ProblemChild supervised ML model analyzes process characteristics and assigns a malicious probability score.\u003c/li\u003e\n\u003cli\u003eAn unsupervised ML model aggregates the scores of related processes associated with the same user, identifying unusually high clusters.\u003c/li\u003e\n\u003cli\u003eThe rule triggers based on the combined supervised and unsupervised ML scores, indicating a high likelihood of malicious activity.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to use masquerading techniques to further disguise their actions by renaming files or using legitimate process names.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal could be data exfiltration, lateral movement, or establishing persistence on the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging LOLbins and masquerading techniques can lead to significant damage, including data breaches, system compromise, and disruption of services. The use of legitimate tools makes detection challenging, potentially allowing attackers to operate undetected for extended periods. While the number of victims and specific sectors are unknown, any organization running Windows systems is potentially vulnerable. 
The impact of a successful attack depends on the attacker\u0026rsquo;s objectives but can range from minor data theft to complete system takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration assets are installed and properly configured as described in the setup instructions of the rule.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;User Detected with Suspicious Windows Process(es)\u0026rdquo; ML job (machine_learning_job_id: \u003ccode\u003eproblem_child_high_sum_by_user_ea\u003c/code\u003e) and tune the anomaly threshold for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Windows process event collection via Elastic Defend or Winlogbeat (Rule Setup) to provide the necessary data for the ML models.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative tools and software updates that may trigger false positives, as described in the False Positive Analysis section of the rule note.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and detection rules to identify similar patterns of behavior in the future, focusing on the specific tactics and techniques used in this incident (Rule Note).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-22T12:00:00Z","date_published":"2024-01-22T12:00:00Z","id":"/briefs/2024-01-problemchild-suspicious-windows-processes/","summary":"The ProblemChild machine learning model has detected a user with suspicious Windows processes exhibiting unusually high malicious probability scores, potentially indicating defense evasion via masquerading or LOLbins.","title":"ProblemChild ML Detection of Suspicious Windows 
Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-problemchild-suspicious-windows-processes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["dga","command-and-control","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief describes a detection of potential DGA (Domain Generation Algorithm) activity identified by an Elastic machine learning job. DGAs are often used by malware for command and control (C2) communication, generating domain names dynamically to evade detection. The machine learning job, \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e, analyzes DNS requests to identify source IP addresses that exhibit a high probability of DGA activity. This detection relies on the DGA Detection integration, which includes an ML-based framework to detect DGA activity in DNS events. The integration requires Fleet and DNS events collected by integrations such as Elastic Defend, Network Packet Capture, or Packetbeat. This activity matters for defenders because successful DGA-based C2 channels can allow malware to maintain communication and control even when individual malicious domains are blocked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker compromises a host within the network, potentially through unpatched vulnerabilities or social engineering.\u003c/li\u003e\n\u003cli\u003eMalware is deployed on the compromised host. 
This malware contains a DGA.\u003c/li\u003e\n\u003cli\u003eThe malware uses the DGA to generate a list of potential domain names.\u003c/li\u003e\n\u003cli\u003eThe compromised host initiates DNS requests to resolve the generated domain names.\u003c/li\u003e\n\u003cli\u003eThe DNS requests are sent to internal or external DNS servers.\u003c/li\u003e\n\u003cli\u003eThe machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e analyzes the DNS requests, specifically looking for source IPs with a high aggregate probability of generating DGA domains.\u003c/li\u003e\n\u003cli\u003eIf the anomaly score exceeds the threshold (70), an alert is triggered.\u003c/li\u003e\n\u003cli\u003eThe malware successfully establishes a C2 channel with a dynamically generated domain, enabling further malicious activities such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of DGA-based command and control can lead to persistent malware infections, data exfiltration, and further compromise of systems within the network. While the severity is rated low, the potential impact can escalate quickly if the C2 channel is used for more damaging activities. 
This detection focuses on identifying potential DGA activity, enabling security teams to investigate and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the DGA Detection integration is installed and properly configured, including the machine learning job \u003ccode\u003edga_high_sum_probability_ea\u003c/code\u003e (references: \u003ca href=\"https://docs.elastic.co/en/integrations/dga\"\u003eElastic DGA Detection documentation\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003eprebuilt ML jobs\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eVerify that DNS events are being collected by Elastic Defend, Network Packet Capture, or Packetbeat and that the data view used by the machine learning job includes these events (references: \u003ca href=\"https://docs.elastic.co/en/integrations/endpoint\"\u003eElastic Defend\u003c/a\u003e, \u003ca href=\"https://docs.elastic.co/integrations/network_traffic\"\u003eNetwork Packet Capture\u003c/a\u003e, \u003ca href=\"https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-overview.html\"\u003ePacketbeat\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (currently 70) in the machine learning job based on your environment to reduce false positives and ensure timely detection of DGA activity.\u003c/li\u003e\n\u003cli\u003eReview and implement the triage and analysis steps outlined in the rule\u0026rsquo;s note section, focusing on identifying the source IP, analyzing DNS request patterns, and cross-referencing domains with threat intelligence feeds.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T15:00:00Z","date_published":"2024-01-09T15:00:00Z","id":"/briefs/2024-01-dga-activity/","summary":"A machine learning job detected potential DGA (domain generation algorithm) activity indicative of malware command and control (C2) channels, 
identifying source IP addresses making DNS requests with a high probability of being DGA-generated, a technique used by adversaries to evade detection.","title":"Potential DGA Activity Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-dga-activity/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access","okta","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert leverages machine learning to identify deviations in IP usage patterns associated with privileged Okta operations, flagging unusual access attempts that could signify privilege escalation or account compromise. It identifies a user performing privileged operations in Okta from an uncommon source IP, potentially indicating account compromise, misuse of administrative privileges, or an attacker leveraging a new network location. The detection rule analyzes Okta logs, specifically focusing on events related to privileged operations and source IP addresses, to establish baseline behavior and detect anomalies. This detection is important because Okta controls access to many downstream applications, and any compromise of Okta privileges can lead to widespread data breaches. The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. 
The minimum stack version is 9.4.0\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to a valid user account through phishing, credential stuffing, or other means (T1078, T1078.004).\u003c/li\u003e\n\u003cli\u003eThe adversary leverages the compromised account to authenticate to Okta, potentially bypassing or circumventing MFA.\u003c/li\u003e\n\u003cli\u003eThe adversary attempts to perform privileged operations within Okta, such as modifying user permissions, accessing sensitive applications, or changing security settings.\u003c/li\u003e\n\u003cli\u003eOkta logs record the privileged operation attempt, including the source IP address of the request.\u003c/li\u003e\n\u003cli\u003eThe machine learning job analyzes the source IP address and compares it to the user\u0026rsquo;s historical access patterns.\u003c/li\u003e\n\u003cli\u003eIf the source IP address is determined to be unusual or rare for the user, the machine learning job generates an anomaly.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Unusual Source IP for Okta Privileged Operations Detected\u0026rdquo; rule triggers based on the anomaly score exceeding a predefined threshold (anomaly_threshold = 75).\u003c/li\u003e\n\u003cli\u003eThe alert triggers, potentially leading to account takeover, data exfiltration, or further privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive applications and data managed by Okta. This can result in data breaches, financial loss, reputational damage, and legal liabilities. Since Okta is a widely used identity management service, a compromise can impact numerous downstream applications and services that rely on Okta for authentication and authorization. 
The number of affected users and systems can vary depending on the scope of the privileged access and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Privileged Access Detection integration assets, as well as Okta logs collected by integrations such as Okta, as described in the \u0026ldquo;Setup\u0026rdquo; section of the rule to enable the machine learning job.\u003c/li\u003e\n\u003cli\u003eReview the source IP address flagged by the alert to determine its geolocation and assess if it aligns with the user\u0026rsquo;s typical access patterns or known locations, as described in the rule\u0026rsquo;s \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e parameter in the machine learning job based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eCorrelate the flagged IP address with any known threat intelligence feeds to check for any history of malicious activity associated with it, as described in the rule\u0026rsquo;s \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T10:00:00Z","date_published":"2024-01-09T10:00:00Z","id":"/briefs/2024-01-okta-unusual-ip/","summary":"A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity indicative of account compromise or privilege escalation.","title":"Unusual Source IP for Okta Privileged Operations Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-unusual-ip/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","machine-learning","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert originates 
from a machine learning job designed to detect anomalous command-line activity on Linux systems. Specifically, it focuses on identifying instances where privileged commands are executed with unusually high entropy. High entropy in command lines often signifies obfuscation, which threat actors use to mask their activities and evade detection. This rule leverages the Privileged Access Detection (PAD) integration from Elastic to identify these anomalies. The PAD integration requires Linux logs collected by Elastic Defend or Sysmon Linux. The detection logic analyzes command lines associated with privileged commands, flagging those with a high degree of randomness or complexity. This can indicate unauthorized use of valid accounts (T1078) or attempts at privilege escalation, especially if combined with defense evasion techniques (T1027) such as obfuscating commands. The rule and associated ML job have been in production since Feb 2025 and require Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Linux system, potentially through a compromised account or vulnerability exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies privileged commands they need to execute to achieve their objectives, such as gaining root access or modifying sensitive files.\u003c/li\u003e\n\u003cli\u003eTo evade detection, the attacker obfuscates their commands using techniques like encoding, compression, or complex string manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the obfuscated privileged commands via the command line.\u003c/li\u003e\n\u003cli\u003eElastic Defend or Sysmon Linux captures the command-line activity and logs it to Elasticsearch.\u003c/li\u003e\n\u003cli\u003eThe Privileged Access Detection ML job analyzes the command lines and calculates their entropy.\u003c/li\u003e\n\u003cli\u003eIf the entropy exceeds a 
predefined threshold, the ML job flags the activity as anomalous and generates an alert.\u003c/li\u003e\n\u003cli\u003eSecurity analysts investigate the alert to determine the nature of the suspicious activity and take appropriate action.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation can grant an attacker complete control over a Linux system, allowing them to steal sensitive data, install malware, or disrupt critical services. While this rule itself triggers on unusual command line activity, the underlying behavior could lead to a full system compromise. The number of potential victims is directly related to the scope of the Linux environment being monitored. Sectors commonly targeted by privilege escalation attacks include technology, finance, and government.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Privileged Access Detection integration and ensure that Linux logs from Elastic Defend or Sysmon Linux are being ingested (Setup section).\u003c/li\u003e\n\u003cli\u003eReview and tune the machine learning job \u003ccode\u003epad_linux_high_median_process_command_line_entropy_by_user_ea\u003c/code\u003e to minimize false positives based on your environment (False positive analysis section in rule).\u003c/li\u003e\n\u003cli\u003eCreate a case management workflow triggered by the \u0026ldquo;High Command Line Entropy Detected for Privileged Commands\u0026rdquo; rule to ensure alerts are promptly investigated.\u003c/li\u003e\n\u003cli\u003eImplement the remediation steps outlined in the investigation guide to contain and eradicate any confirmed malicious activity (Response and remediation section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:30:00Z","date_published":"2024-01-03T15:30:00Z","id":"/briefs/2024-01-high-command-line-entropy/","summary":"A machine learning job has identified 
an unusually high median command line entropy for privileged commands executed by a user on Linux systems, suggesting possible privileged access activity through command lines, indicating potential obfuscation or unauthorized use of privileged access.","title":"High Command Line Entropy Detected for Privileged Commands on Linux","url":"https://feed.craftedsignal.io/briefs/2024-01-high-command-line-entropy/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning","elastic"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief focuses on a detection rule from Elastic\u0026rsquo;s Lateral Movement Detection (LMD) integration that utilizes machine learning to identify unusual remote file transfers. The rule, \u0026ldquo;Unusual Remote File Extension,\u0026rdquo; is designed to detect anomalies in file transfers, specifically those involving rare file extensions, which could be indicative of lateral movement within a network. This rule leverages the \u003ccode\u003elmd_rare_file_extension_remote_transfer_ea\u003c/code\u003e machine learning job ID. The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration. 
The rule operates by analyzing \u003ccode\u003ehost.ip\u003c/code\u003e and detecting anomalies in file transfers, where host IP collection needs to be enabled on Elastic Defend versions 8.18 and above.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to move laterally to other systems using remote services like RDP or SMB.\u003c/li\u003e\n\u003cli\u003eAs part of the lateral movement, the attacker transfers tools or files to the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a rare or uncommon file extension for the transferred files, potentially to evade detection based on known file types.\u003c/li\u003e\n\u003cli\u003eThe file transfer occurs over the network, triggering file event logs on the source and destination systems.\u003c/li\u003e\n\u003cli\u003eElastic Defend, with host IP collection enabled, monitors these file events and forwards the data to the Elastic Security platform.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Unusual Remote File Extension\u0026rdquo; machine learning job identifies the transfer of a file with a rare extension, comparing it against historical data.\u003c/li\u003e\n\u003cli\u003eIf the file extension is deemed anomalous based on its rarity, the rule triggers, indicating potential lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack can allow an adversary to gain access to sensitive data, critical systems, or privileged accounts. By using uncommon file extensions, attackers attempt to bypass security measures that rely on identifying known file types. This can lead to undetected malware deployment, data exfiltration, or further compromise of the network. 
Though this rule is of low severity, it can provide an early warning signal to stop an attack before greater damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u003ccode\u003ehost.ip\u003c/code\u003e field within Elastic Defend configurations (versions 8.18 and above) to ensure proper data collection for the machine learning job.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets within Kibana as per the provided setup instructions to activate the \u0026ldquo;Unusual Remote File Extension\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job to reduce false positives, considering your organization\u0026rsquo;s typical file transfer patterns.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Detect Remote File Extension Transfer\u0026rdquo; Sigma rule to identify file transfers with rare extensions using process creation logs.\u003c/li\u003e\n\u003cli\u003eReview the triage and analysis steps in the rule\u0026rsquo;s documentation to effectively investigate and respond to triggered alerts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-unusual-remote-file-extension/","summary":"An Elastic machine learning rule detects unusual remote file transfers with rare extensions, potentially indicating lateral movement activity on a host and suggesting adversaries bypassing security measures.","title":"Unusual Remote File Extension Detected via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-03-unusual-remote-file-extension/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","machine-learning","endpoint"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis brief addresses a machine learning 
detection identifying anomalous data transfer volumes to external devices. The Elastic Data Exfiltration Detection integration includes a prebuilt machine learning job, \u003ccode\u003eded_high_bytes_written_to_external_device_ea\u003c/code\u003e, designed to detect spikes in data written to external devices. This behavior is considered anomalous because typical operational settings usually exhibit predictable patterns or ranges of data transfer to external storage. The detection is triggered when the amount of data written significantly deviates from the established baseline, potentially signaling unauthorized data copying or exfiltration attempts. This detection focuses on identifying abnormalities, providing an alert for investigation of possible illicit data transfer activities. The integration requires the Elastic Defend integration to collect file events.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system via compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker uses their access to locate and stage sensitive data for exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker connects an external storage device, such as a USB drive, to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a large data transfer operation, copying the staged data to the external device.\u003c/li\u003e\n\u003cli\u003eElastic Defend monitors file events and detects a significant increase in bytes written to the external device.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eded_high_bytes_written_to_external_device_ea\u003c/code\u003e machine learning job identifies the unusual data transfer volume.\u003c/li\u003e\n\u003cli\u003eAn alert is triggered based on the anomaly threshold defined in the Data Exfiltration Detection rule.\u003c/li\u003e\n\u003cli\u003eThe attacker removes the external device, completing 
the exfiltration of the sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exfiltration of data to external devices can lead to significant data breaches. The impact varies depending on the sensitivity and volume of the data stolen. This activity can result in financial losses, reputational damage, legal repercussions, and compromise of intellectual property. While the specific number of affected organizations is unknown, any organization that allows the use of external storage devices is potentially vulnerable. This issue poses a risk across various sectors, particularly those handling sensitive data, such as finance, healthcare, and technology.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall the Data Exfiltration Detection integration and configure the preconfigured anomaly detection jobs as described in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eReview and tune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e (currently set to 75) based on your environment\u0026rsquo;s baseline data transfer patterns to reduce false positives.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions to enhance visibility and control over data movements to external devices as mentioned in the \u0026ldquo;Response and remediation\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eCreate exceptions for known backup operations, software updates, and data archiving processes that may trigger false positives, referencing the \u0026ldquo;False positive analysis\u0026rdquo; section of the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement additional monitoring on similar devices and network segments to detect any further anomalous data transfer activities, based on the 
rule\u0026rsquo;s description and \u0026ldquo;Response and remediation\u0026rdquo; section of the \u003ccode\u003enote\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-exfiltration-ml-high-bytes/","summary":"A machine learning job has detected high bytes of data written to an external device, potentially indicating illicit data copying or transfer activities leading to data exfiltration over a physical medium such as USB.","title":"Machine Learning Detects High Bytes Written to External Device","url":"https://feed.craftedsignal.io/briefs/2024-01-exfiltration-ml-high-bytes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["okta","privilege-escalation","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert focuses on detecting potential privilege escalation attempts within Okta environments. The Elastic Security prebuilt machine learning job \u003ccode\u003epad_okta_spike_in_group_privilege_changes_ea\u003c/code\u003e identifies unusual spikes in Okta group privilege change events. Attackers may add themselves or compromised accounts to high-privilege groups to gain unauthorized access and persist within the environment. This activity can lead to significant data breaches, system compromise, and long-term persistence. The rule leverages Elastic\u0026rsquo;s Anomaly Detection feature. 
This detection is particularly relevant for organizations heavily reliant on Okta for identity and access management, especially those with sensitive data or critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a low-privilege user account through phishing or credential stuffing.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into Okta using the compromised credentials, bypassing MFA if possible.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to add the compromised account to a high-privilege Okta group, such as \u0026ldquo;Administrators\u0026rdquo; or \u0026ldquo;Security Admins.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eOkta logs an event indicating a group privilege change for the compromised account.\u003c/li\u003e\n\u003cli\u003eThe machine learning job \u003ccode\u003epad_okta_spike_in_group_privilege_changes_ea\u003c/code\u003e detects a statistically significant spike in these group privilege change events.\u003c/li\u003e\n\u003cli\u003eThe attacker gains elevated privileges within Okta and connected applications.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly acquired privileges to access sensitive data or modify critical system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating new administrative accounts or modifying existing account permissions, ensuring continued access even if the initial compromised account is discovered.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful privilege escalation attack in Okta can have severe consequences. Attackers can gain complete control over the Okta environment, leading to unauthorized access to all connected applications and systems. This can result in data breaches, financial losses, and reputational damage. 
The number of affected users and systems depends on the scope of the attacker\u0026rsquo;s access and the sensitivity of the data stored within the connected applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Spike in Group Privilege Change Events\u0026rdquo; machine learning job in your Elastic Security environment and tune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e for your specific Okta usage patterns (references: \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003eElastic ML Jobs\u003c/a\u003e, \u003ca href=\"https://docs.elastic.co/en/integrations/pad\"\u003ePrivileged Access Detection Setup\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the machine learning job, focusing on identifying the accounts involved in the privilege changes, the source IP addresses, and the affected groups (reference: Investigation Guide section in the content).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all Okta users, especially those with administrative privileges, to prevent account compromise (reference: remediation steps in the content).\u003c/li\u003e\n\u003cli\u003eReview and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future privilege escalation (reference: remediation steps in the content).\u003c/li\u003e\n\u003cli\u003eEnable Okta integration and collect Okta logs in Elastic Agent policy (reference: \u003ca href=\"https://docs.elastic.co/en/integrations/okta\"\u003eOkta integration\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;Okta Suspicious Group Membership Changes\u0026rdquo; to detect specific patterns of malicious group modifications, and tune for your 
environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-okta-group-privilege-spike/","summary":"A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity where attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence.","title":"Okta Group Privilege Change Spike via ML Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-group-privilege-spike/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["endpoint","windows","defense evasion","machine learning","lolbins"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA machine learning (ML) rule has identified unusual process execution on a Windows endpoint. This detection leverages two ML models from the Elastic ProblemChild integration: a supervised model that predicts malicious processes and an unsupervised model that identifies processes anomalous to the user\u0026rsquo;s typical behavior. The rule focuses on detecting defense evasion tactics, specifically the potential use of Living-off-the-Land Binaries (LOLbins) or masquerading techniques, which can be difficult to detect with traditional signature-based methods. This detection uses data from the Elastic Endpoint or Winlogbeat and requires the Living off the Land (LotL) Attack Detection integration assets to be installed. 
This rule was last updated April 1, 2026 and requires Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through an existing user account.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a standard Windows process (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker leverages LOLbins to perform malicious actions, blending in with legitimate system activity.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker renames or moves malicious tools to mimic legitimate system files.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker attempts to escalate privileges using the compromised process.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker uses the compromised process to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The process establishes a connection to a command and control server for further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, system compromise, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using these techniques can lead to a full system compromise, data theft, or the installation of persistent backdoors. The use of LOLbins makes detection difficult, potentially allowing attackers to operate undetected for extended periods. The impact is amplified by the potential for lateral movement to other systems within the network. 
While the severity is rated \u0026ldquo;low\u0026rdquo;, successful exploitation allows attackers to move laterally and establish persistence in the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as detailed in the rule setup (Elastic Defend or Winlogbeat).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Unusual Process Spawned by a User\u0026rdquo; rule (rule_id: 40155ee4-1e6a-4e4d-a63b-e8ba16980cfb) to determine the legitimacy of the flagged process.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (anomaly_threshold: 75) based on your environment to reduce false positives, as mentioned in the rule parameters.\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False positive analysis\u0026rdquo; section in the rule\u0026rsquo;s note for guidance on identifying and excluding legitimate processes.\u003c/li\u003e\n\u003cli\u003eComplement the ML rule with a Sigma rule that detects unusual command line arguments associated with LOLBins.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-rare-process-user/","summary":"A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques like masquerading or the use of LOLbins.","title":"Unusual Process Spawned by a User Detected by Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","lolbin","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection leverages 
the ProblemChild supervised machine learning model to identify unusual Windows processes that may be indicative of defense evasion tactics. The model flags processes that are both statistically unusual for a given host and predicted to be suspicious based on their characteristics. This approach aims to detect Living off the Land (LotL) attacks, where adversaries use legitimate system binaries (LOLbins) to evade traditional signature-based detection methods. The rule specifically targets processes observed on hosts that do not commonly exhibit malicious behavior. The alert requires Elastic\u0026rsquo;s Living off the Land (LotL) Attack Detection integration assets to be installed, processing Windows process events collected by Elastic Defend or Winlogbeat. This detection rule was last updated on 2026-04-01 and requires Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn adversary gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a LOLbin (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e) to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe LOLbin spawns a child process to perform a specific task, such as downloading a file or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe spawned process exhibits characteristics flagged as suspicious by the ProblemChild ML model.\u003c/li\u003e\n\u003cli\u003eThe suspicious process attempts to evade detection by masquerading as a legitimate system process or by obfuscating its activity.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the process to establish persistence, escalate privileges, or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to exfiltrate sensitive data, deploy ransomware, or disrupt business 
operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful defense evasion attack can allow adversaries to operate undetected within a network, leading to data breaches, financial losses, and reputational damage. The use of LOLbins makes it difficult to distinguish malicious activity from legitimate system operations. This detection rule aims to reduce the dwell time of attackers by identifying suspicious processes early in the attack chain, even if they are using legitimate tools. False positives may occur due to routine administrative tasks, software updates, or custom scripts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as described in the rule\u0026rsquo;s \u0026ldquo;Setup\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eVerify that Windows process events are being collected by Elastic Defend or Winlogbeat, as required by the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy a Sigma rule that detects unusual process spawns, tuning its \u003ccode\u003eImage|endswith\u003c/code\u003e and \u003ccode\u003eCommandLine|contains\u003c/code\u003e conditions for your specific environment.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide provided in the rule description to triage and analyze potential false positives.\u003c/li\u003e\n\u003cli\u003eAdjust the \u003ccode\u003eanomaly_threshold\u003c/code\u003e (currently 75) in the Elastic detection rule based on your environment\u0026rsquo;s baseline to reduce noise.\u003c/li\u003e\n\u003cli\u003eMonitor for MITRE ATT\u0026amp;CK Technique T1218 (System Binary Proxy Execution) to identify potential LOLbin 
abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-problemchild-rare-process/","summary":"The ProblemChild machine learning model detected a rare Windows process indicative of defense evasion, potentially involving LOLbins, on a host not commonly associated with malicious activity.","title":"ProblemChild ML Model Detects Unusual Process on Windows Host","url":"https://feed.craftedsignal.io/briefs/2024-01-03-problemchild-rare-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","machine-learning","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert leverages Elastic\u0026rsquo;s machine learning capabilities to identify anomalous network activity related to privileged operations in Windows. Specifically, it flags instances where a user performs privileged actions from a source IP address that is not typically associated with their account. The detection rule, \u003ccode\u003eUnusual Source IP for Windows Privileged Operations Detected\u003c/code\u003e, is triggered by the \u003ccode\u003epad_windows_rare_source_ip_by_user_ea\u003c/code\u003e machine learning job. The underlying machine learning model analyzes network patterns and user behavior to detect deviations from established baselines. Such deviations can indicate account compromise, insider threat activity, or attackers leveraging new network locations for privilege escalation within a Windows environment. 
This detection is enabled through the Privileged Access Detection integration assets within Elastic Security, supporting deployments of Elastic Defend and the Windows integration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access (TA0001):\u003c/strong\u003e An attacker gains initial access to a user account through credential compromise or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (TA0004):\u003c/strong\u003e The attacker attempts to escalate privileges using the compromised account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnusual Network Location:\u003c/strong\u003e The attacker leverages a VPN, proxy, or compromised host in a different network segment to conduct privileged operations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eWindows Privileged Operation:\u003c/strong\u003e The attacker performs a privileged action on a Windows system, such as modifying system files, creating new accounts, or accessing sensitive data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eML Anomaly Detection:\u003c/strong\u003e Elastic\u0026rsquo;s machine learning job \u003ccode\u003epad_windows_rare_source_ip_by_user_ea\u003c/code\u003e detects the unusual source IP for the privileged operation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAlert Triggered:\u003c/strong\u003e The \u0026ldquo;Unusual Source IP for Windows Privileged Operations Detected\u0026rdquo; rule triggers an alert in Elastic Security.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePotential Lateral Movement:\u003c/strong\u003e If successful, the attacker can use the elevated privileges to move laterally within the network and compromise other systems.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Impact:\u003c/strong\u003e The attacker achieves their final objective, such as data exfiltration, system disruption, or ransomware deployment, 
leveraging the escalated privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation and privilege escalation can allow an attacker to move laterally through the network, access sensitive data, and disrupt critical systems. While the alert itself is low severity, the underlying activity can lead to significant damage if not addressed promptly. The rule\u0026rsquo;s risk score is 21, consistent with its low severity rating. Affected organizations may experience data breaches, financial loss, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview and tune the machine learning job \u003ccode\u003epad_windows_rare_source_ip_by_user_ea\u003c/code\u003e to reduce false positives and ensure accurate detection of anomalous activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the \u0026ldquo;Unusual Source IP for Windows Privileged Operations Detected\u0026rdquo; rule, focusing on identifying the root cause of the unusual source IP and the nature of the privileged operations performed.\u003c/li\u003e\n\u003cli\u003eImplement the setup steps outlined in the rule documentation to ensure proper collection and ingestion of Windows events required for the machine learning job to function correctly.\u003c/li\u003e\n\u003cli\u003eCorrelate the alerts with other security events or logs, such as firewall logs, VPN logs, or endpoint security alerts, to gather additional context about the source IP and user activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T15:00:00Z","date_published":"2024-01-02T15:00:00Z","id":"/briefs/2024-01-unusual-source-ip-privileged-ops/","summary":"A machine learning job detected a user performing privileged operations in Windows from an uncommon source IP, potentially indicating account compromise or privilege escalation.","title":"Unusual Source IP 
for Windows Privileged Operations Detected via ML","url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-source-ip-privileged-ops/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["data-exfiltration","machine-learning","elastic-defend"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies unusual processes writing data to external devices, a tactic often used by malicious actors to exfiltrate data while masking their activities with seemingly benign processes. The detection leverages machine learning to identify deviations from typical behavior patterns, specifically focusing on processes that have no legitimate reason to write data to external devices. The rule relies on the \u0026ldquo;ded_rare_process_writing_to_external_device_ea\u0026rdquo; machine learning job from the Elastic Data Exfiltration Detection integration, version 9.4.0 or later. The rule analyzes file events collected by integrations such as Elastic Defend and Network Packet Capture. 
This detection is important because it can uncover exfiltration attempts that might otherwise go unnoticed due to the use of legitimate-looking processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the system, potentially using scheduled tasks or autorun keys.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies sensitive data on the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker copies the sensitive data to a staging directory.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a renamed or masqueraded legitimate process (e.g., \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e) to write the staged data to an external device connected to the system.\u003c/li\u003e\n\u003cli\u003eThe system\u0026rsquo;s file events are monitored by Elastic Defend, capturing the process writing data to the external device.\u003c/li\u003e\n\u003cli\u003eThe Elastic Data Exfiltration Detection integration analyzes the file events and identifies the process as rare or unusual for writing to external devices.\u003c/li\u003e\n\u003cli\u003eThe \u0026ldquo;Unusual Process Writing Data to an External Device\u0026rdquo; rule is triggered, alerting security analysts to the potential exfiltration attempt.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could result in the exfiltration of sensitive data, leading to financial loss, reputational damage, and legal repercussions. While the severity is \u0026ldquo;low,\u0026rdquo; a successful exfiltration can have significant consequences. 
The number of victims and the specific sectors targeted depend on the attacker\u0026rsquo;s objectives and the compromised system\u0026rsquo;s access to sensitive information.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall and configure the Data Exfiltration Detection integration in Elastic, ensuring the machine learning job \u003ccode\u003eded_rare_process_writing_to_external_device_ea\u003c/code\u003e is enabled, as described in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnable file event collection using Elastic Defend to provide the necessary data for the machine learning job, as detailed in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/install-endpoint.html\"\u003eElastic Defend documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eTune the Elastic detection rule\u0026rsquo;s \u003ccode\u003eanomaly_threshold\u003c/code\u003e based on your environment\u0026rsquo;s baseline behavior to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, following the \u003ca href=\"https://www.elastic.co/blog/detect-data-exfiltration-activity-with-kibanas-new-integration\"\u003etriage and analysis guidance\u003c/a\u003e to determine the legitimacy of the activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-rare-process-exfiltration/","summary":"A machine learning job detects a rare process writing data to an external device, potentially indicating data exfiltration masked by benign-looking processes.","title":"Unusual Process Writing Data to an External Device via Machine 
Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-rare-process-exfiltration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["lateral-movement","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe \u0026ldquo;Spike in Remote File Transfers\u0026rdquo; detection identifies potential lateral movement activity within a network by monitoring for unusual volumes of remote file transfers. Attackers often aim to locate and exfiltrate valuable information after gaining initial access. To evade detection, they may attempt to mimic normal egress activity through numerous small transfers. This detection leverages machine learning to establish a baseline of normal transfer activity and identify deviations that may indicate malicious behavior. The rule requires the Lateral Movement Detection integration assets to be installed. For Elastic Defend events on versions 8.18 and above, \u003ccode\u003ehost.ip\u003c/code\u003e collection must be enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a host within the network through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eInternal Reconnaissance: The attacker performs internal reconnaissance to identify valuable data and potential target systems.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses stolen credentials or exploits remote services (T1210) to gain access to other systems on the network.\u003c/li\u003e\n\u003cli\u003eTool Transfer: The attacker transfers malicious tools or scripts (T1570) to the compromised systems to facilitate further actions.\u003c/li\u003e\n\u003cli\u003eData Collection: The attacker gathers sensitive data from the compromised systems.\u003c/li\u003e\n\u003cli\u003eEgress Activity: The attacker initiates numerous small remote file 
transfers, attempting to blend in with normal network traffic.\u003c/li\u003e\n\u003cli\u003eData Exfiltration: The attacker exfiltrates the stolen data to an external location.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful lateral movement attack involving anomalous file transfers can lead to data exfiltration, intellectual property theft, and reputational damage. Even though the severity is low, undetected lateral movement can escalate quickly into high severity incidents like ransomware or data breaches. This detection focuses on the early stages of lateral movement, allowing security teams to respond before significant damage occurs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure host IP collection is enabled in Elastic Defend configurations, following the steps in the \u003ca href=\"https://www.elastic.co/docs/solutions/security/configure-elastic-defend/configure-data-volume-for-elastic-endpoint#host-fields\"\u003ehelper guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInstall the Lateral Movement Detection integration assets as described in the setup instructions in the rule documentation.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Spike in Remote File Transfers\u0026rdquo; rule, paying close attention to the source and destination of the file transfers.\u003c/li\u003e\n\u003cli\u003eReview authentication logs for signs of compromised accounts, such as unusual login times or locations, as described in the rule\u0026rsquo;s triage notes.\u003c/li\u003e\n\u003cli\u003eTune the machine learning job\u0026rsquo;s anomaly threshold based on your environment\u0026rsquo;s baseline activity and false positive analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-spike-remote-file-transfers/","summary":"A 
machine learning job detects an abnormal volume of remote file transfers, potentially indicating lateral movement by attackers attempting to blend in with normal network egress activity.","title":"Spike in Remote File Transfers via Lateral Movement","url":"https://feed.craftedsignal.io/briefs/2024-01-spike-remote-file-transfers/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["privileged-access-detection","okta","machine-learning","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert identifies potentially malicious Okta activity based on unusual host names associated with privileged operations. The Elastic prebuilt machine learning job \u003ccode\u003epad_okta_rare_host_name_by_user_ea\u003c/code\u003e analyzes Okta logs to detect anomalies in device usage, specifically focusing on unusual host names. This activity could indicate a compromised user account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges within the Okta environment. This detection is part of the Privileged Access Detection (PAD) integration, designed to identify abnormalities across Windows, Linux, and Okta events, starting with Elastic Stack version 9.4.0. 
Defenders should investigate users exhibiting this behavior to determine the legitimacy of the access and the device being used.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to an Okta user\u0026rsquo;s credentials, for example through phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to Okta using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to perform privileged operations within Okta (e.g., modifying user permissions, accessing sensitive applications).\u003c/li\u003e\n\u003cli\u003eThe attacker uses a device whose host name is uncommon for the compromised user.\u003c/li\u003e\n\u003cli\u003eOkta logs the privileged operation and the associated host name.\u003c/li\u003e\n\u003cli\u003eElastic\u0026rsquo;s machine learning job, \u003ccode\u003epad_okta_rare_host_name_by_user_ea\u003c/code\u003e, detects the unusual host name based on historical data.\u003c/li\u003e\n\u003cli\u003eA security alert is generated, indicating potential privileged access from an unusual host.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Okta environment, potentially gaining access to sensitive resources or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive applications and data managed by Okta. The potential impact includes data breaches, financial loss, and reputational damage. While the rule severity is low, successful privilege escalation can significantly increase the attacker\u0026rsquo;s access and control, impacting all applications and services integrated with Okta. 
The exact number of potential victims varies depending on the organization\u0026rsquo;s size and the scope of Okta\u0026rsquo;s usage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Privileged Access Detection integration assets are installed and configured properly as per the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003eofficial Elastic documentation\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts from the \u003ccode\u003epad_okta_rare_host_name_by_user_ea\u003c/code\u003e machine learning job by reviewing user login history, device usage patterns, and associated IP addresses as outlined in the rule\u0026rsquo;s \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all privileged accounts to add an additional layer of security as mentioned in the \u0026ldquo;Response and remediation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eEnable Okta integration and configure the Fleet agent policy according to the \u003ca href=\"https://docs.elastic.co/en/integrations/okta\"\u003eElastic documentation\u003c/a\u003e to ensure proper data collection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-okta-unusual-hostname/","summary":"A machine learning job detected a user performing privileged operations in Okta from an uncommon device, potentially indicating a compromised account or insider threat attempting privilege escalation.","title":"Okta Privileged Operations from Unusual Host Name Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-okta-unusual-hostname/"}],"language":"en","title":"CraftedSignal Threat Feed — Machine Learning","version":"https://jsonfeed.org/version/1.1"}
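
The briefs in this feed all describe the same mechanism: a baseline window is learned, then each user or host is scored for deviation from it, either because a value (source IP, host name, writing process) is rare for that entity or because a volume (bytes written, remote file transfers, group changes) spikes above that entity's norm. The Python below is an added example, not code from Elastic or from any of the ML jobs named above; it reproduces both ideas with plain statistics over constructed events so the assumptions behind such detections (bucket size, deviation threshold, what happens when an entity has no baseline) are visible and can be reasoned about during triage. The event schema, the 15-minute bucket, k=3 and the sigma floor are assumptions chosen for the example.

```python
"""Baseline-then-deviation checks of the kind the briefs above describe.

Added illustration, not Elastic's ML job code. Two checks:
  * rarity per entity: a (user, source.ip) pair unseen in the baseline window
    (the "rare source IP / host name / process by user" family of jobs);
  * spike per entity: a 15-minute bucket whose byte total exceeds the user's
    baseline mean by k standard deviations (the "spike" / "high bytes" family).
All events are constructed; bucket size, k and the sigma floor are assumptions.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    source_ip: str
    bytes_written: int


def _t(minutes: int) -> datetime:
    """Minutes after a fixed start time, to keep the constructed sample readable."""
    return datetime(2024, 1, 2, 0, 0) + timedelta(minutes=minutes)


# Constructed baseline (two hours, eight 15-minute buckets per user): each user
# writes a small, steady amount from one workstation address.
BASELINE: list[Event] = (
    [Event(_t(15 * i), "alice", "10.0.1.10", 2_000 + 100 * (i % 3)) for i in range(8)]
    + [Event(_t(15 * i), "bob", "10.0.1.20", 1_500 + 50 * (i % 2)) for i in range(8)]
)

# Constructed current window: alice as usual; bob from an address never seen for
# him, writing two orders of magnitude more than his baseline.
CURRENT: list[Event] = [
    Event(_t(120), "alice", "10.0.1.10", 2_100),
    Event(_t(120), "bob", "198.51.100.7", 250_000),
    Event(_t(121), "bob", "198.51.100.7", 240_000),
]


def rare_by_entity(baseline, current, min_seen=2):
    """Events in `current` whose (user, source.ip) pair was seen < min_seen times in baseline."""
    seen = Counter((e.user, e.source_ip) for e in baseline)
    return [e for e in current if seen[(e.user, e.source_ip)] < min_seen]


def bucket_sums(events, bucket_minutes=15):
    """Total bytes_written per (user, bucket start); bucket_minutes must divide 60."""
    sums = defaultdict(int)
    for e in events:
        start = e.ts.replace(minute=(e.ts.minute // bucket_minutes) * bucket_minutes,
                             second=0, microsecond=0)
        sums[(e.user, start)] += e.bytes_written
    return sums


def spikes(baseline, current, k=3.0, bucket_minutes=15):
    """(user, bucket, total, threshold) for current buckets above the user's baseline band.

    The sigma floor (5% of the mean) stops a perfectly flat baseline from
    producing a zero-width band that flags every tiny fluctuation. A user with
    no baseline at all is returned with threshold None: nothing can score them,
    so a human has to decide.
    """
    history = defaultdict(list)
    for (user, _), total in bucket_sums(baseline, bucket_minutes).items():
        history[user].append(total)
    flagged = []
    for (user, start), total in sorted(bucket_sums(current, bucket_minutes).items()):
        if user not in history:
            flagged.append((user, start, total, None))
            continue
        mu, sigma = mean(history[user]), pstdev(history[user])
        threshold = mu + k * max(sigma, 0.05 * mu)
        if total > threshold:
            flagged.append((user, start, total, threshold))
    return flagged


def triage(baseline, current):
    """Per-user reasons from both checks; users hit by both go to the top of the queue.

    Backups, updates and media creation (the false positives the briefs warn
    about) usually trip only the spike check from a known address, so the
    rarity hit is what separates bob from a scheduled backup.
    """
    reasons = defaultdict(set)
    for e in rare_by_entity(baseline, current):
        reasons[e.user].add(f"rare source.ip {e.source_ip}")
    for user, start, total, _ in spikes(baseline, current):
        reasons[user].add(f"spike {total} bytes in bucket {start:%H:%M}")
    return {user: sorted(r) for user, r in reasons.items()}


if __name__ == "__main__":
    for user, why in triage(BASELINE, CURRENT).items():
        print(user, why)
```

Run as a script it reports only bob, with both a rarity and a spike reason; alice's slightly higher write stays inside her band. The two signals are kept separate on purpose: volume alone is what the briefs say backups and archiving will trip, so an alert corroborated by a never-seen source address (or host name, or writing process) deserves the analyst's attention before a volume-only hit from a known workstation.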