nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_remote_file_size.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral
+movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate
+valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data
+into a single large file transfer.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_file_size_remote_file_transfer"
+name = "Unusual Remote File Size"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "0678bc9c-b71a-433b-87e6-2f664b6b3131"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Remote File Size
+Machine learning models in security environments analyze file transfer patterns to identify anomalies, such as unusually large files shared remotely. Adversaries exploit this by aggregating data into large files to avoid detection during lateral movement. The 'Unusual Remote File Size' rule leverages ML to flag these anomalies, aiding in early detection of potential data exfiltration activities.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific remote host and file size involved in the anomaly.
+- Check the historical file transfer patterns of the identified remote host to determine if this large file size is truly unusual.
+- Investigate the contents and purpose of the large file, if accessible, to assess whether it contains sensitive or valuable information.
+- Analyze network logs to trace the origin and destination of the file transfer, looking for any unauthorized or suspicious connections.
+- Correlate the event with other security alerts or logs to identify any concurrent suspicious activities that might indicate lateral movement or data exfiltration.
+- Verify the user account associated with the file transfer to ensure it has not been compromised or misused.
+
+### False positive analysis
+
+- Large file transfers related to legitimate business operations, such as backups or data migrations, can trigger false positives. Users should identify and whitelist these routine activities to prevent unnecessary alerts.
+- Software updates or patches distributed across the network may also appear as unusually large file transfers. Establishing a baseline for expected file sizes during these updates can help in distinguishing them from potential threats.
+- Remote file sharing services used for collaboration might generate alerts if large files are shared frequently. Monitoring and excluding these services from the rule can reduce false positives.
+- Automated data processing tasks that involve transferring large datasets between systems should be documented and excluded from the rule to avoid false alarms.
+- Regularly review and update the list of known safe hosts and services that are permitted to transfer large files, ensuring that only legitimate activities are excluded from detection.
+
+### Response and remediation
+
+- Isolate the affected host immediately to prevent further lateral movement and potential data exfiltration. Disconnect it from the network to contain the threat.
+- Conduct a thorough analysis of the large file transfer to determine its contents and origin. Verify if sensitive data was included and assess the potential impact.
+- Review and terminate any unauthorized remote sessions or connections identified during the investigation to prevent further exploitation.
+- Reset credentials and review access permissions for the affected host and any associated accounts to mitigate the risk of compromised credentials being used for further attacks.
+- Implement network segmentation to limit the ability of attackers to move laterally within the network, reducing the risk of similar incidents in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to ensure comprehensive remediation actions are taken.
+- Enhance monitoring and logging for unusual file transfer activities and remote access attempts to improve early detection of similar threats in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_high_variance_rdp_session_duration.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected unusually high variance of RDP session duration. Long RDP sessions can be used to
+evade detection mechanisms via session persistence, and might be used to perform tasks such as lateral movement, that
+might require uninterrupted access to a compromised machine.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_var_rdp_session_duration"
+name = "High Variance in RDP Session Duration"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "a8d35ca0-ad8d-48a9-9f6c-553622dca61a"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating High Variance in RDP Session Duration
+
+Remote Desktop Protocol (RDP) enables remote access to systems, facilitating legitimate administrative tasks. However, adversaries exploit prolonged RDP sessions to maintain persistent access, often for lateral movement within networks. The detection rule leverages machine learning to identify anomalies in session duration, flagging potential misuse by highlighting sessions with unusually high variance, which may indicate malicious activity.
+
+### Possible investigation steps
+
+- Review the specific RDP session details, including the start and end times, to understand the duration and identify any patterns or anomalies in session length.
+- Correlate the flagged RDP session with user activity logs to determine if the session aligns with known user behavior or scheduled administrative tasks.
+- Investigate the source and destination IP addresses involved in the RDP session to identify any unusual or unauthorized access points.
+- Check for any concurrent alerts or logs indicating lateral movement or other suspicious activities originating from the same source or targeting the same destination.
+- Analyze the user account associated with the RDP session for any signs of compromise, such as recent password changes, failed login attempts, or unusual access times.
+- Review the network traffic during the RDP session for any signs of data exfiltration or communication with known malicious IP addresses.
+
+### False positive analysis
+
+- Long RDP sessions for legitimate administrative tasks can trigger false positives. To manage this, identify and whitelist IP addresses or user accounts associated with routine administrative activities.
+- Scheduled maintenance or updates often require extended RDP sessions. Exclude these sessions by setting time-based exceptions during known maintenance windows.
+- Automated scripts or tools that require prolonged RDP access for monitoring or data collection can be mistaken for anomalies. Document and exclude these processes by recognizing their unique session patterns.
+- Remote support sessions from trusted third-party vendors may appear as high variance. Establish a list of trusted vendor IPs or accounts to prevent these from being flagged.
+- Training or demonstration sessions that involve extended RDP use should be accounted for by creating exceptions for specific user groups or departments involved in such activities.
+
+### Response and remediation
+
+- Immediately isolate the affected system from the network to prevent further lateral movement and potential data exfiltration.
+- Terminate the suspicious RDP session to disrupt any ongoing unauthorized activities.
+- Conduct a thorough review of the affected system for signs of compromise, including checking for unauthorized user accounts, installed software, and changes to system configurations.
+- Reset credentials for any accounts that were accessed during the suspicious RDP session to prevent further unauthorized access.
+- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited.
+- Monitor network traffic and system logs for any signs of continued or related suspicious activity, focusing on RDP connections and lateral movement patterns.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_directory.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+An anomaly detection job has detected a remote file transfer on an unusual directory indicating a potential lateral
+movement activity on the host. Many Security solutions monitor well-known directories for suspicious activities, so
+attackers might use less common directories to bypass monitoring.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_rare_file_path_remote_transfer"
+name = "Unusual Remote File Directory"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "be4c5aed-90f5-4221-8bd5-7ab3a4334751"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Remote File Directory
+
+The 'Unusual Remote File Directory' detection leverages machine learning to identify atypical file transfers in directories not commonly monitored, which may indicate lateral movement by adversaries. Attackers exploit these less scrutinized paths to evade detection, often using remote services to transfer malicious payloads. This rule flags such anomalies, aiding in early detection of potential breaches.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific unusual directory involved in the file transfer and note any associated file names or types.
+- Check the source and destination IP addresses involved in the transfer to determine if they are known or trusted entities within the network.
+- Investigate the user account associated with the file transfer to verify if the activity aligns with their typical behavior or role within the organization.
+- Examine recent logs or events from the host to identify any other suspicious activities or anomalies that may correlate with the file transfer.
+- Cross-reference the detected activity with known threat intelligence sources to determine if the file transfer or directory is associated with any known malicious campaigns or tactics.
+- Assess the potential impact of the file transfer by evaluating the sensitivity of the data involved and the criticality of the systems affected.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger alerts if they involve file transfers to directories not typically monitored. Users can create exceptions for known administrative activities to prevent unnecessary alerts.
+- Automated backup processes might be flagged if they store files in uncommon directories. Identifying and excluding these backup operations can reduce false positives.
+- Software updates or patches that deploy files to less common directories could be mistaken for suspicious activity. Users should whitelist these update processes to avoid false alerts.
+- Development or testing environments often involve file transfers to non-standard directories. Users can configure exceptions for these environments to minimize false positives.
+- Legitimate remote services used for file transfers, such as cloud storage synchronization, may be flagged. Users should identify and exclude these trusted services from monitoring.
+
+### Response and remediation
+
+- Isolate the affected host immediately to prevent further lateral movement and contain the potential threat. Disconnect it from the network to stop any ongoing malicious activity.
+- Conduct a thorough analysis of the unusual directory and any files transferred to identify malicious payloads. Use endpoint detection and response (EDR) tools to scan for known malware signatures and behaviors.
+- Remove any identified malicious files and artifacts from the affected directory and host. Ensure that all traces of the threat are eradicated to prevent re-infection.
+- Reset credentials and review access permissions for the affected host and any associated accounts to mitigate the risk of unauthorized access. Ensure that least privilege principles are enforced.
+- Monitor network traffic and logs for any signs of further lateral movement or exploitation attempts. Pay special attention to remote service connections and unusual directory access.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional hosts or systems are compromised.
+- Update detection mechanisms and rules to enhance monitoring of less common directories and improve the detection of similar threats in the future."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_rare_remote_file_extension.toml

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+An anomaly detection job has detected a remote file transfer with a rare extension, which could indicate potential
+lateral movement activity on the host.
+"""
+from = "now-90m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_rare_file_extension_remote_transfer"
+name = "Unusual Remote File Extension"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "814d96c7-2068-42aa-ba8e-fe0ddd565e2e"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- File events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Remote File Extension
+
+The detection of unusual remote file extensions leverages machine learning to identify anomalies in file transfers, which may suggest lateral movement by adversaries. Attackers often exploit remote services to transfer files with uncommon extensions, bypassing standard security measures. This rule flags such anomalies, aiding in early detection of potential threats by correlating rare file extensions with known lateral movement tactics.
+
+### Possible investigation steps
+
+- Review the alert details to identify the specific file extension and the source and destination of the file transfer.
+- Check the historical data for the identified file extension to determine if it has been used previously in legitimate activities or if it is indeed rare.
+- Investigate the source host to identify any recent changes or suspicious activities, such as new user accounts or unusual login patterns.
+- Examine the destination host for any signs of compromise or unauthorized access, focusing on recent file modifications or unexpected processes.
+- Correlate the file transfer event with other security alerts or logs to identify potential patterns of lateral movement or exploitation of remote services.
+- Consult threat intelligence sources to determine if the rare file extension is associated with known malware or adversary tactics.
+
+### False positive analysis
+
+- Common internal file transfers with rare extensions may trigger false positives. Review and whitelist known benign file extensions used by internal applications or processes.
+- Automated backup or synchronization tools might use uncommon file extensions. Identify these tools and create exceptions for their typical file extensions to prevent unnecessary alerts.
+- Development environments often generate files with unique extensions. Collaborate with development teams to understand these patterns and exclude them from detection if they are verified as non-threatening.
+- Security tools or scripts that transfer diagnostic or log files with unusual extensions can be mistaken for lateral movement. Document these tools and adjust the rule to ignore their specific file extensions.
+- Regularly review and update the list of excluded extensions to ensure it reflects current operational practices and does not inadvertently allow malicious activity.
+
+### Response and remediation
+
+- Isolate the affected host immediately to prevent further lateral movement and contain the potential threat.
+- Review and terminate any suspicious remote sessions or connections identified on the host to cut off unauthorized access.
+- Conduct a thorough scan of the affected system for malware or unauthorized software that may have been transferred using the unusual file extension.
+- Restore the affected system from a known good backup if any malicious activity or compromise is confirmed.
+- Update and patch all software and systems on the affected host to close any vulnerabilities that may have been exploited.
+- Monitor network traffic for any further unusual file transfers or connections, focusing on rare file extensions and remote service exploitation patterns.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_from_a_source_ip.toml

@@ -0,0 +1,103 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected a high count of destination IPs establishing an RDP connection with a single source
+IP. Once an attacker has gained access to one system, they might attempt to access more in the network in search of
+valuable assets, data, or further access points.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_rdp_distinct_count_destination_ip_for_source"
+name = "Spike in Number of Connections Made from a Source IP"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "3e0561b5-3fac-4461-84cc-19163b9aaa61"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Number of Connections Made from a Source IP
+
+Remote Desktop Protocol (RDP) is a common tool for remote management, but adversaries exploit it for lateral movement within networks. By establishing numerous connections from a single IP, attackers seek to expand their access. This detection rule leverages machine learning to identify unusual spikes in RDP connections, signaling potential unauthorized access attempts, and aids in early threat identification.
+
+### Possible investigation steps
+
+- Review the source IP address to determine if it is a known or trusted entity within the network.
+- Analyze the list of destination IPs to identify any unusual or unauthorized systems being accessed.
+- Check the timestamps of the connections to see if they align with expected activity patterns or occur during unusual hours.
+- Investigate the user account associated with the RDP connections to verify if it has been compromised or is being misused.
+- Correlate the spike in connections with any recent changes or incidents in the network that might explain the activity.
+- Examine network logs and RDP session logs for any signs of suspicious behavior or anomalies during the connection attempts.
+
+### False positive analysis
+
+- Routine administrative tasks can trigger spikes in RDP connections. Regularly scheduled maintenance or software updates may cause a high number of connections from a single IP. To manage this, identify and whitelist IPs associated with known administrative activities.
+- Automated scripts or tools used for network management might establish multiple RDP connections. Review and document these tools, then create exceptions for their IP addresses to prevent false alerts.
+- Load balancers or proxy servers can appear as a single source IP making numerous connections. Verify the network architecture and exclude these IPs from the rule to avoid misidentification.
+- Security scans or vulnerability assessments conducted by internal teams can result in a spike of connections. Coordinate with security teams to recognize these activities and exclude their IPs from triggering the rule.
+- Remote work solutions or VPNs might centralize connections through a single IP, leading to false positives. Identify these IPs and adjust the rule to accommodate legitimate remote access patterns.
+
+### Response and remediation
+
+- Isolate the affected system immediately to prevent further lateral movement within the network. Disconnect it from the network or place it in a quarantine VLAN.
+- Terminate any unauthorized RDP sessions originating from the identified source IP to halt ongoing unauthorized access attempts.
+- Conduct a thorough review of the affected system for signs of compromise, including checking for unauthorized user accounts, changes in system configurations, and the presence of malware or suspicious files.
+- Reset credentials for any accounts accessed via the compromised system to prevent further unauthorized access using stolen credentials.
+- Implement network segmentation to limit RDP access to only necessary systems and users, reducing the attack surface for lateral movement.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
+- Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes, ensuring early detection of future attempts."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+

nldcsc_elastic_rules/rules/integrations/lmd/lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml

@@ -0,0 +1,102 @@
+[metadata]
+creation_date = "2023/10/12"
+integration = ["lmd", "endpoint"]
+maturity = "production"
+updated_date = "2025/01/15"
+
+[rule]
+anomaly_threshold = 70
+author = ["Elastic"]
+description = """
+A machine learning job has detected a high count of source IPs establishing an RDP connection with a single destination
+IP. Attackers might use multiple compromised systems to attack a target to ensure redundancy in case a source IP gets
+detected and blocked.
+"""
+from = "now-12h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "lmd_high_rdp_distinct_count_source_ip_for_destination"
+name = "Spike in Number of Connections Made to a Destination IP"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/lmd",
+    "https://www.elastic.co/blog/detecting-lateral-movement-activity-a-new-kibana-integration",
+    "https://www.elastic.co/blog/remote-desktop-protocol-connections-elastic-security",
+]
+risk_score = 21
+rule_id = "18a5dd9a-e3fa-4996-99b1-ae533b8f27fc"
+setup = """## Setup
+
+The rule requires the Lateral Movement Detection integration assets to be installed, as well as file and Windows RDP process events collected by the Elastic Defend integration.
+
+### Lateral Movement Detection Setup
+The Lateral Movement Detection integration detects lateral movement activity by identifying abnormalities in file and Windows RDP events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Lateral Movement Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows RDP process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+
+#### The following steps should be executed to install assets associated with the Lateral Movement Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Lateral Movement Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Lateral Movement Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Lateral Movement",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Spike in Number of Connections Made to a Destination IP
+
+Remote Desktop Protocol (RDP) is crucial for remote management and troubleshooting in IT environments. However, adversaries exploit RDP by using multiple compromised IPs to overwhelm a target, ensuring persistence even if some IPs are blocked. The detection rule leverages machine learning to identify unusual spikes in RDP connections to a single IP, signaling potential lateral movement attempts by attackers.
+
+### Possible investigation steps
+
+- Review the list of source IPs that have established RDP connections to the destination IP to identify any known malicious or suspicious IP addresses.
+- Check historical data for the destination IP to determine if it has been targeted in previous attacks or if it is a high-value asset within the network.
+- Analyze the timing and frequency of the RDP connections to identify any unusual patterns or spikes that could indicate coordinated activity.
+- Investigate the user accounts associated with the RDP connections to ensure they are legitimate and have not been compromised.
+- Correlate the detected activity with any other security alerts or logs to identify potential lateral movement or further exploitation attempts within the network.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger false positives if multiple IT staff connect to a server for maintenance. Consider creating exceptions for known administrative IPs.
+- Automated scripts or monitoring tools that frequently connect to servers for health checks can cause spikes. Identify and exclude these IPs from the rule.
+- Load balancers or proxy servers that aggregate connections from multiple clients might appear as a spike. Exclude these devices from the detection rule.
+- Scheduled software updates or deployments that require multiple connections to a server can be mistaken for an attack. Whitelist the IPs involved in these processes.
+- Internal network scans or vulnerability assessments conducted by security teams can generate high connection counts. Ensure these activities are recognized and excluded.
+
+### Response and remediation
+
+- Immediately isolate the affected destination IP from the network to prevent further unauthorized RDP connections and potential lateral movement.
+- Conduct a thorough review of the logs and network traffic associated with the destination IP to identify all source IPs involved in the spike and assess the scope of the compromise.
+- Block all identified malicious source IPs at the firewall or network perimeter to prevent further connections to the destination IP.
+- Reset credentials and enforce multi-factor authentication for accounts that were accessed via RDP to mitigate unauthorized access.
+- Perform a security assessment of the affected systems to identify any signs of compromise or unauthorized changes, and restore systems from clean backups if necessary.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or networks are affected.
+- Update and enhance monitoring rules to detect similar patterns of unusual RDP connection spikes in the future, ensuring quick identification and response to potential threats."""
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+