Elastic Security Detection Rules

Unusual Remote File Size

Last updated 7 months ago on 2025-01-15
Created 2 years ago on 2023-10-12

About

A machine learning job has detected an unusually high file size shared by a remote host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Instead of multiple small transfers that can raise alarms, attackers might choose to bundle data into a single large file transfer.
Tags
Use Case: Lateral Movement DetectionRule Type: MLRule Type: Machine LearningTactic: Lateral Movement
Severity
low
Risk Score
21
MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

Exploitation of Remote Services (T1210)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

lmd(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Remote File Size in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).