Elastic Security Detection Rules

Spike in Remote File Transfers

Last updated 7 months ago on 2025-01-15
Created 2 years ago on 2023-10-12

About

A machine learning job has detected an abnormal volume of remote files shared on the host indicating potential lateral movement activity. One of the primary goals of attackers after gaining access to a network is to locate and exfiltrate valuable information. Attackers might perform multiple small transfers to match normal egress activity in the network, to evade detection.
Tags
Use Case: Lateral Movement DetectionRule Type: MLRule Type: Machine LearningTactic: Lateral Movement
Severity
low
Risk Score
21
MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

Exploitation of Remote Services (T1210)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

lmd(opens in a new tab or window)

endpoint(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Spike in Remote File Transfers in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).