IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Spike in Bytes Sent to an External Device via Airdrop Machine Learning Detected DGA activity using a known SUNBURST DNS domain »

› ›

Unusual Process Writing Data to an External Device

edit

Unusual Process Writing Data to an External Device

edit

A machine learning job has detected a rare process writing data to an external device. Malicious actors often use benign-looking processes to mask their data exfiltration activities. The discovery of such a process that has no legitimate reason to write data to external devices can indicate exfiltration.

Rule type: machine_learning

Rule indices: None

Severity: low

Risk score: 21

Runs every: 15m

Searches indices from: now-2h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Use Case: Data Exfiltration Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Exfiltration

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Exfiltration
- ID: TA0010
- Reference URL: https://attack.mitre.org/tactics/TA0010/
Technique:
- Name: Exfiltration Over Physical Medium
- ID: T1052
- Reference URL: https://attack.mitre.org/techniques/T1052/

« Spike in Bytes Sent to an External Device via Airdrop Machine Learning Detected DGA activity using a known SUNBURST DNS domain »