Unusual Windows Process Calling the Metadata Service

Elastic Detection Rules

Summary
The detection rule "Unusual Windows Process Calling the Metadata Service" flags anomalous access to the metadata service by identifying Windows processes that rarely or never contact it. This matters because the metadata service can expose sensitive information such as credentials and configuration to an attacker who reaches it from a compromised host. The rule relies on a machine learning job that models process behavior over a recent window, specifically the past 45 minutes; once the job is set up correctly, the rule raises an alert whenever a process deviates significantly from the established baseline, which may indicate malicious activity. False positives can arise from rarely used but legitimate processes, or from newly installed software performing routine tasks. The rule therefore outlines an investigation process: review the process name and its network connections, and check the user's authority and behavior prior to the alert. If the threat is confirmed, the recommended response includes isolating the system, changing credentials, and escalating the incident to a SOC.
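The baseline-versus-recent-window logic described above, as an added example that is not Elastic's rule or its ML job: plain frequency counting stands in for the anomaly scoring, the connection events and the rarity threshold are constructed for illustration, and the metadata endpoint is assumed to be the link-local address 169.254.169.254 used by the major cloud providers.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumption: the instance metadata service answers on the link-local
# address used by the major cloud providers.
METADATA_IP = "169.254.169.254"
RECENT_WINDOW = timedelta(minutes=45)  # the rule's "past 45 minutes"

# Constructed sample events (timestamp, process name, destination IP);
# not real telemetry. Earlier entries form the history, the last few fall
# inside the recent window relative to NOW.
SAMPLE_EVENTS = [
    ("2020-09-22T08:00:00", "cloud-agent.exe", "169.254.169.254"),
    ("2020-09-22T08:30:00", "config-service.exe", "169.254.169.254"),
    ("2020-09-22T09:00:00", "cloud-agent.exe", "169.254.169.254"),
    ("2020-09-22T10:00:00", "cloud-agent.exe", "169.254.169.254"),
    ("2020-09-22T10:30:00", "config-service.exe", "169.254.169.254"),
    ("2020-09-22T11:00:00", "cloud-agent.exe", "169.254.169.254"),
    ("2020-09-22T12:00:00", "powershell.exe", "169.254.169.254"),
    ("2020-09-22T12:30:00", "config-service.exe", "169.254.169.254"),
    ("2020-09-22T12:45:00", "chrome.exe", "93.184.216.34"),
    ("2020-09-22T13:20:00", "cloud-agent.exe", "169.254.169.254"),
    ("2020-09-22T13:30:00", "powershell.exe", "169.254.169.254"),
    ("2020-09-22T13:40:00", "curl.exe", "169.254.169.254"),
    ("2020-09-22T13:50:00", "chrome.exe", "93.184.216.34"),
]
NOW = datetime.fromisoformat("2020-09-22T14:00:00")


def metadata_calls(events, metadata_ip=METADATA_IP):
    """Yield (timestamp, process) for each event whose destination is the metadata IP.

    Connections to any other destination are ignored, so ordinary web
    traffic never contributes to either the baseline or the alert.
    """
    for ts, proc, dst in events:
        if dst == metadata_ip:
            yield datetime.fromisoformat(ts), proc


def unusual_metadata_callers(events, now, window=RECENT_WINDOW, min_baseline_hits=3):
    """Return [(process, recent_hits, baseline_hits)] for processes that called
    the metadata service inside the recent window but have fewer than
    `min_baseline_hits` calls in the history before that window.

    Frequency counting stands in for the rule's ML anomaly scoring: a process
    with an established history of metadata calls is treated as normal, a
    rare or never-seen caller as unusual. Results are sorted so the callers
    with the thinnest history (most anomalous) come first.
    """
    recent_start = now - window
    baseline, recent = Counter(), Counter()
    for ts, proc in metadata_calls(events):
        if ts < recent_start:
            baseline[proc] += 1
        elif ts <= now:
            recent[proc] += 1
    flagged = [
        (proc, hits, baseline[proc])
        for proc, hits in recent.items()
        if baseline[proc] < min_baseline_hits
    ]
    return sorted(flagged, key=lambda row: (row[2], row[0]))


if __name__ == "__main__":
    for proc, recent_hits, baseline_hits in unusual_metadata_callers(SAMPLE_EVENTS, NOW):
        print(f"ALERT {proc}: {recent_hits} recent call(s), {baseline_hits} in baseline")
```

With the constructed data, cloud-agent.exe has four historical calls and is not flagged, while powershell.exe (one prior call) and curl.exe (never seen before) are reported; raising or lowering `min_baseline_hits` is the knob that trades false positives from rarely used legitimate software against missed rare callers, which is the same trade-off the rule's investigation guidance addresses.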
Categories
  • Windows
  • Endpoint
  • Cloud
Data Sources
  • Process
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1552
  • T1552.005
Created: 2020-09-22