Unusual Process Spawned by a Host
A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/09/19"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two
ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual
process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious
or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
"""
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_host"
name = "Unusual Process Spawned by a Host"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/problemchild",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
setup = """## Setup

The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.

### LotL Attack Detection Setup
The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.

#### Prerequisite Requirements:
- Fleet is required for LotL Attack Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.

#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Living off the Land Attack Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Process Spawned by a Host

The detection rule leverages machine learning to identify atypical processes on Windows systems, focusing on those that deviate from normal behavior. Adversaries often exploit legitimate system tools, known as LOLbins, to evade detection. This rule uses the ProblemChild ML model to flag processes that are both statistically unusual and potentially malicious, enhancing detection of stealthy attacks that bypass traditional methods.

### Possible investigation steps

- Review the process details flagged by the ProblemChild ML model, including the process name, path, and command line arguments, to understand its nature and potential purpose.
- Check the parent process of the flagged process to determine if it was spawned by a legitimate application or a known LOLbin, which might indicate a Living off the Land attack.
- Investigate the host's historical activity to assess whether this process or similar ones have been executed previously, focusing on any patterns of unusual behavior.
- Correlate the process activity with user logins and network connections to identify any suspicious user behavior or external communications that coincide with the process execution.
- Examine the system's security logs for any related alerts or anomalies around the time the process was detected, which might provide additional context or evidence of malicious activity.

### False positive analysis

- Routine administrative tasks may trigger false positives if they involve unusual processes or tools not commonly used on the host. Users can create exceptions for these known tasks to prevent unnecessary alerts.
- Software updates or installations can spawn processes that are atypical but benign. Identifying and excluding these processes during known maintenance windows can reduce false positives.
- Custom scripts or automation tools that mimic LOLbins behavior might be flagged. Users should document and whitelist these scripts if they are verified as safe and necessary for operations.
- Legitimate third-party applications that use system binaries in uncommon ways may be misclassified. Regularly review and update the list of approved applications to ensure they are not mistakenly flagged.
- Temporary spikes in unusual processes due to legitimate business activities, such as end-of-quarter reporting, can be managed by adjusting the detection thresholds or temporarily disabling the rule during these periods.

### Response and remediation

- Isolate the affected host from the network to prevent further spread or communication with potential command and control servers.
- Terminate the suspicious process identified by the ProblemChild ML model to halt any ongoing malicious activity.
- Conduct a thorough review of the process's parent and child processes to identify any additional malicious activity or persistence mechanisms.
- Remove any identified LOLbins or unauthorized tools used by the adversary from the system to prevent further exploitation.
- Restore the affected system from a known good backup if any system integrity issues are detected.
- Update endpoint protection and monitoring tools to ensure they can detect similar threats in the future, focusing on the specific techniques used in this incident.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected."""

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Unusual Process Spawned by a Host
The detection rule leverages machine learning to identify atypical processes on Windows systems, focusing on those that deviate from normal behavior. Adversaries often exploit legitimate system tools, known as LOLbins, to evade detection. This rule uses the ProblemChild ML model to flag processes that are both statistically unusual and potentially malicious, enhancing detection of stealthy attacks that bypass traditional methods.
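The two-signal logic described above (a supervised verdict AND rarity on the host) is easy to misread as "alert on anything the model dislikes". The following added example, which is not Elastic's code and not the algorithm behind the `problem_child_rare_process_by_host` job, shows the combination on constructed process events: a process is alerted on only when the classifier's probability clears an assumed cut-off and the process is rare for that particular host, with the rarity score compared against the rule's `anomaly_threshold` of 75. The field name `problemchild.prediction_probability`, the 0.5 cut-off and the rarity formula are assumptions made for the illustration.

```python
"""Two-signal decision behind the rule: a process is alerted on only when the
supervised ProblemChild classifier calls it suspicious AND it is rare on the
host. The scoring here illustrates that combination; it is not Elastic's
anomaly-detection algorithm."""
from collections import Counter, defaultdict
from dataclasses import dataclass

ANOMALY_THRESHOLD = 75       # taken from the rule (anomaly_threshold = 75)
PREDICTION_THRESHOLD = 0.5   # assumed cut-off on the classifier's probability


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    process: str
    prediction_probability: float  # assumed field: problemchild.prediction_probability


def build_baseline(history):
    """Per-host counts of process names seen in the baseline window."""
    per_host = defaultdict(Counter)
    for ev in history:
        per_host[ev.host][ev.process] += 1
    return per_host


def rarity_score(per_host, ev):
    """Illustrative 0-100 score: 100 for a process never seen on this host,
    falling towards 0 as the process accounts for more of the host's activity."""
    seen = per_host.get(ev.host, Counter())
    total = sum(seen.values())
    if total == 0:
        return 100
    return round(100 * (1 - seen[ev.process] / total))


def evaluate(history, candidates):
    """Return (host, process, score) for every candidate that trips both signals."""
    per_host = build_baseline(history)
    alerts = []
    for ev in candidates:
        score = rarity_score(per_host, ev)
        suspicious = ev.prediction_probability >= PREDICTION_THRESHOLD
        if suspicious and score >= ANOMALY_THRESHOLD:
            alerts.append((ev.host, ev.process, score))
    return alerts


# Constructed baseline for one workstation: 30 historical process starts.
HISTORY = (
    [ProcessEvent("ws-01", "explorer.exe", 0.02)] * 18
    + [ProcessEvent("ws-01", "chrome.exe", 0.05)] * 10
    + [ProcessEvent("ws-01", "powershell.exe", 0.40)] * 2
)

# Constructed candidates from the current lookback window.
CANDIDATES = [
    ProcessEvent("ws-01", "powershell.exe", 0.91),  # suspicious and rare here -> alert
    ProcessEvent("ws-01", "chrome.exe", 0.93),      # suspicious but common here -> no alert
    ProcessEvent("ws-01", "certutil.exe", 0.12),    # rare, but the classifier says benign -> no alert
    ProcessEvent("ws-01", "mshta.exe", 0.88),       # never seen and suspicious -> alert
]


def run_demo():
    return evaluate(HISTORY, CANDIDATES)


if __name__ == "__main__":
    for host, proc, score in run_demo():
        print(f"{host}: {proc} (rarity score {score})")
```

The second candidate is the point of the example: a browser the model scores as suspicious is still not alerted on, because it is ordinary for that host. Conversely, a rare binary with a low classifier probability is also dropped, which is why the rule is less noisy than a plain "rare process" job.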
Possible investigation steps
- Review the process details flagged by the ProblemChild ML model, including the process name, path, and command line arguments, to understand its nature and potential purpose.
- Check the parent process of the flagged process to determine if it was spawned by a legitimate application or a known LOLbin, which might indicate a Living off the Land attack.
- Investigate the host's historical activity to assess whether this process or similar ones have been executed previously, focusing on any patterns of unusual behavior.
- Correlate the process activity with user logins and network connections to identify any suspicious user behavior or external communications that coincide with the process execution.
- Examine the system's security logs for any related alerts or anomalies around the time the process was detected, which might provide additional context or evidence of malicious activity.
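The first four steps above amount to an enrichment pass over the alert: resolve the parent chain and pull the logons that preceded the process on the same host. The added example below, not part of the original guide and not Elastic's code, does that over constructed ECS-style records. The process and authentication events, the `process.entity_id` linkage and the 30-minute correlation window are all constructed for the illustration; `winlog.logon.type` is assumed to be populated by the Windows integration.

```python
"""Triage helpers for an alert from this rule: walk the parent chain of the
flagged process and list the successful logons on the same host shortly before
it started. All records are constructed, flattened ECS-style events."""
from datetime import datetime, timedelta

# Constructed process-start events. process.parent.entity_id links a child to its parent.
PROCESS_EVENTS = [
    {"@timestamp": "2025-01-15T09:30:00+00:00", "host.name": "ws-01", "user.name": "jdoe",
     "process.entity_id": "p1", "process.parent.entity_id": None,
     "process.name": "explorer.exe", "process.command_line": "C:\\Windows\\explorer.exe"},
    {"@timestamp": "2025-01-15T10:01:00+00:00", "host.name": "ws-01", "user.name": "jdoe",
     "process.entity_id": "p2", "process.parent.entity_id": "p1",
     "process.name": "winword.exe", "process.command_line": "WINWORD.EXE /n report.docx"},
    {"@timestamp": "2025-01-15T10:03:00+00:00", "host.name": "ws-01", "user.name": "jdoe",
     "process.entity_id": "p3", "process.parent.entity_id": "p2",
     "process.name": "mshta.exe", "process.command_line": "mshta.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\page.hta"},
]

# Constructed authentication events (event.category: authentication).
AUTH_EVENTS = [
    {"@timestamp": "2025-01-15T09:58:00+00:00", "host.name": "ws-01", "user.name": "jdoe",
     "event.outcome": "success", "source.ip": "10.0.0.5", "winlog.logon.type": "RemoteInteractive"},
    {"@timestamp": "2025-01-15T02:00:00+00:00", "host.name": "ws-01", "user.name": "svc_backup",
     "event.outcome": "success", "source.ip": "10.0.0.9", "winlog.logon.type": "Network"},
    {"@timestamp": "2025-01-15T10:00:00+00:00", "host.name": "ws-02", "user.name": "jdoe",
     "event.outcome": "success", "source.ip": "10.0.0.5", "winlog.logon.type": "Interactive"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"])


def parent_chain(entity_id, events, max_depth=16):
    """Process names from the flagged process up to the highest ancestor in the data."""
    by_id = {ev["process.entity_id"]: ev for ev in events}
    chain, seen = [], set()
    current = by_id.get(entity_id)
    while current is not None and len(chain) < max_depth:
        if current["process.entity_id"] in seen:   # guard against cyclic telemetry
            break
        seen.add(current["process.entity_id"])
        chain.append(current["process.name"])
        current = by_id.get(current["process.parent.entity_id"])
    return chain


def logons_before(flagged, auth_events, window=timedelta(minutes=30)):
    """Successful logons on the flagged host within `window` before the process start."""
    start = _ts(flagged)
    hits = []
    for ev in auth_events:
        if ev["host.name"] != flagged["host.name"] or ev["event.outcome"] != "success":
            continue
        delta = start - _ts(ev)
        if timedelta(0) <= delta <= window:
            hits.append((ev["user.name"], ev["source.ip"], ev["winlog.logon.type"]))
    return hits


def triage(entity_id, process_events=PROCESS_EVENTS, auth_events=AUTH_EVENTS):
    """Collect the context an analyst wants on the first look at the alert."""
    by_id = {ev["process.entity_id"]: ev for ev in process_events}
    flagged = by_id[entity_id]
    return {
        "host": flagged["host.name"],
        "process": flagged["process.name"],
        "command_line": flagged["process.command_line"],
        "parent_chain": parent_chain(entity_id, process_events),
        "recent_logons": logons_before(flagged, auth_events),
    }


if __name__ == "__main__":
    for key, value in triage("p3").items():
        print(f"{key}: {value}")
```

In a real investigation the same two lookups are done with Kibana queries on `process.entity_id` and on `event.category: authentication` for the host; the value of writing them down as code is that the time window and the success filter are explicit, so two analysts pull the same context.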
False positive analysis
- Routine administrative tasks may trigger false positives if they involve unusual processes or tools not commonly used on the host. Users can create exceptions for these known tasks to prevent unnecessary alerts.
- Software updates or installations can spawn processes that are atypical but benign. Identifying and excluding these processes during known maintenance windows can reduce false positives.
- Custom scripts or automation tools that mimic LOLbins behavior might be flagged. Users should document and whitelist these scripts if they are verified as safe and necessary for operations.
- Legitimate third-party applications that use system binaries in uncommon ways may be misclassified. Regularly review and update the list of approved applications to ensure they are not mistakenly flagged.
- Temporary spikes in unusual processes due to legitimate business activities, such as end-of-quarter reporting, can be managed by adjusting the detection thresholds or temporarily disabling the rule during these periods.
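The exceptions the list above recommends (approved tooling per host group, installer activity inside a maintenance window) are easier to reason about when written out as data and applied to a batch of alerts. The added example below is not Elastic's code and does not reproduce how Kibana rule exceptions are stored; it shows the matching logic over constructed exclusions and constructed alerts, so that the effect of each entry can be checked before it is entered in the product. The change-ticket reference, host patterns and process names are placeholders.

```python
"""Applying documented exceptions to alerts from this rule: an approved-tooling
list keyed by host pattern, process and parent, plus time-bounded maintenance
windows. Exclusions and alerts are constructed samples, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    reason: str                              # why this is documented as benign
    host_glob: str = "*"                     # case-insensitive glob on host.name
    process: Optional[str] = None            # exact process.name, case-insensitive
    parent: Optional[str] = None             # exact process.parent.name, case-insensitive
    window_start: Optional[datetime] = None  # set both for a maintenance window
    window_end: Optional[datetime] = None

    def matches(self, alert):
        if not fnmatch(alert["host.name"].lower(), self.host_glob.lower()):
            return False
        if self.process and alert["process.name"].lower() != self.process.lower():
            return False
        if self.parent and alert["process.parent.name"].lower() != self.parent.lower():
            return False
        if self.window_start and self.window_end:
            ts = datetime.fromisoformat(alert["@timestamp"])
            if not (self.window_start <= ts <= self.window_end):
                return False
        return True


# Constructed exclusions; the ticket id is a placeholder.
EXCLUSIONS = [
    Exclusion("Patch deployment, change CHG-PLACEHOLDER",
              host_glob="ws-*", process="msiexec.exe", parent="ccmexec.exe",
              window_start=datetime.fromisoformat("2025-01-18T01:00:00+00:00"),
              window_end=datetime.fromisoformat("2025-01-18T05:00:00+00:00")),
    Exclusion("Approved remote-admin tooling on helpdesk workstations",
              host_glob="hd-*", process="psexec.exe"),
]

# Constructed alerts as emitted by the rule (flattened ECS fields).
ALERTS = [
    {"@timestamp": "2025-01-18T02:15:00+00:00", "host.name": "WS-07",
     "process.name": "msiexec.exe", "process.parent.name": "CcmExec.exe"},  # inside window -> suppressed
    {"@timestamp": "2025-01-18T14:15:00+00:00", "host.name": "ws-07",
     "process.name": "msiexec.exe", "process.parent.name": "ccmexec.exe"},  # outside window -> kept
    {"@timestamp": "2025-01-18T09:00:00+00:00", "host.name": "hd-02",
     "process.name": "psexec.exe", "process.parent.name": "cmd.exe"},       # approved on hd-* -> suppressed
    {"@timestamp": "2025-01-18T09:05:00+00:00", "host.name": "ws-11",
     "process.name": "mshta.exe", "process.parent.name": "winword.exe"},    # no exception -> kept
]


def apply_exclusions(alerts, exclusions):
    """Split alerts into those that survive and those suppressed (with the reason)."""
    kept, suppressed = [], []
    for alert in alerts:
        hit = next((x for x in exclusions if x.matches(alert)), None)
        if hit is None:
            kept.append(alert)
        else:
            suppressed.append((alert["host.name"], alert["process.name"], hit.reason))
    return kept, suppressed


def run_demo():
    return apply_exclusions(ALERTS, EXCLUSIONS)


if __name__ == "__main__":
    kept, suppressed = run_demo()
    print("kept:", [(a["host.name"], a["process.name"]) for a in kept])
    print("suppressed:", suppressed)
```

Two details carry the safety of the approach: the maintenance-window entry is bound to a parent process as well as a time range, so the same installer launched by something else outside the deployment tool is still alerted on, and every suppressed alert keeps the reason it was dropped, which is what the "document and whitelist" step asks for.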
Response and remediation
- Isolate the affected host from the network to prevent further spread or communication with potential command and control servers.
- Terminate the suspicious process identified by the ProblemChild ML model to halt any ongoing malicious activity.
- Conduct a thorough review of the process's parent and child processes to identify any additional malicious activity or persistence mechanisms.
- Remove any identified LOLbins or unauthorized tools used by the adversary from the system to prevent further exploitation.
- Restore the affected system from a known good backup if any system integrity issues are detected.
- Update endpoint protection and monitoring tools to ensure they can detect similar threats in the future, focusing on the specific techniques used in this incident.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are affected.
Related rules
- Suspicious Windows Process Cluster Spawned by a Parent Process
- Suspicious Windows Process Cluster Spawned by a User
- Unusual Process Spawned by a Parent Process
- Unusual Process Spawned by a User
- Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score