Unusual Process Spawned by a Parent Process
A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child
process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or
malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
"""
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_parent"
name = "Unusual Process Spawned by a Parent Process"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/problemchild",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
setup = """## Setup

The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.

### LotL Attack Detection Setup
The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.

#### Prerequisite Requirements:
- Fleet is required for LotL Attack Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.

#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Living off the Land Attack Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Process Spawned by a Parent Process

In Windows environments, processes are often spawned by parent processes to perform legitimate tasks. However, adversaries can exploit this by using legitimate tools, known as LOLbins, to execute malicious activities stealthily. The detection rule leverages machine learning to identify anomalies in process creation patterns, flagging processes that deviate from typical behavior, thus uncovering potential threats that evade traditional detection methods.

### Possible investigation steps

- Review the parent process and child process names to determine if they are known legitimate applications or if they are commonly associated with LOLbins or other malicious activities.
- Check the process creation time and correlate it with any known user activity or scheduled tasks to identify if the process execution aligns with expected behavior.
- Investigate the command line arguments used by the suspicious process to identify any unusual or potentially malicious commands or scripts being executed.
- Analyze the network activity associated with the process to detect any suspicious outbound connections or data exfiltration attempts.
- Examine the file path and hash of the executable to verify its legitimacy and check against known malware databases or threat intelligence sources.
- Review any recent changes to the system, such as software installations or updates, that might explain the unusual process behavior.
- Consult endpoint detection and response (EDR) logs or other security tools to gather additional context and evidence related to the process and its activities.

### False positive analysis

- Legitimate administrative tools like PowerShell or command prompt may be flagged when used for routine tasks. Users can create exceptions for these tools when executed by known and trusted parent processes.
- Software updates or installations often spawn processes that might appear unusual. Exclude these processes by identifying their typical parent-child relationships during updates.
- Custom scripts or automation tools used within the organization might trigger alerts. Document these scripts and their expected behavior to create exceptions for them.
- Frequent use of remote management tools can lead to false positives. Ensure these tools are whitelisted when used by authorized personnel.
- Regularly review and update the list of exceptions to accommodate changes in legitimate process behaviors over time.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions.
- Conduct a thorough analysis of the process and its parent to understand the scope of the compromise and identify any additional malicious activities or files.
- Remove any malicious files or artifacts associated with the process from the system to ensure complete remediation.
- Restore the system from a known good backup if the integrity of the system is compromised beyond repair.
- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
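The rule fires only when two independent signals agree: the supervised ProblemChild model scores the process as likely malicious, and the unsupervised job finds the child process name rare for that parent. The false positive section then recommends exceptions keyed on trusted parent/child pairs. The following is an added toy re-creation of that decision logic over a constructed baseline of parent/child observations; it is not Elastic's implementation or the ProblemChild model. The event field names follow ECS (`process.name`, `process.parent.name`), the `problemchild.prediction_probability` field stands in for the supervised score, and the rarity cutoff, minimum-history size, probability cutoff and all sample events are assumptions made up for this example.

```python
"""Toy two-way check: rare child-by-parent (stand-in for the unsupervised
job) AND a supervised maliciousness probability (stand-in for ProblemChild),
gated by a trusted parent/child exception list.

Added example, not Elastic's code. Thresholds and sample data are constructed.
"""
from collections import Counter, defaultdict

# Constructed baseline: (parent, child) pairs seen over a learning period.
# A real anomaly job learns this distribution from the process event index.
BASELINE_EVENTS = (
    [("explorer.exe", "chrome.exe")] * 400
    + [("explorer.exe", "outlook.exe")] * 300
    + [("explorer.exe", "cmd.exe")] * 40
    + [("services.exe", "svchost.exe")] * 900
    + [("winword.exe", "splwow64.exe")] * 30
)

# Constructed exception list: trusted parent/child pairs, as the
# false positive guidance suggests. Stored lower-case for matching.
EXCEPTIONS = {("explorer.exe", "cmd.exe")}

RARE_FRACTION = 0.01         # assumed: child in <1% of the parent's spawns is rare
MIN_PARENT_SAMPLES = 20      # assumed: below this, no rarity verdict is possible
MALICIOUS_PROBABILITY = 0.75  # assumed supervised-score cutoff for this toy


def build_baseline(events):
    """Count child process names per parent, case-insensitively."""
    children_by_parent = defaultdict(Counter)
    for parent, child in events:
        children_by_parent[parent.lower()][child.lower()] += 1
    return children_by_parent


def child_rarity(baseline, parent, child):
    """Fraction of `parent`'s observed spawns that were `child`.

    Returns None when the parent has too little history to judge, so a
    brand-new parent does not automatically look anomalous.
    """
    counts = baseline.get(parent.lower())
    if counts is None:
        return None
    total = sum(counts.values())
    if total < MIN_PARENT_SAMPLES:
        return None
    return counts[child.lower()] / total  # Counter returns 0 for unseen children


def evaluate(baseline, event, exceptions=EXCEPTIONS):
    """Classify one ECS-like process event.

    'alert' requires BOTH a rare child-for-parent and a high supervised
    score; either signal alone is surfaced separately for tuning.
    """
    parent = event["process.parent.name"]
    child = event["process.name"]
    if (parent.lower(), child.lower()) in exceptions:
        return "excepted"
    rarity = child_rarity(baseline, parent, child)
    if rarity is None:
        return "insufficient_history"
    is_rare = rarity < RARE_FRACTION
    predicted_malicious = event["problemchild.prediction_probability"] >= MALICIOUS_PROBABILITY
    if is_rare and predicted_malicious:
        return "alert"
    if is_rare:
        return "rare_only"
    return "normal"


# Constructed sample events; the probability values are invented.
SAMPLE_EVENTS = [
    {"process.parent.name": "WINWORD.EXE", "process.name": "powershell.exe",
     "problemchild.prediction_probability": 0.93},   # rare + high score -> alert
    {"process.parent.name": "explorer.exe", "process.name": "notepad.exe",
     "problemchild.prediction_probability": 0.12},   # rare, low score -> rare_only
    {"process.parent.name": "explorer.exe", "process.name": "cmd.exe",
     "problemchild.prediction_probability": 0.88},   # trusted pair -> excepted
    {"process.parent.name": "services.exe", "process.name": "svchost.exe",
     "problemchild.prediction_probability": 0.05},   # common pair -> normal
    {"process.parent.name": "newtool.exe", "process.name": "helper.exe",
     "problemchild.prediction_probability": 0.95},   # unseen parent -> insufficient_history
]


def run_demo():
    """Evaluate the constructed events against the constructed baseline."""
    baseline = build_baseline(BASELINE_EVENTS)
    return [evaluate(baseline, e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run_demo()):
        print(f"{event['process.parent.name']} -> {event['process.name']}: {verdict}")
```

The `rare_only` and `insufficient_history` outcomes are worth keeping visible during tuning: the first shows which parents spawn unusual children without a supporting supervised score, and the second shows parents that have too little history for the rarity signal to mean anything, which is where new software rollouts and freshly onboarded hosts tend to land.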
Related rules
- Suspicious Windows Process Cluster Spawned by a Parent Process
- Suspicious Windows Process Cluster Spawned by a User
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a User
- Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score