Unusual Process Spawned by a User
A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Elastic rule
[metadata]
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given
that its user context is unusual and does not commonly manifest malicious activity, by an unsupervised ML model. Such a
process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to
detection using conventional search rules.
"""
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_rare_process_by_user"
name = "Unusual Process Spawned by a User"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/problemchild",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
setup = """## Setup

The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.

### LotL Attack Detection Setup
The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.

#### Prerequisite Requirements:
- Fleet is required for LotL Attack Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.

#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Living off the Land Attack Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Process Spawned by a User

The detection of unusual processes spawned by users leverages machine learning to identify anomalies in user behavior and process execution. Adversaries often exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag processes that deviate from typical user activity, indicating potential misuse or masquerading tactics.

### Possible investigation steps

- Review the user context associated with the alert to determine if the user has a history of spawning unusual processes or if this is an isolated incident.
- Examine the specific process flagged by the alert, including its command line arguments, parent process, and any associated network activity, to identify potential indicators of compromise.
- Check for the presence of known LOLbins or other legitimate tools that may have been exploited, as indicated by the alert's focus on defense evasion tactics.
- Investigate any recent changes in the user's behavior or system configuration that could explain the anomaly, such as software updates or new application installations.
- Correlate the alert with other security events or logs from the same timeframe to identify any related suspicious activities or patterns.
- Assess the risk score and severity level in the context of the organization's threat landscape to prioritize the response and determine if further action is needed.

### False positive analysis

- Legitimate administrative tools may trigger false positives if they are used in atypical contexts. Users should review the context of the process execution and, if deemed safe, add these tools to an exception list to prevent future alerts.
- Scheduled tasks or scripts that run infrequently might be flagged as unusual. Verify the legitimacy of these tasks and consider excluding them if they are part of regular maintenance or updates.
- Software updates or installations can spawn processes that appear anomalous. Confirm the source and purpose of these updates, and if they are routine, create exceptions for these specific processes.
- Developers or IT personnel using command-line tools for legitimate purposes may trigger alerts. Evaluate the necessity of these tools in their workflow and whitelist them if they are consistently used in a non-malicious manner.
- New or infrequently used applications might be flagged due to lack of historical data. Assess the application's legitimacy and, if appropriate, add it to a list of known safe applications to reduce false positives.

### Response and remediation

- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate the suspicious process identified by the alert to halt any ongoing malicious activity.
- Conduct a thorough review of the user's recent activity and access logs to identify any unauthorized actions or data access.
- Reset the credentials of the affected user account to prevent further unauthorized access, ensuring that strong, unique passwords are used.
- Scan the system for additional indicators of compromise, such as other unusual processes or modifications to system files, and remove any identified threats.
- Restore the system from a known good backup if any critical system files or configurations have been altered.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
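The gating the rule applies to the ML job's output (matching `machine_learning_job_id`, `anomaly_threshold = 75`, the `from = "now-45m"` window) together with the per-user exception list recommended in the false positive section, as an added example that is not Elastic's code; the anomaly record field names and all sample records are constructed assumptions, not the job's real output schema.

```python
from datetime import datetime, timedelta, timezone

# Values taken from the rule above; everything else in this block is constructed.
JOB_ID = "problem_child_rare_process_by_user"
ANOMALY_THRESHOLD = 75
LOOKBACK = timedelta(minutes=45)  # the rule's from = "now-45m"

# Exception list as the false-positive section suggests: (user, process) pairs
# that were reviewed and judged benign. Constructed sample data.
EXCEPTIONS = {("svc_backup", "robocopy.exe")}

# Constructed anomaly records in the shape an ML job might emit (field names are
# assumptions, not the job's real output schema).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
RECORDS = [
    {"job_id": JOB_ID, "record_score": 91.2, "user.name": "jdoe",
     "process.name": "certutil.exe", "timestamp": NOW - timedelta(minutes=10)},
    {"job_id": JOB_ID, "record_score": 88.0, "user.name": "svc_backup",
     "process.name": "robocopy.exe", "timestamp": NOW - timedelta(minutes=5)},
    {"job_id": JOB_ID, "record_score": 40.5, "user.name": "asmith",
     "process.name": "mshta.exe", "timestamp": NOW - timedelta(minutes=3)},
    {"job_id": JOB_ID, "record_score": 97.0, "user.name": "jdoe",
     "process.name": "regsvr32.exe", "timestamp": NOW - timedelta(minutes=90)},
    {"job_id": "other_job", "record_score": 99.0, "user.name": "jdoe",
     "process.name": "rundll32.exe", "timestamp": NOW - timedelta(minutes=1)},
]


def select_alerts(records, now, job_id=JOB_ID, threshold=ANOMALY_THRESHOLD,
                  lookback=LOOKBACK, exceptions=EXCEPTIONS):
    """Return (alerts, suppressed): the records the rule would alert on, and
    those held back by the exception list (kept for audit). Mirrors the gates
    in the rule: matching job, score >= anomaly_threshold, inside the window."""
    alerts, suppressed = [], []
    for r in records:
        if r["job_id"] != job_id or r["record_score"] < threshold:
            continue                      # wrong job or below anomaly_threshold
        if not (now - lookback <= r["timestamp"] <= now):
            continue                      # outside the now-45m lookback
        if (r["user.name"], r["process.name"]) in exceptions:
            suppressed.append(r)          # reviewed-benign pair, not alerted
        else:
            alerts.append(r)
    return alerts, suppressed


if __name__ == "__main__":
    hits, held = select_alerts(RECORDS, NOW)
    print("alerts:", [(h["user.name"], h["process.name"]) for h in hits])
    print("suppressed:", [(s["user.name"], s["process.name"]) for s in held])
```

Lowering `threshold` shows how `anomaly_threshold` trades alert volume for sensitivity, which is the knob to tune before adding exceptions.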
Related rules
- Suspicious Windows Process Cluster Spawned by a Parent Process
- Suspicious Windows Process Cluster Spawned by a User
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a Parent Process
- Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score