Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/10/16"
3integration = ["problemchild","endpoint"]
4maturity = "production"
5min_stack_comments = "LotL package job ID and rule removal updates"
6min_stack_version = "8.9.0"
7updated_date = "2023/10/23"
8
9[rule]
10author = ["Elastic"]
11description = """
12A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
13probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
14malicious.
15"""
16from = "now-10m"
17index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
21note = """## Setup
22
23The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
24"""
25references = [
26 "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
27 "https://docs.elastic.co/en/integrations/problemchild",
28 "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
29]
30risk_score = 21
31rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
32severity = "low"
33tags = [
34 "OS: Windows",
35 "Data Source: Elastic Endgame",
36 "Use Case: Living off the Land Attack Detection",
37 "Rule Type: ML",
38 "Rule Type: Machine Learning",
39 "Tactic: Defense Evasion",
40]
41timestamp_override = "event.ingested"
42type = "eql"
43
44query = '''
45process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
46blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1036"
54name = "Masquerading"
55reference = "https://attack.mitre.org/techniques/T1036/"
56[[rule.threat.technique.subtechnique]]
57id = "T1036.004"
58name = "Masquerade Task or Service"
59reference = "https://attack.mitre.org/techniques/T1036/004/"
60
61
62
63[rule.threat.tactic]
64id = "TA0005"
65name = "Defense Evasion"
66reference = "https://attack.mitre.org/tactics/TA0005/"
Setup
The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
References
-
Prebuilt job referenceedit These anomaly detection jobs automatically detect file system and network anomalies on your hosts. They appear in the Anomaly Detection interface of the Elastic Security ...
Read More -
ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription.
Read More -
We added a Living off the land (LotL) detection package to the Integrations app in Kibana. In a single click, you can install and start using the ProblemChild model and associated assets including anomaly detection configurations and detection rules.
Read More
Related rules
- Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity
- Suspicious Windows Process Cluster Spawned by a Parent Process
- Suspicious Windows Process Cluster Spawned by a User
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a Parent Process