Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2023/10/16"
integration = ["problemchild","endpoint"]
maturity = "production"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2023/10/23"

[rule]
author = ["Elastic"]
description = """
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
malicious.
"""
from = "now-10m"
index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
note = """## Setup

The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
"""
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/problemchild",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
]
risk_score = 21
rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
severity = "low"
tags = [
    "OS: Windows",
    "Data Source: Elastic Endgame",
    "Use Case: Living off the Land Attack Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.004"
name = "Masquerade Task or Service"
reference = "https://attack.mitre.org/techniques/T1036/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
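The query above combines three conditions: a ProblemChild prediction of 1 with a probability strictly above 0.98, or a blocklist hit, and in either case no process argument matching the two Nessus scratch-file patterns. To make that predicate concrete, here is an added Python re-implementation that evaluates the same conditions against a few constructed ProblemChild-enriched ECS documents. It is not Elastic's code and is not how the rule runs inside Elasticsearch; it assumes the EQL `:` operator's case-insensitive wildcard semantics (only `*` and `?` are special), that `process.args` and `event.category` may be arrays, and that the TOML literal string hands EQL a double backslash that EQL unescapes to one. The helper names and the sample events are my own.

```python
import re

# Constants copied from the rule query. The TOML '''...''' literal passes "\\" through
# unchanged; EQL's double-quoted string then unescapes it to a single backslash, so the
# effective patterns are the single-backslash forms written here as raw strings.
PREDICTION_PROBABILITY_THRESHOLD = 0.98
EXCLUDED_ARG_PATTERNS = (
    r"*C:\WINDOWS\temp\nessus_*.txt*",
    r"*C:\WINDOWS\temp\nessus_*.tmp*",
)


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate an EQL ':' wildcard pattern into an anchored, case-insensitive regex.
    Only '*' and '?' are special in EQL wildcards; everything else is literal."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))  # escapes '\' so it matches a literal backslash
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE | re.DOTALL)


_EXCLUSIONS = tuple(wildcard_to_regex(p) for p in EXCLUDED_ARG_PATTERNS)


def _as_list(value):
    """ECS fields such as event.category and process.args may be a scalar or an array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def args_excluded(args) -> bool:
    """`process.args : (...)` is true when ANY array element matches ANY listed pattern."""
    return any(rx.match(a) for a in _as_list(args) for rx in _EXCLUSIONS)


def rule_matches(event: dict) -> bool:
    """Evaluate the rule predicate against one ProblemChild-enriched ECS document."""
    if "process" not in _as_list(event.get("event", {}).get("category")):
        return False  # the query's leading `process where` restricts the category
    pc = event.get("problemchild", {})
    ml_hit = (pc.get("prediction") == 1
              and pc.get("prediction_probability", 0.0) > PREDICTION_PROBABILITY_THRESHOLD)
    blocklist_hit = event.get("blocklist_label") == 1
    if not (ml_hit or blocklist_hit):
        return False
    return not args_excluded(event.get("process", {}).get("args"))


def run_rule(events) -> list:
    """Return the labels of the documents the rule would alert on, in input order."""
    return [e["label"] for e in events if rule_matches(e)]


# Constructed sample documents (not real telemetry); "label" exists only for readability.
SAMPLE_EVENTS = [
    {"label": "high-confidence-ml", "event": {"category": ["process"]},
     "process": {"name": "powershell.exe",
                 "args": ["powershell.exe", "-nop", "-w", "hidden", "-enc", "SQBFAFgA"]},
     "problemchild": {"prediction": 1, "prediction_probability": 0.995}},
    {"label": "below-threshold", "event": {"category": ["process"]},
     "process": {"name": "certutil.exe",
                 "args": ["certutil.exe", "-urlcache", "-f", "http://example.test/a.txt"]},
     "problemchild": {"prediction": 1, "prediction_probability": 0.90}},
    {"label": "blocklist-only", "event": {"category": "process"},
     "process": {"name": "mshta.exe", "args": ["mshta.exe", "javascript:close()"]},
     "problemchild": {"prediction": 0, "prediction_probability": 0.12},
     "blocklist_label": 1},
    {"label": "nessus-excluded", "event": {"category": ["process"]},
     "process": {"name": "cmd.exe",
                 "args": ["cmd.exe", "/c", r"type c:\windows\TEMP\nessus_1a2b3c.TMP"]},
     "problemchild": {"prediction": 1, "prediction_probability": 0.999}},
    {"label": "not-a-process-event", "event": {"category": ["network"]},
     "problemchild": {"prediction": 1, "prediction_probability": 0.999}},
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['high-confidence-ml', 'blocklist-only']
```

Two things worth noticing when running it: the threshold is a strict greater-than, so a document scored exactly 0.98 does not fire, and the Nessus exclusion is a wildcard over every element of `process.args`, so it suppresses any process whose command line merely mentions a path under `C:\WINDOWS\temp\nessus_*.txt` or `.tmp`, regardless of what the process is. That is the usual trade-off of path-based exclusions for vulnerability scanners; if you tune this rule, consider scoping the exclusion to the scanner's parent process rather than to the argument string alone.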
Setup
The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
References
- https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html
- https://docs.elastic.co/en/integrations/problemchild
- https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration
Related rules
- Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity
- Suspicious Windows Process Cluster Spawned by a Parent Process
- Suspicious Windows Process Cluster Spawned by a User
- Unusual Process Spawned by a Host
- Unusual Process Spawned by a Parent Process