Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score

A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/10/16"
integration = ["problemchild","endpoint"]
maturity = "production"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2023/10/23"

[rule]
author = ["Elastic"]
description = """
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
malicious.
"""
from = "now-10m"
index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
note = """## Setup

The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
"""
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/problemchild",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
]
risk_score = 21
rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
severity = "low"
tags = [
    "OS: Windows",
    "Data Source: Elastic Endgame",
    "Use Case: Living off the Land Attack Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Defense Evasion",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[[rule.threat.technique.subtechnique]]
id = "T1036.004"
name = "Masquerade Task or Service"
reference = "https://attack.mitre.org/techniques/T1036/004/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
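The EQL query above has three parts: an event-category gate (`process where`), a disjunction of the ML verdict (prediction 1 with probability above 0.98) and the blocklist verdict (`blocklist_label == 1`), and an exclusion of any process argument that wildcard-matches a Nessus scanner temp file. The Python below is an added example, not Elastic's code or part of the rule, that re-implements that logic over a handful of constructed sample events so the match and exclusion behaviour can be checked offline. It assumes the documents are plain dicts laid out like the ECS/ProblemChild fields the query names (`event.category`, `problemchild.prediction`, `problemchild.prediction_probability`, `blocklist_label`, `process.args`); the event ids and argument values are invented for the demonstration.

```python
import fnmatch

# Values taken from the rule's query.
PROBABILITY_THRESHOLD = 0.98
EXCLUDED_ARG_PATTERNS = (
    "*C:\\WINDOWS\\temp\\nessus_*.txt*",
    "*C:\\WINDOWS\\temp\\nessus_*.tmp*",
)


def arg_matches_exclusion(arg: str) -> bool:
    """EQL's ':' operator is a case-insensitive wildcard comparison; lower-casing
    both sides and using fnmatchcase approximates it (only '*' and '?' are special)."""
    arg_l = arg.lower()
    return any(fnmatch.fnmatchcase(arg_l, pat.lower()) for pat in EXCLUDED_ARG_PATTERNS)


def rule_matches(event: dict) -> bool:
    """Return True when the event would be flagged by the rule's query."""
    # 'process where' restricts the query to process events; event.category may
    # be a string or a list in endpoint data, so accept both.
    category = event.get("event", {}).get("category", [])
    if isinstance(category, str):
        category = [category]
    if "process" not in category:
        return False

    pc = event.get("problemchild", {})
    ml_hit = pc.get("prediction") == 1 and pc.get("prediction_probability", 0.0) > PROBABILITY_THRESHOLD
    blocklist_hit = event.get("blocklist_label") == 1
    if not (ml_hit or blocklist_hit):
        return False

    # 'not process.args : (...)' drops the event if ANY argument matches a pattern.
    args = event.get("process", {}).get("args", [])
    return not any(arg_matches_exclusion(a) for a in args)


def evaluate(events: list) -> list:
    """Ids of the events that the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (assumption: not real telemetry).
SAMPLE_EVENTS = [
    {   # ML verdict above threshold, no exclusion -> alert
        "id": "ml-high", "event": {"category": ["process"]},
        "problemchild": {"prediction": 1, "prediction_probability": 0.995},
        "blocklist_label": 0,
        "process": {"name": "svchost.exe", "args": ["svchost.exe", "-k", "netsvcs"]},
    },
    {   # ML says malicious but probability below 0.98 -> no alert
        "id": "ml-low", "event": {"category": ["process"]},
        "problemchild": {"prediction": 1, "prediction_probability": 0.90},
        "blocklist_label": 0,
        "process": {"name": "rundll32.exe", "args": ["rundll32.exe", "shell32.dll,Control_RunDLL"]},
    },
    {   # Model says benign, but the blocklist flags it -> alert
        "id": "blocklist", "event": {"category": ["process"]},
        "problemchild": {"prediction": 0, "prediction_probability": 0.10},
        "blocklist_label": 1,
        "process": {"name": "mshta.exe", "args": ["mshta.exe", "example.hta"]},
    },
    {   # High-probability hit, but an argument matches the Nessus temp-file exclusion
        # (note the different letter case, which ':' ignores) -> no alert
        "id": "nessus-excluded", "event": {"category": ["process"]},
        "problemchild": {"prediction": 1, "prediction_probability": 0.99},
        "blocklist_label": 0,
        "process": {"name": "cmd.exe", "args": ["cmd.exe", "/c", "type C:\\Windows\\Temp\\nessus_abc123.txt"]},
    },
    {   # Not a process event, so the 'process where' gate rejects it -> no alert
        "id": "not-process", "event": {"category": ["network"]},
        "problemchild": {"prediction": 1, "prediction_probability": 0.99},
        "blocklist_label": 1,
        "process": {"name": "powershell.exe", "args": ["powershell.exe"]},
    },
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # ['ml-high', 'blocklist']
```

Two points the sample set makes visible: the blocklist path fires regardless of the model's probability, so a blocklist entry cannot be "outvoted" by a low score, and the exclusion applies per argument, so one Nessus temp path anywhere in the command line suppresses an otherwise high-confidence hit. When tuning such a rule, any additional exclusion should be kept just as narrow, since each pattern is a blind spot for both the ML and blocklist paths.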

Setup

The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
