Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score

A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2023/10/16"
  3integration = ["problemchild", "endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low
 11probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
 12malicious.
 13"""
 14from = "now-10m"
 15index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score"
 19references = [
 20    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
 21    "https://docs.elastic.co/en/integrations/problemchild",
 22    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
 23]
 24risk_score = 21
 25rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
 26setup = """## Setup
 27
 28The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
 29
 30### LotL Attack Detection Setup
 31The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.
 32
 33#### Prerequisite Requirements:
 34- Fleet is required for LotL Attack Detection.
 35- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 36- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
 37- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 38- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.
 39
 40#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
 41- Go to the Kibana homepage. Under Management, click Integrations.
 42- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
 43- Follow the instructions under the **Installation** section.
 44- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
 45"""
 46severity = "low"
 47tags = [
 48    "OS: Windows",
 49    "Data Source: Elastic Endgame",
 50    "Use Case: Living off the Land Attack Detection",
 51    "Rule Type: ML",
 52    "Rule Type: Machine Learning",
 53    "Tactic: Defense Evasion",
 54    "Data Source: Elastic Defend",
 55    "Resources: Investigation Guide",
 56]
 57timestamp_override = "event.ingested"
 58type = "eql"
 59
 60query = '''
 61process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or
 62blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
 63'''
 64note = """## Triage and analysis
 65
 66> **Disclaimer**:
 67> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 68
 69### Investigating Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
 70
 71The detection leverages a machine learning model to identify potentially suspicious Windows processes with a low likelihood of being malicious, focusing on defense evasion tactics like masquerading. Adversaries may exploit legitimate processes to bypass security measures. This rule flags such events, excluding known benign patterns, to highlight potential threats for further analysis.
 72
 73### Possible investigation steps
 74
 75- Review the process details where the problemchild.prediction is 1 and the prediction_probability is less than or equal to 0.98 to understand why the process was flagged as suspicious.
 76- Check if the process is listed in the blocklist_label as 1, indicating it has been identified as malicious by the model's blocklist.
 77- Investigate the command-line arguments of the process to identify any unusual or unexpected patterns, excluding known benign patterns such as those involving "C:\\WINDOWS\\temp\\nessus_*.txt" or "C:\\WINDOWS\\temp\\nessus_*.tmp".
 78- Correlate the flagged process with other system events or logs to determine if it is part of a larger pattern of suspicious activity, focusing on defense evasion tactics like masquerading.
 79- Assess the parent process and any child processes spawned by the suspicious process to identify potential lateral movement or further malicious activity.
 80- Consult threat intelligence sources to see if the process or its associated indicators have been reported in recent threat reports or advisories.
 81
 82### False positive analysis
 83
 84- Nessus scan files in the Windows temp directory may trigger false positives. Exclude paths like C:\\WINDOWS\\temp\\nessus_*.txt and C:\\WINDOWS\\temp\\nessus_*.tmp to prevent these benign events from being flagged.
 85- Legitimate software updates or installations might mimic suspicious behavior. Monitor and document regular update schedules to differentiate between expected and unexpected activities.
 86- System administration scripts that automate tasks can appear suspicious. Identify and whitelist these scripts if they are part of routine operations to avoid unnecessary alerts.
 87- Custom in-house applications may not be recognized by the model. Work with IT to catalog these applications and create exceptions where necessary to reduce false positives.
 88- Regularly review and update the blocklist and exception rules to ensure they reflect the current environment and known benign activities.
 89
 90### Response and remediation
 91
 92- Isolate the affected system from the network to prevent potential lateral movement by the adversary exploiting the masquerading technique.
 93- Terminate the suspicious process identified by the machine learning model to halt any ongoing malicious activity.
 94- Conduct a thorough review of the process's parent and child processes to identify any additional suspicious activities or related processes that may require termination.
 95- Restore the system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise.
 96- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
 97- Implement enhanced monitoring for similar masquerading attempts by adjusting alert thresholds or adding specific indicators of compromise (IOCs) related to the detected event.
 98- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""
 99
100
101[[rule.threat]]
102framework = "MITRE ATT&CK"
103[[rule.threat.technique]]
104id = "T1036"
105name = "Masquerading"
106reference = "https://attack.mitre.org/techniques/T1036/"
107[[rule.threat.technique.subtechnique]]
108id = "T1036.004"
109name = "Masquerade Task or Service"
110reference = "https://attack.mitre.org/techniques/T1036/004/"
111
112
113
114[rule.threat.tactic]
115id = "TA0005"
116name = "Defense Evasion"
117reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score

The detection leverages a machine learning model to identify potentially suspicious Windows processes with a low likelihood of being malicious, focusing on defense evasion tactics like masquerading. Adversaries may exploit legitimate processes to bypass security measures. This rule flags such events, excluding known benign patterns, to highlight potential threats for further analysis.

Possible investigation steps

  • Review the process details where the problemchild.prediction is 1 and the prediction_probability is less than or equal to 0.98 to understand why the process was flagged as suspicious.
  • Check if the process is listed in the blocklist_label as 1, indicating it has been identified as malicious by the model's blocklist.
  • Investigate the command-line arguments of the process to identify any unusual or unexpected patterns, excluding known benign patterns such as those involving "C:\WINDOWS\temp\nessus_.txt" or "C:\WINDOWS\temp\nessus_.tmp".
  • Correlate the flagged process with other system events or logs to determine if it is part of a larger pattern of suspicious activity, focusing on defense evasion tactics like masquerading.
  • Assess the parent process and any child processes spawned by the suspicious process to identify potential lateral movement or further malicious activity.
  • Consult threat intelligence sources to see if the process or its associated indicators have been reported in recent threat reports or advisories.

False positive analysis

  • Nessus scan files in the Windows temp directory may trigger false positives. Exclude paths like C:\WINDOWS\temp\nessus_.txt and C:\WINDOWS\temp\nessus_.tmp to prevent these benign events from being flagged.
  • Legitimate software updates or installations might mimic suspicious behavior. Monitor and document regular update schedules to differentiate between expected and unexpected activities.
  • System administration scripts that automate tasks can appear suspicious. Identify and whitelist these scripts if they are part of routine operations to avoid unnecessary alerts.
  • Custom in-house applications may not be recognized by the model. Work with IT to catalog these applications and create exceptions where necessary to reduce false positives.
  • Regularly review and update the blocklist and exception rules to ensure they reflect the current environment and known benign activities.

Response and remediation

  • Isolate the affected system from the network to prevent potential lateral movement by the adversary exploiting the masquerading technique.
  • Terminate the suspicious process identified by the machine learning model to halt any ongoing malicious activity.
  • Conduct a thorough review of the process's parent and child processes to identify any additional suspicious activities or related processes that may require termination.
  • Restore the system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise.
  • Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
  • Implement enhanced monitoring for similar masquerading attempts by adjusting alert thresholds or adding specific indicators of compromise (IOCs) related to the detected event.
  • Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected.

References

Related rules

to-top