Suspicious Windows Process Cluster Spawned by a Parent Process

A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/10/16"
integration = ["problemchild", "endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to
be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
involving LOLbins, that may be resistant to detection using conventional search rules.
"""
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_parent"
name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/problemchild",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
]
risk_score = 21
rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
setup = """## Setup

The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.

### LotL Attack Detection Setup
The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.

#### Prerequisite Requirements:
- Fleet is required for LotL Attack Detection.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or [Winlogbeat](https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.

#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
- Go to the Kibana homepage. Under Management, click Integrations.
- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
- Follow the instructions under the **Installation** section.
- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Living off the Land Attack Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Defense Evasion",
    "Resources: Investigation Guide",
]
type = "machine_learning"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Windows Process Cluster Spawned by a Parent Process

In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading.

### Possible investigation steps

- Review the parent process name associated with the suspicious process cluster to identify if it is a known legitimate process or a potential masquerading attempt.
- Examine the command line arguments and execution context of the suspicious processes to identify any use of LOLBins or unusual patterns that could indicate malicious activity.
- Check the process creation timestamps and correlate them with any known events or user activities to determine if the process execution aligns with expected behavior.
- Investigate the network activity of the suspicious processes to identify any unusual outbound connections or data exfiltration attempts.
- Analyze the user account context under which the suspicious processes were executed to determine if there is any indication of compromised credentials or privilege escalation.
- Cross-reference the detected processes with threat intelligence sources to identify any known indicators of compromise or related threat actor activity.

### False positive analysis

- Legitimate administrative tools may trigger false positives if they frequently spawn processes that resemble malicious activity. Users can create exceptions for known safe tools by whitelisting their parent process names.
- Software updates or installations often generate clusters of processes that might be flagged as suspicious. Users should monitor these activities and exclude them if they are verified as legitimate.
- Automated scripts or batch jobs that run regularly and spawn multiple processes can be mistaken for malicious clusters. Identifying these scripts and excluding their parent processes can reduce false positives.
- Security software or monitoring tools that perform regular scans or updates might mimic malicious behavior. Users should ensure these tools are recognized and excluded from the rule's scope.
- Custom business applications that are not widely recognized might be flagged. Users should document and exclude these applications if they are confirmed to be safe and necessary for operations.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
- Terminate the suspicious processes identified by the alert to stop any malicious actions they may be performing.
- Conduct a thorough review of the parent process and its associated binaries to ensure they have not been tampered with or replaced by malicious versions.
- Restore any affected files or system components from a known good backup to ensure system integrity and functionality.
- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary, focusing on those related to LOLBins and masquerading techniques.
- Monitor the system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```

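The two-stage scoring the description and the rule above refer to, reduced to a runnable sketch. This is an added example, not Elastic's code or the problem_child_high_sum_by_parent job itself: a per-process malicious probability stands in for the supervised ProblemChild prediction, those probabilities are summed per parent process name over one window, and each sum is rated against a baseline of earlier windows and compared with the rule's anomaly_threshold of 75. The events, the baseline and the z-score scaling are all constructed stand-ins for the real telemetry and for Elastic's anomaly scoring.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed process events for one detection window (not real telemetry).
# "prob" stands in for the supervised model's per-process malicious probability.
EVENTS = [
    {"parent": "winword.exe",  "name": "cmd.exe",        "prob": 0.91},
    {"parent": "winword.exe",  "name": "powershell.exe", "prob": 0.97},
    {"parent": "winword.exe",  "name": "certutil.exe",   "prob": 0.88},
    {"parent": "winword.exe",  "name": "mshta.exe",      "prob": 0.93},
    {"parent": "explorer.exe", "name": "notepad.exe",    "prob": 0.02},
    {"parent": "explorer.exe", "name": "cmd.exe",        "prob": 0.40},
    {"parent": "svchost.exe",  "name": "rundll32.exe",   "prob": 0.55},
]

# Constructed baseline: per-parent sums seen in earlier windows.
BASELINE = {
    "winword.exe":  [0.0, 0.1, 0.0, 0.2, 0.1],
    "explorer.exe": [0.3, 0.5, 0.4, 0.6, 0.4],
    "svchost.exe":  [0.4, 0.7, 0.5, 0.6, 0.5],
}


def sum_by_parent(events, min_prob=0.5):
    """Keep processes the supervised stage calls malicious (prob >= min_prob)
    and sum their probabilities per parent process name."""
    sums = defaultdict(float)
    for e in events:
        if e["prob"] >= min_prob:
            sums[e["parent"]] += e["prob"]
    return dict(sums)


def anomaly_score(value, history):
    """Stand-in for the unsupervised stage: rate how unusual a sum is against
    the parent's own history, mapped onto the 0..100 range Elastic jobs use."""
    sd = pstdev(history) or 0.05          # floor so a flat history still scores
    z = (value - mean(history)) / sd
    return max(0.0, min(100.0, z * 10))


def flag_clusters(events, baseline, threshold=75):
    """Return {parent: score} for clusters at or above anomaly_threshold."""
    scored = {p: anomaly_score(s, baseline.get(p, [0.0]))
              for p, s in sum_by_parent(events).items()}
    return {p: round(sc, 1) for p, sc in scored.items() if sc >= threshold}


if __name__ == "__main__":
    print(flag_clusters(EVENTS, BASELINE))   # {'winword.exe': 100.0}
```

Only the winword.exe cluster is flagged: four high-probability children against a near-zero history, while the single moderate svchost.exe child stays within its normal range, which is the false-positive trade-off the guide below discusses.
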
Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Suspicious Windows Process Cluster Spawned by a Parent Process

In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading.

Possible investigation steps

  • Review the parent process name associated with the suspicious process cluster to identify if it is a known legitimate process or a potential masquerading attempt.
  • Examine the command line arguments and execution context of the suspicious processes to identify any use of LOLBins or unusual patterns that could indicate malicious activity.
  • Check the process creation timestamps and correlate them with any known events or user activities to determine if the process execution aligns with expected behavior.
  • Investigate the network activity of the suspicious processes to identify any unusual outbound connections or data exfiltration attempts.
  • Analyze the user account context under which the suspicious processes were executed to determine if there is any indication of compromised credentials or privilege escalation.
  • Cross-reference the detected processes with threat intelligence sources to identify any known indicators of compromise or related threat actor activity.

False positive analysis

  • Legitimate administrative tools may trigger false positives if they frequently spawn processes that resemble malicious activity. Users can create exceptions for known safe tools by whitelisting their parent process names.
  • Software updates or installations often generate clusters of processes that might be flagged as suspicious. Users should monitor these activities and exclude them if they are verified as legitimate.
  • Automated scripts or batch jobs that run regularly and spawn multiple processes can be mistaken for malicious clusters. Identifying these scripts and excluding their parent processes can reduce false positives.
  • Security software or monitoring tools that perform regular scans or updates might mimic malicious behavior. Users should ensure these tools are recognized and excluded from the rule's scope.
  • Custom business applications that are not widely recognized might be flagged. Users should document and exclude these applications if they are confirmed to be safe and necessary for operations.

Response and remediation

  • Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
  • Terminate the suspicious processes identified by the alert to stop any malicious actions they may be performing.
  • Conduct a thorough review of the parent process and its associated binaries to ensure they have not been tampered with or replaced by malicious versions.
  • Restore any affected files or system components from a known good backup to ensure system integrity and functionality.
  • Update and patch the system to close any vulnerabilities that may have been exploited by the adversary, focusing on those related to LOLBins and masquerading techniques.
  • Monitor the system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms.
  • Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
