Suspicious Windows Process Cluster Spawned by a User

A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
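The detection described above rests on a simple idea: a user who spawns several processes that each score only moderately under the supervised model can still stand out once those scores are summed per user over a short window. The following is an added illustration of that "high sum by user" logic, not Elastic's ProblemChild code or the real `problem_child_high_sum_by_user` job. It assumes the event field names `user.name`, `process.name` and `problemchild.prediction_probability`, uses constructed sample events, and stands in for the unsupervised anomaly job with a median/MAD robust z-score (the rule's `anomaly_threshold = 75` refers to the ML job's own 0-100 anomaly score, which this simplification does not reproduce).

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BUCKET = timedelta(minutes=15)  # mirrors the rule's interval = "15m"
EPOCH = datetime(1970, 1, 1)

# Constructed sample events (not real telemetry) in the shape the ProblemChild
# pipeline is assumed to emit: user.name, process.name and the supervised
# model's problemchild.prediction_probability (0..1). Alice and Bob produce a
# normal trickle of low-scored processes; "svc-build" spawns five moderately
# scored LOLbin-style processes inside one 15-minute window.
_RAW = [
    ("10:01", "alice", "outlook.exe", 0.02),
    ("10:03", "alice", "excel.exe", 0.04),
    ("10:20", "alice", "chrome.exe", 0.01),
    ("10:35", "alice", "teams.exe", 0.03),
    ("10:50", "alice", "winword.exe", 0.05),
    ("10:02", "bob", "code.exe", 0.03),
    ("10:17", "bob", "git.exe", 0.06),
    ("10:33", "bob", "python.exe", 0.08),
    ("10:48", "bob", "powershell.exe", 0.12),
    ("11:02", "bob", "node.exe", 0.04),
    ("10:31", "svc-build", "certutil.exe", 0.55),
    ("10:32", "svc-build", "rundll32.exe", 0.62),
    ("10:33", "svc-build", "regsvr32.exe", 0.58),
    ("10:34", "svc-build", "mshta.exe", 0.66),
    ("10:35", "svc-build", "wscript.exe", 0.59),
]
EVENTS = [
    {"@timestamp": f"2023-10-16T{hhmm}:00Z", "user.name": user,
     "process.name": proc, "problemchild.prediction_probability": score}
    for hhmm, user, proc, score in _RAW
]


def bucket_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 15-minute bucket."""
    return EPOCH + ((ts - EPOCH) // BUCKET) * BUCKET


def sum_scores_by_user(events):
    """Sum per-process probabilities per (user, bucket); keep the process list."""
    sums, procs = defaultdict(float), defaultdict(list)
    for e in events:
        ts = datetime.strptime(e["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        key = (e["user.name"], bucket_start(ts))
        sums[key] += e["problemchild.prediction_probability"]
        procs[key].append(e["process.name"])
    return sums, procs


def robust_z(value, values):
    """Median/MAD z-score: the baseline is not dragged up by the outlier itself.

    Assumed stand-in for the unsupervised scoring of the real ML job.
    """
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad == 0:          # all buckets identical: no spread to measure against
        return 0.0
    return 0.6745 * (value - med) / mad


def flag_clusters(events, z_cutoff=3.5, min_sum=1.0):
    """Return (user, bucket) clusters whose summed score is unusually high.

    min_sum keeps a lone 0.1 process from being flagged on a very quiet host;
    z_cutoff = 3.5 is a common cutoff for robust z-scores.
    """
    sums, procs = sum_scores_by_user(events)
    baseline = list(sums.values())
    flagged = []
    for (user, start), total in sums.items():
        z = robust_z(total, baseline)
        if total >= min_sum and z >= z_cutoff:
            flagged.append({
                "user": user,
                "bucket": start.strftime("%Y-%m-%dT%H:%MZ"),
                "sum": round(total, 2),
                "z": round(z, 1),
                "processes": procs[(user, start)],
            })
    return flagged


if __name__ == "__main__":
    for hit in flag_clusters(EVENTS):
        print(f"{hit['user']} @ {hit['bucket']}: sum={hit['sum']} z={hit['z']} "
              f"processes={', '.join(hit['processes'])}")
```

Run stand-alone, the script reports only the `svc-build` bucket: none of its five processes would clear a per-process threshold of, say, 0.7, but their sum (3.0) dwarfs every other user's 15-minute total, which is exactly the pattern a conventional single-event search rule misses.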

Elastic rule

[metadata]
creation_date = "2023/10/16"
integration = ["problemchild"]
maturity = "production"
min_stack_comments = "LotL package job ID and rule removal updates"
min_stack_version = "8.9.0"
updated_date = "2023/10/16"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be
unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
involving LOLbins, that may be resistant to detection using conventional search rules.
"""
from = "now-45m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "problem_child_high_sum_by_user"
name = "Suspicious Windows Process Cluster Spawned by a User"
note = """## Setup

The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
"""
references = [
    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
    "https://docs.elastic.co/en/integrations/problemchild",
    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
]
risk_score = 21
rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Living off the Land Attack Detection",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Tactic: Defense Evasion",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Setup

The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.

References

https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html
https://docs.elastic.co/en/integrations/problemchild
https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration