Unusual Process For a Windows Host via Machine Learning
This rule detects rare processes running on Windows hosts, potentially indicating unauthorized services, malware, or persistence mechanisms by using machine learning to identify processes that run infrequently compared to other processes on the same host.
This detection rule leverages machine learning to identify processes that are rarely executed on individual Windows hosts. The goal is to detect the execution of unauthorized services, malware, or persistence mechanisms. The rule focuses on processes that run occasionally compared to the baseline of other processes on the same host. This approach can help uncover suspicious behaviors that might be missed by traditional signature-based detections. It utilizes the 'v3_rare_process_by_host_windows' machine learning job and requires either Elastic Defend or Windows integration for data collection. The rule was last updated on 2026/02/27, indicating ongoing maintenance and relevance.
Attack Chain
- Initial Access (Likely): An attacker gains initial access to a Windows host through various methods such as phishing, exploitation of vulnerabilities, or stolen credentials (not directly covered in the source but a common precursor).
- Persistence: The attacker attempts to establish persistence by installing a malicious service or scheduling a task to run a payload. This ensures continued access even after a reboot.
- Execution: The malicious service or scheduled task executes a rare or unusual process on the host. This could involve running a custom malware executable or leveraging a built-in Windows tool in an unexpected way.
- Defense Evasion: The attacker may attempt to evade detection by renaming the malicious executable or placing it in a seemingly legitimate directory.
- Discovery: The attacker may use the compromised host to gather information about the network, other systems, and user accounts.
- Lateral Movement: Using the gathered information, the attacker attempts to move laterally to other systems on the network.
- Command and Control: The rare process may establish a connection to a command and control (C2) server to receive instructions from the attacker.
- Impact: The attacker achieves their objectives, such as data exfiltration, ransomware deployment, or system disruption.
Impact
Successful exploitation can lead to unauthorized access to sensitive data, system compromise, and potential disruption of business operations. The severity depends on the specific actions taken by the attacker after gaining a foothold on the system, ranging from data theft to complete system takeover. The number of victims and sectors targeted will vary depending on the attacker's objectives and the scope of the compromised environment.
Recommendation
- Enable either Elastic Defend or Windows integration to ensure proper data collection for the machine learning job (
machine_learning_job_id). - Review and tune the
false_positiveslist with user and command line conditions relevant to your environment. - Investigate the process execution chain of detected rare processes to identify the root cause of the unusual activity (reference the "Triage and analysis" section in the content).
- Use Osquery to examine the DNS cache, host services, and unsigned executables (
transform.osquery) to understand the context surrounding the rare process execution. - Implement response actions like isolating affected hosts and blocking indicators of compromise as described in the "Response and Remediation" section.
Detection coverage 2
Detecting Rare Process Execution on Windows Host
mediumDetects rare process executions on Windows hosts using process creation logs, which may indicate malware or unauthorized activity.
Detecting Unusual Service Creation
highDetects unusual service creation by monitoring registry modifications.
Detection queries are available on the platform. Get full rules →