medium advisory

Suspicious Windows Process Cluster from Parent Process via Machine Learning

A machine learning model detected a parent process spawning a cluster of suspicious Windows processes with high malicious probability scores, potentially indicating LOLBin usage and defense evasion.

This alert leverages Elastic’s ProblemChild integration to detect potential Living off the Land (LotL) attacks on Windows systems. The rule combines supervised and unsupervised machine learning models to identify parent processes that spawn clusters of suspicious child processes. The child processes are flagged as having unusually high malicious probability scores, suggesting the use of LOLBins or other defense evasion techniques. The detection groups processes that share the same parent process name and fires when the aggregated malicious score for that cluster is unusually high, as determined by an unsupervised machine learning model. The rule is active as of October 2023, with updates through April 2026, and requires Elastic Stack version 9.4.0 or later.

Attack Chain

  1. An attacker gains initial access to a Windows system through various means.
  2. The attacker leverages a legitimate, signed Windows binary (LOLBin) such as powershell.exe or cmd.exe.
  3. The LOLBin is used to execute malicious code or commands.
  4. The LOLBin spawns one or more child processes that perform malicious actions like reconnaissance or lateral movement.
  5. The ProblemChild supervised ML model flags the child processes as having a high malicious probability score.
  6. The unsupervised ML model calculates an unusually high aggregate score for the cluster of child processes originating from the same parent process.
  7. The detection rule triggers, identifying the suspicious parent-child process relationship.
  8. The attacker achieves their objective, such as data exfiltration or persistence.

Impact

A successful attack using LOLBins can allow adversaries to bypass traditional signature-based detections and operate undetected within a network. Because the malicious activity masquerades as legitimate system processes, security teams find it difficult to identify and respond to the threat effectively. The impact can range from data theft and system compromise to ransomware deployment, depending on the attacker’s objectives. The machine learning detection helps analysts prioritize alerts that might otherwise be missed.

Recommendation

  • Ensure the Living off the Land (LotL) Attack Detection integration assets are installed within Elastic Security, as described in the “Setup” section of this brief.
  • Investigate any alerts generated by the “Parent Process Detected with Suspicious Windows Process(es)” rule, focusing on the parent process name and the command-line arguments of the suspicious child processes (reference: Investigation Guide in the rule’s note field).
  • Tune the anomaly_threshold value (currently 75) in the rule configuration based on your environment’s baseline activity to reduce false positives.
  • Whitelisting parent process names can mitigate false positives generated by legitimate administrative tools (reference: False positive analysis in the rule’s note field).
  • Enable Windows process creation logging via Elastic Defend or Winlogbeat to ensure the rule has the necessary data to function (reference: Setup section).
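As an added illustration of the grouping-and-threshold logic this brief describes (example code, not the ProblemChild integration’s own), the Python below groups per-child malicious probabilities by parent process name, scores each cluster, compares the result against a threshold modelled on the rule’s anomaly_threshold of 75, and skips allowlisted parents as the false-positive guidance suggests. The event field names, the per-child cutoff, the minimum cluster size and the aggregation formula are all assumptions made for the example; the real unsupervised job scores clusters differently.

```python
from collections import defaultdict

# Constructed sample events: one simplified ProblemChild-style prediction per
# process-creation event. "parent", "child" and "prob" are stand-in field
# names chosen for this example, not the integration's actual ECS fields.
EVENTS = [
    {"parent": "powershell.exe", "child": "certutil.exe", "prob": 0.94},
    {"parent": "powershell.exe", "child": "rundll32.exe", "prob": 0.88},
    {"parent": "powershell.exe", "child": "mshta.exe",    "prob": 0.91},
    {"parent": "explorer.exe",   "child": "notepad.exe",  "prob": 0.03},
    {"parent": "explorer.exe",   "child": "chrome.exe",   "prob": 0.05},
    {"parent": "sccm_agent.exe", "child": "wmic.exe",     "prob": 0.82},  # admin tooling
    {"parent": "sccm_agent.exe", "child": "regsvr32.exe", "prob": 0.79},
]

CHILD_MALICIOUS_CUTOFF = 0.5  # assumed decision point for a "suspicious" child
MIN_CLUSTER_SIZE = 2          # assumed: a single flagged child is not a cluster
ANOMALY_THRESHOLD = 75        # modelled on the rule's anomaly_threshold (0-100)


def cluster_score(probs):
    """Stand-in aggregate (0-100) for one parent's cluster of flagged children."""
    flagged = [p for p in probs if p >= CHILD_MALICIOUS_CUTOFF]
    if len(flagged) < MIN_CLUSTER_SIZE:
        return 0.0
    # Probability that at least one flagged child is malicious, treating the
    # children's scores as independent. This is a simplified proxy, not the
    # unsupervised job's own scoring.
    p_none = 1.0
    for p in flagged:
        p_none *= 1.0 - p
    return round(100.0 * (1.0 - p_none), 1)


def evaluate(events, threshold=ANOMALY_THRESHOLD, allowlist=frozenset()):
    """Group by parent process name; return {parent: score} for clusters that
    reach the threshold, skipping allowlisted parents (lower-case names)."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev["parent"].lower()].append(ev["prob"])
    alerts = {}
    for parent, probs in by_parent.items():
        if parent in allowlist:
            continue  # tuned out as a known administrative tool
        score = cluster_score(probs)
        if score >= threshold:
            alerts[parent] = score
    return alerts


if __name__ == "__main__":
    print(evaluate(EVENTS))
    print(evaluate(EVENTS, allowlist={"sccm_agent.exe"}))
```

Raising the threshold or extending the allowlist shrinks the alert set, which is the trade-off the tuning recommendations above describe.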

Detection coverage (2 rules)

Suspicious Windows Process Spawning from Common System Process

Severity: medium

Detects instances where a known system process spawns a suspicious Windows process with a high malicious probability, potentially indicating LOLBins usage.

Format: sigma. Tactics: defense_evasion. Techniques: T1036, T1218. Sources: process_creation, windows.

Suspicious Process Cluster Detection via Parent-Child Relationship

Severity: low

Detects clusters of suspicious processes originating from the same parent process, leveraging process creation events.

Format: sigma. Tactics: defense_evasion. Techniques: T1036, T1218. Sources: process_creation, windows.
