Advisory severity: low

Suspicious Windows Process Cluster Detected from Parent Process

A machine learning job has identified a parent process spawning one or more suspicious Windows processes with unusually high malicious-probability scores, indicating potential defense-evasion tactics such as masquerading and LOLBin usage.

A machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit unusually high malicious-probability scores. The processes were predicted to be malicious by the ProblemChild supervised ML model and, when clustered by parent, have an unusually high aggregate score according to an unsupervised ML model. This often indicates suspicious or malicious activity, possibly involving LOLBins, that may be resistant to detection by conventional search rules. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed and Windows process events to be collected by Elastic Defend or Winlogbeat.

Attack Chain

  1. An attacker gains initial access to a Windows system via an unknown method (e.g., phishing, exploiting a vulnerability).
  2. The attacker executes a legitimate Windows process (LOLBin) such as powershell.exe or cmd.exe.
  3. The LOLBin is used to execute a malicious payload or script.
  4. The malicious script spawns additional processes with the same parent process name, creating a process cluster.
  5. The ProblemChild ML model identifies these spawned processes as having high malicious probability scores.
  6. An unsupervised ML model detects the aggregate score of the process cluster as unusually high.
  7. The attacker leverages the spawned processes to perform malicious activities, such as data exfiltration or lateral movement.

Impact

Successful exploitation can lead to undetected malicious activity on a Windows endpoint. This may allow attackers to evade traditional signature-based detections and execute commands, download malware, or perform other malicious actions while blending in with legitimate system processes. The specific impact depends on the attacker’s objective but can include data theft, system compromise, or deployment of ransomware.

Recommendation

  • Ensure the Living off the Land (LotL) Attack Detection integration assets are installed and configured correctly, as detailed in the rule’s setup instructions.
  • Deploy the detection logic from this brief by enabling the associated machine learning job combination (problem_child_high_sum_by_parent_ea) within Elastic Security.
  • Investigate alerts generated by this rule by following the investigation steps outlined in the rule’s documentation. Pay close attention to the parent process name and the command-line arguments of the suspicious processes.
  • Tune the anomaly threshold (anomaly_threshold = 75) to reduce false positives in your specific environment. Consider whitelisting known safe tools by creating exceptions for their parent process names.
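The description above outlines a two-stage detection (per-process supervised scores, then an aggregate score per parent process) and the tuning advice suggests exceptions for known-safe parents. The following is an added illustration of that composition, not the Elastic ML job or the ProblemChild model: the per-process scores, host and process names, the aggregate cutoff and the exception list are all constructed stand-ins, and summing predicted-malicious children per parent is an assumed simplification of the job's aggregation.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One Windows process-creation event, already scored by a supervised model."""
    host: str
    parent_name: str
    process_name: str
    score: float  # stand-in for the ProblemChild malicious probability (0.0 - 1.0)


# Constructed sample events; scores and names are made up for illustration.
EVENTS = [
    ProcessEvent("ws01", "powershell.exe", "cmd.exe", 0.91),
    ProcessEvent("ws01", "powershell.exe", "powershell.exe", 0.88),
    ProcessEvent("ws01", "powershell.exe", "proc_c.exe", 0.86),
    ProcessEvent("ws01", "explorer.exe", "notepad.exe", 0.02),
    ProcessEvent("ws02", "cmd.exe", "whoami.exe", 0.62),
    ProcessEvent("ws02", "cmd.exe", "ipconfig.exe", 0.12),
    # "it_deploy_tool.exe" is a constructed placeholder for a known-safe admin tool.
    ProcessEvent("ws03", "it_deploy_tool.exe", "powershell.exe", 0.95),
    ProcessEvent("ws03", "it_deploy_tool.exe", "cmd.exe", 0.96),
    ProcessEvent("ws03", "it_deploy_tool.exe", "proc_z.exe", 0.90),
]

PREDICTED_MALICIOUS = 0.5      # assumed per-process cutoff for "predicted malicious"
CLUSTER_SUM_THRESHOLD = 2.0    # assumed cutoff on the per-parent aggregate; tune per environment
EXCEPTED_PARENTS = {"it_deploy_tool.exe"}  # analyst-created exceptions (lower-case names)


def cluster_scores(events):
    """Sum the scores of predicted-malicious children, keyed by (host, parent name)."""
    sums = defaultdict(float)
    for ev in events:
        if ev.score > PREDICTED_MALICIOUS:
            sums[(ev.host, ev.parent_name)] += ev.score
    return dict(sums)


def suspicious_parents(events, threshold=CLUSTER_SUM_THRESHOLD, excepted=EXCEPTED_PARENTS):
    """Return (host, parent) clusters whose aggregate meets the threshold, minus exceptions."""
    return sorted(
        key for key, total in cluster_scores(events).items()
        if total >= threshold and key[1].lower() not in excepted
    )


if __name__ == "__main__":
    for host, parent in suspicious_parents(EVENTS):
        print(f"{host}: suspicious process cluster under parent {parent}")
```

Lowering the aggregate cutoff or clearing the exception set shows how the same events produce more alerts, which is the trade-off the tuning recommendation refers to.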

Detection coverage (2 rules)

Detect Suspicious Process Cluster from LOLBin Parent

Severity: medium

Detects clusters of processes spawned by LOLBins (e.g., cmd.exe, powershell.exe) with unusual command-line arguments.

Format: Sigma | Tactics: defense_evasion | Techniques: T1036, T1218 | Sources: process_creation, windows

Detect Suspicious PowerShell Command Lines

Severity: medium

Detects suspicious PowerShell command lines with obfuscated commands.

Format: Sigma | Tactics: defense_evasion | Techniques: T1036, T1218 | Sources: process_creation, windows
