Threat Feed
low advisory

Unusual Process Spawned by a Host via Machine Learning

A machine learning job detects unusual Windows processes, potentially Living off the Land binaries, on hosts not commonly associated with malicious activity, indicating possible defense evasion attempts.

This detection rule uses a machine learning job named problem_child_rare_process_by_host_ea to identify suspicious Windows processes. It leverages the ProblemChild supervised ML model to identify processes that are both statistically unusual and potentially malicious, specifically those that may be Living off the Land binaries (LOLbins). The rule is designed to detect stealthy attacks that bypass traditional methods by focusing on processes spawned on hosts that do not commonly manifest malicious activity. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed and Windows process events collected by integrations such as Elastic Defend or Winlogbeat. The ML job considers process name, path, and command-line arguments in its analysis.
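The following is an added illustration of the kind of per-host baseline-and-score logic described above; it is not Elastic's ProblemChild model, the problem_child_rare_process_by_host_ea job, or any code from the integration. It builds counts from a training window of process-creation events, then scores new events on three of the features the job is said to consider (how rare the process is on that host, how rare its parent is for that process, and how rare its command-line switches are), applies a small uplift for the LOLbins the advisory names, and suppresses (process, parent) pairs that a false-positive review has marked as known-good. All events, field names (host, name, parent, cmd), weights and the 0.6 threshold are constructed assumptions for the example.

```python
"""Per-host process-rarity scoring over Windows process-creation events.

Added example, not Elastic's ProblemChild model or the
problem_child_rare_process_by_host_ea job.  Events are constructed and the
field names (host, name, parent, cmd) are an assumption, not an ECS or Sigma
schema.
"""
from collections import Counter, defaultdict

# Binaries the advisory names as LOLbin candidates; a rare use of one of
# these is pushed slightly higher than a rare use of an arbitrary binary.
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe"}

# Feature weights and uplift (assumed values; tune to your own baseline).
W_HOST, W_PARENT, W_ARGS = 0.4, 0.35, 0.25
LOLBIN_UPLIFT = 0.1


def arg_tokens(cmd):
    """Switch-like tokens ('-File', '/i', '--profile-directory=x') from a
    command line, lowercased, with any '=value' part stripped."""
    return {t.split("=", 1)[0].lower() for t in cmd.split()[1:] if t[:1] in "-/"}


def rarity(count):
    """1.0 for something never seen in the baseline, 1/(1+n) after n sightings."""
    return 1.0 / (1.0 + count)


class HostBaseline:
    """Counts learned from a training window of process-creation events."""

    def __init__(self, events):
        self.host_proc = defaultdict(Counter)    # host -> {process name: n}
        self.proc_parent = defaultdict(Counter)  # process -> {parent name: n}
        self.proc_args = defaultdict(Counter)    # process -> {arg switch: n}
        self.proc_total = Counter()              # process -> n across all hosts
        for e in events:
            name = e["name"].lower()
            self.host_proc[e["host"]][name] += 1
            self.proc_parent[name][e["parent"].lower()] += 1
            self.proc_total[name] += 1
            for tok in arg_tokens(e["cmd"]):
                self.proc_args[name][tok] += 1

    def score(self, e):
        """Combine host, parent and argument rarity into one 0..1 score."""
        name, parent = e["name"].lower(), e["parent"].lower()
        host_r = rarity(self.host_proc[e["host"]][name])
        parent_r = rarity(self.proc_parent[name][parent])
        toks = arg_tokens(e["cmd"])
        if toks:
            arg_r = sum(rarity(self.proc_args[name][t]) for t in toks) / len(toks)
        else:
            # No switches to judge: fall back to how familiar the binary is at all.
            arg_r = rarity(self.proc_total[name])
        score = W_HOST * host_r + W_PARENT * parent_r + W_ARGS * arg_r
        if name in LOLBINS:
            score = min(1.0, score + LOLBIN_UPLIFT)
        return {"host_rarity": host_r, "parent_rarity": parent_r,
                "arg_rarity": arg_r, "score": round(score, 4)}


def evaluate(baseline, events, threshold=0.6, exceptions=frozenset()):
    """Score events, drop known-good (process, parent) pairs, and return the
    alerts sorted so the highest anomaly score is investigated first."""
    alerts = []
    for e in events:
        if (e["name"].lower(), e["parent"].lower()) in exceptions:
            continue
        s = baseline.score(e)
        if s["score"] >= threshold:
            alerts.append({"host": e["host"], "name": e["name"],
                           "parent": e["parent"], **s})
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


# Constructed training window: routine activity on a workstation and a server.
BASELINE_EVENTS = (
    [{"host": "ws-01", "name": "explorer.exe", "parent": "userinit.exe",
      "cmd": "explorer.exe"}] * 20
    + [{"host": "ws-01", "name": "chrome.exe", "parent": "explorer.exe",
        "cmd": "chrome.exe --profile-directory=Default"}] * 15
    + [{"host": "ws-01", "name": "cmd.exe", "parent": "explorer.exe",
        "cmd": "cmd.exe"}] * 3
    + [{"host": "srv-01", "name": "powershell.exe", "parent": "services.exe",
        "cmd": "powershell.exe -File C:\\ops\\backup.ps1"}] * 30
    + [{"host": "srv-01", "name": "sqlservr.exe", "parent": "services.exe",
        "cmd": "sqlservr.exe -sMSSQLSERVER"}] * 10
)

# Constructed events to score: two routine, two suspicious, one legitimate-but-rare.
NEW_EVENTS = [
    {"host": "ws-01", "name": "chrome.exe", "parent": "explorer.exe",
     "cmd": "chrome.exe --profile-directory=Default"},
    {"host": "ws-01", "name": "cmd.exe", "parent": "explorer.exe", "cmd": "cmd.exe"},
    {"host": "srv-01", "name": "powershell.exe", "parent": "wmiprvse.exe",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand AAAA"},
    {"host": "ws-01", "name": "mshta.exe", "parent": "winword.exe",
     "cmd": "mshta.exe C:\\Users\\Public\\update.hta"},
    {"host": "ws-01", "name": "msiexec.exe", "parent": "explorer.exe",
     "cmd": "msiexec.exe /i C:\\Users\\Public\\tool.msi"},
]
# Exception recorded after a false-positive review (constructed).
KNOWN_GOOD = frozenset({("msiexec.exe", "explorer.exe")})

if __name__ == "__main__":
    base = HostBaseline(BASELINE_EVENTS)
    for a in evaluate(base, NEW_EVENTS, exceptions=KNOWN_GOOD):
        print(f'{a["score"]:.2f} {a["host"]} {a["parent"]} -> {a["name"]}')
```

Note what the separate features buy you: powershell.exe is the most common process on srv-01, so process name alone would never flag it, but an unseen parent (wmiprvse.exe) and unseen switches (-nop, -w, -EncodedCommand) still push it over the threshold, while cmd.exe launched from explorer.exe on ws-01, which the baseline has seen before, stays well below it.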

Attack Chain

  1. Initial Access: An attacker gains initial access to a Windows host through various means, such as phishing or exploiting a vulnerability.
  2. Execution: The attacker executes a LOLbin, such as cmd.exe, powershell.exe, or mshta.exe, to perform malicious actions.
  3. Defense Evasion: The attacker uses the LOLbin to evade traditional signature-based detection methods, as these binaries are typically trusted system tools.
  4. Persistence: The attacker may use the LOLbin to establish persistence on the system, such as creating a scheduled task or modifying registry keys.
  5. Privilege Escalation: The attacker leverages the LOLbin to escalate privileges, potentially gaining SYSTEM-level access.
  6. Credential Access: The attacker uses the LOLbin to access sensitive credentials stored on the system, such as through dumping LSASS memory.
  7. Lateral Movement: The attacker uses the LOLbin to move laterally to other systems on the network, potentially compromising additional assets.
  8. Impact: The attacker achieves their objectives, such as data exfiltration, system disruption, or ransomware deployment.

Impact

A successful attack using LOLbins can lead to significant damage, including data theft, system compromise, and financial loss. While this rule is rated as low severity, the techniques it detects can be early steps in more severe attack chains, and catching them at that stage can prevent a larger compromise. Because LOLbins are legitimate, signed system tools that administrators also use, their abuse is hard to separate from routine activity and hard to attribute, which complicates incident response.

Recommendation

  • Enable the Living off the Land (LotL) Attack Detection integration, including the preconfigured anomaly detection jobs, as required by the rule setup instructions.
  • Deploy the provided Sigma rule Detect Rare Process Execution to your SIEM and tune the thresholds based on your environment’s baseline activity.
  • Investigate any alerts generated by the machine learning job problem_child_rare_process_by_host_ea, prioritizing those with higher anomaly scores.
  • Correlate process activity with user logins and network connections to identify suspicious user behavior as described in the investigation guide.
  • Review the false positive analysis steps to identify potential legitimate processes that may trigger the rule and create exceptions as necessary.

Detection coverage (2 rules)

Detect Rare Process Execution

low

Detects the execution of rare processes based on command-line arguments, parent process, and other characteristics.

Format: sigma | Tactics: defense_evasion | Techniques: T1218 | Sources: process_creation, windows

Detect Suspicious Process with Uncommon Parent

medium

Detects processes launched by unusual parent processes, indicating potential LOLbin exploitation.

Format: sigma | Tactics: defense_evasion | Techniques: T1218 | Sources: process_creation, windows
