{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-management-instrumentation-wmi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend","Winlogbeat","Windows Management Instrumentation (WMI)","PowerShell"],"_cs_severities":["low"],"_cs_tags":["Domain: Endpoint","OS: Windows","Use Case: Living off the Land Attack Detection","Rule Type: ML","Rule Type: Machine Learning","Tactic: Defense Evasion","Resources: Investigation Guide","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eA machine learning job combination has flagged users with suspicious Windows processes exhibiting unusually high malicious probability scores. This detection leverages the ProblemChild supervised ML model to identify processes classified as malicious in several ways. Anomalies containing clusters of suspicious processes, each with the same username, have an aggregate score calculated to be unusually high by an unsupervised ML model. Such clusters often contain suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a LOLBin (Living Off The Land Binary) such as PowerShell or WMI to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe LOLBin spawns one or more child processes, creating a cluster of processes associated with the same user.\u003c/li\u003e\n\u003cli\u003eA supervised machine learning model, ProblemChild, identifies these processes as having a high probability of being malicious.\u003c/li\u003e\n\u003cli\u003eAn unsupervised machine learning model calculates an unusually high aggregate score for the event cluster.\u003c/li\u003e\n\u003cli\u003eThe detection triggers based on the combination of supervised and unsupervised ML scores.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the LOLBin for defense evasion, bypassing conventional search rule detections.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging LOLbins can lead to significant system compromise, including data theft, system disruption, and lateral movement within the network. While this detection has low severity, it identifies potential malicious activity that may be resistant to traditional detection methods. False positives from legitimate administrative tools and software updates may occur.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall and configure the Living off the Land (LotL) Attack Detection integration assets as outlined in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure Windows process events are being collected by integrations such as Elastic Defend or Winlogbeat as described in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the machine learning job identified by \u003ccode\u003emachine_learning_job_id: problem_child_high_sum_by_user_ea\u003c/code\u003e to minimize false positives, focusing on legitimate administrative tools like PowerShell and WMI.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and detection rules to identify similar patterns of behavior, focusing on the specific tactics and techniques used in this incident.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this rule using the \u003ca href=\"#note\"\u003einvestigation guide\u003c/a\u003e to determine the scope of the incident and any potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:08:39Z","date_published":"2026-05-15T18:08:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-windows-process/","summary":"A machine learning job combination has identified a user with one or more suspicious Windows processes exhibiting unusually high malicious probability scores, potentially involving LOLbins for defense evasion.","title":"User Detected with Suspicious Windows Process(es)","url":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-windows-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Management Instrumentation (WMI)","version":"https://jsonfeed.org/version/1.1"}