Winlogbeat

A machine learning job combination has identified a user with one or more suspicious Windows processes exhibiting unusually high malicious probability scores, potentially involving LOLbins for defense evasion.

A machine learning job has identified a parent process spawning one or more suspicious Windows processes exhibiting unusually high malicious probability scores, indicating potential defense evasion tactics like masquerading and LOLBins usage.

A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, indicating potential masquerading tactics for defense evasion.

A machine learning job has detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be suspicious given its user context by an unsupervised ML model, indicating potential defense evasion activity involving LOLbins.

This rule detects unusual process spawned by a parent process, potentially indicating malicious activity involving LOLbins by leveraging machine learning to identify anomalous process creation patterns that evade conventional search rules.

A machine learning job detects unusual Windows processes, potentially Living off the Land binaries, on hosts not commonly associated with malicious activity, indicating possible defense evasion attempts.

Adversaries can leverage Windows Management Instrumentation (WMI) to establish persistence by creating event subscriptions that trigger malicious code execution when specific events occur, using tools like wmic.exe to create event consumers.