{
"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.",
"feed_url":"https://feed.craftedsignal.io/tags/lolbins/",
"home_page_url":"https://feed.craftedsignal.io/",
"items":[
{
"_cs_actors":[],
"_cs_cves":[],
"_cs_exploited":false,
"_cs_products":[],
"_cs_severities":["low"],
"_cs_tags":["defense-evasion","lolbins","windows","machine-learning"],
"_cs_type":"advisory",
"_cs_vendors":[],
"content_html":"\u003cp\u003eThis alert originates from an Elastic machine learning job named \u003ccode\u003eproblem_child_rare_process_by_parent_ea\u003c/code\u003e designed to detect Living off the Land (LotL) attacks on Windows systems. The model identifies processes spawned by parent processes that are statistically rare and have a high probability of being malicious based on the \u0026ldquo;ProblemChild\u0026rdquo; supervised learning model. This approach aims to uncover malicious activities that utilize legitimate system binaries (LOLbins) for nefarious purposes, effectively bypassing traditional signature-based detections. The alert relies on Windows process events collected by Elastic Defend or Winlogbeat with the LotL Attack Detection integration. This detection method becomes particularly important as attackers increasingly rely on existing tools to blend in with normal system activity and avoid raising suspicion.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access via unspecified means (e.g., phishing, compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker leverages a legitimate system binary (LOLbin) such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLbin is used to execute a malicious payload or script.\u003c/li\u003e\n\u003cli\u003eThe malicious process is spawned as a child process of the LOLbin.\u003c/li\u003e\n\u003cli\u003eElastic\u0026rsquo;s machine learning model identifies the child process as rare and potentially malicious based on its parent-child relationship and other features.\u003c/li\u003e\n\u003cli\u003eThe rare process executes malicious commands, possibly downloading further payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack utilizing LOLbins can lead to significant compromise, including data theft, system disruption, and further propagation within the network. The reliance on trusted system binaries makes these attacks difficult to detect with traditional methods, potentially allowing attackers to operate undetected for extended periods. The impact is directly correlated to the privileges of the initially compromised account and the effectiveness of the lateral movement techniques employed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, as described in the rule\u0026rsquo;s \u003ccode\u003esetup\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eReview the parent and child process names identified in the alert to determine if they are legitimate applications or associated with LOLbins, as detailed in the investigation guide within the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eInvestigate the command-line arguments used by the suspicious process for potentially malicious commands or scripts, as described in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e setting in the machine learning job configuration based on your environment\u0026rsquo;s baseline activity to reduce false positives, as described in the rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement exceptions for legitimate administrative tools and software updates to reduce false positives, as mentioned in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e section.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-23T12:00:00Z",
"date_published":"2024-01-23T12:00:00Z",
"id":"/briefs/2024-01-unusual-process-spawn/",
"summary":"A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLbins usage and evading traditional detection.",
"title":"Unusual Process Spawned by a Parent Process via Machine Learning",
"url":"https://feed.craftedsignal.io/briefs/2024-01-unusual-process-spawn/"
},
{
"_cs_actors":[],
"_cs_cves":[],
"_cs_exploited":false,
"_cs_products":[],
"_cs_severities":["low"],
"_cs_tags":["defense-evasion","masquerading","LOLbins","windows"],
"_cs_type":"advisory",
"_cs_vendors":[],
"content_html":"\u003cp\u003eThis detection identifies suspicious Windows processes exhibiting high malicious probability scores. The rule leverages machine learning to detect clusters of processes that may be indicative of defense evasion tactics, such as masquerading or the use of LOLbins (Living Off The Land Binaries). Specifically, a supervised ML model (ProblemChild) predicts whether a process is malicious, and an unsupervised ML model assesses the aggregate score of process clusters on a single host. The rule focuses on identifying unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat. It was last updated on 2026/04/01 and requires Elastic Stack version 9.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the Windows host through various methods, such as exploiting vulnerabilities or using compromised credentials (not detailed in source).\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a LOLBin (e.g., PowerShell, cmd.exe, mshta.exe) on the compromised host.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker attempts to masquerade the malicious activity by naming or placing the LOLBin within a legitimate system folder.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker utilizes the LOLBin with specific command-line arguments designed to evade detection by traditional signature-based security solutions.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker may attempt to escalate privileges using further LOLBins or other techniques.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker may use the compromised host to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The attacker may establish command and control (C2) communication with an external server to receive further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to various negative impacts, including data breaches, financial loss, and reputational damage. The rule is assigned a low severity because it is likely a supplemental detection that complements other rules. Lateral movement and exfiltration can also be accomplished. There is no information available on the number of victims or the specific sectors targeted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, to collect Windows process events as outlined in the \u003ca href=\"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts, as suggested in the investigation guide.\u003c/li\u003e\n\u003cli\u003eExamine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading, per the investigation guide.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized or suspicious processes from executing in the future, as advised in the remediation steps.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold of the machine learning job (\u003ccode\u003eproblem_child_high_sum_by_host_ea\u003c/code\u003e) to reduce false positives based on your environment\u0026rsquo;s specific characteristics and activity patterns.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-03T18:00:00Z",
"date_published":"2024-01-03T18:00:00Z",
"id":"/briefs/2024-01-suspicious-windows-process/",
"summary":"A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.",
"title":"Suspicious Windows Process Cluster Detection via Machine Learning",
"url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-windows-process/"
},
{
"_cs_actors":[],
"_cs_cves":[],
"_cs_exploited":false,
"_cs_products":[],
"_cs_severities":["low"],
"_cs_tags":["endpoint","windows","defense evasion","machine learning","lolbins"],
"_cs_type":"advisory",
"_cs_vendors":[],
"content_html":"\u003cp\u003eA machine learning (ML) rule has identified unusual process execution on a Windows endpoint. This detection leverages two ML models from the Elastic ProblemChild integration: a supervised model that predicts malicious processes and an unsupervised model that identifies processes anomalous to the user\u0026rsquo;s typical behavior. The rule focuses on detecting defense evasion tactics, specifically the potential use of Living-off-the-Land Binaries (LOLbins) or masquerading techniques, which can be difficult to detect with traditional signature-based methods. This detection uses data from the Elastic Endpoint or Winlogbeat and requires the Living off the Land (LotL) Attack Detection integration assets to be installed. This rule was last updated April 1, 2026, and requires Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access through an existing user account.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes a standard Windows process (e.g., cmd.exe, powershell.exe).\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker leverages LOLbins to perform malicious actions, blending in with legitimate system activity.\u003c/li\u003e\n\u003cli\u003eMasquerading: The attacker renames or moves malicious tools to mimic legitimate system files.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation (Optional): The attacker attempts to escalate privileges using the compromised process.\u003c/li\u003e\n\u003cli\u003eLateral Movement (Optional): The attacker uses the compromised process to move laterally to other systems.\u003c/li\u003e\n\u003cli\u003eCommand and Control (Optional): The process establishes a connection to a command and control server for further instructions.\u003c/li\u003e\n\u003cli\u003eImpact: The attacker achieves their objective, such as data exfiltration, system compromise, or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using these techniques can lead to a full system compromise, data theft, or the installation of persistent backdoors. The use of LOLbins makes detection difficult, potentially allowing attackers to operate undetected for extended periods. The impact is amplified by the potential for lateral movement to other systems within the network. While the severity is rated \u0026ldquo;low\u0026rdquo;, successful exploitation allows attackers to move laterally and establish persistence in the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as detailed in the rule setup (Elastic Defend or Winlogbeat).\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the \u0026ldquo;Unusual Process Spawned by a User\u0026rdquo; rule (rule_id: 40155ee4-1e6a-4e4d-a63b-e8ba16980cfb) to determine the legitimacy of the flagged process.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (anomaly_threshold: 75) based on your environment to reduce false positives, as mentioned in the rule parameters.\u003c/li\u003e\n\u003cli\u003eReview the \u0026ldquo;False positive analysis\u0026rdquo; section in the rule\u0026rsquo;s note for guidance on identifying and excluding legitimate processes.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect unusual command line arguments associated with LOLBins.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-03T10:00:00Z",
"date_published":"2024-01-03T10:00:00Z",
"id":"/briefs/2024-01-rare-process-user/",
"summary":"A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques like masquerading or the use of LOLbins.",
"title":"Unusual Process Spawned by a User Detected by Machine Learning",
"url":"https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/"
}
],
"language":"en",
"title":"CraftedSignal Threat Feed — LOLbins",
"version":"https://jsonfeed.org/version/1.1"
}