{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/use-case-living-off-the-land-attack-detection/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend","Winlogbeat","Windows Management Instrumentation (WMI)","PowerShell"],"_cs_severities":["low"],"_cs_tags":["Domain: Endpoint","OS: Windows","Use Case: Living off the Land Attack Detection","Rule Type: ML","Rule Type: Machine Learning","Tactic: Defense Evasion","Resources: Investigation Guide","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft"],"content_html":"\u003cp\u003eA machine learning job combination has flagged users with suspicious Windows processes exhibiting unusually high malicious probability scores. This detection leverages the ProblemChild supervised ML model to identify processes classified as malicious in several ways. Anomalies containing clusters of suspicious processes, each with the same username, have an aggregate score calculated to be unusually high by an unsupervised ML model. Such clusters often contain suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a LOLBin (Living Off The Land Binary) such as PowerShell or WMI to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe LOLBin spawns one or more child processes, creating a cluster of processes associated with the same user.\u003c/li\u003e\n\u003cli\u003eA supervised machine learning model, ProblemChild, identifies these processes as having a high probability of being malicious.\u003c/li\u003e\n\u003cli\u003eAn unsupervised machine learning model calculates an unusually high aggregate score for the event cluster.\u003c/li\u003e\n\u003cli\u003eThe detection triggers based on the combination of supervised and unsupervised ML scores.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the LOLBin for defense evasion, bypassing conventional search rule detections.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging LOLbins can lead to significant system compromise, including data theft, system disruption, and lateral movement within the network. While this detection has low severity, it identifies potential malicious activity that may be resistant to traditional detection methods. 
False positives from legitimate administrative tools and software updates may occur.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInstall and configure the Living off the Land (LotL) Attack Detection integration assets as outlined in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eEnsure Windows process events are being collected by integrations such as Elastic Defend or Winlogbeat as described in the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview and tune the machine learning job identified by \u003ccode\u003emachine_learning_job_id: problem_child_high_sum_by_user_ea\u003c/code\u003e to minimize false positives, focusing on legitimate administrative tools like PowerShell and WMI.\u003c/li\u003e\n\u003cli\u003eImplement enhanced monitoring and detection rules to identify similar patterns of behavior, focusing on the specific tactics and techniques used in this incident.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by this rule using the \u003ca href=\"#note\"\u003einvestigation guide\u003c/a\u003e to determine the scope of the incident and any potential compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:08:39Z","date_published":"2026-05-15T18:08:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-windows-process/","summary":"A machine learning job combination has identified a user with one or more suspicious Windows processes exhibiting unusually high malicious probability scores, potentially involving LOLbins for defense evasion.","title":"User Detected with Suspicious Windows Process(es)","url":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-windows-process/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Elastic Defend","Winlogbeat"],"_cs_severities":["low"],"_cs_tags":["Use Case: Living off the Land Attack Detection","Rule Type: ML","Rule Type: Machine Learning","Tactic: Defense Evasion","Resources: Investigation Guide","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies hosts with suspicious Windows processes exhibiting unusually high malicious probability scores, leveraging machine learning to detect potential masquerading tactics for defense evasion. The rule utilizes a combination of supervised and unsupervised ML models to flag unusual process clusters on a single host, possibly involving LOLbins. This approach aims to identify activity that may be resistant to detection using conventional search rules. The rule relies on the \u0026lsquo;problem_child_high_sum_by_host_ea\u0026rsquo; machine learning job and requires a minimum Elastic Stack version of 9.4.0. The rule uses data ingested by the Elastic Defend or Winlogbeat integrations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through methods not specified in this source.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a legitimate Windows binary (LOLBin) such as cmd.exe, powershell.exe or certutil.exe.\u003c/li\u003e\n\u003cli\u003eThe LOLBin is used to execute a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe ProblemChild supervised ML model predicts that the process is malicious based on its behavior.\u003c/li\u003e\n\u003cli\u003eAn unsupervised ML model analyzes the aggregate score of the process cluster, identifying it as unusually high.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, flagging the host as having suspicious processes.\u003c/li\u003e\n\u003cli\u003eThe analyst reviews the alert and investigates the flagged processes.\u003c/li\u003e\n\u003cli\u003eThe attacker continues their actions on the compromised host, potentially leading to data exfiltration or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using LOLBins and masquerading techniques can allow an attacker to evade traditional detection methods and gain unauthorized access to sensitive systems and data. This can lead to data breaches, financial loss, and reputational damage. While the number of victims is unknown, the sectors targeted include any organization utilizing Windows systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration assets are installed, along with Windows process events collected by Elastic Defend or Winlogbeat, as required by the \u003ca href=\"#setup\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview the host name associated with the suspicious process cluster as described in the \u003ca href=\"#triage-and-analysis\"\u003einvestigation guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eExamine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins as described in the \u003ca href=\"#triage-and-analysis\"\u003einvestigation guide\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized or suspicious processes from executing, as mentioned in the \u003ca href=\"#response-and-remediation\"\u003eresponse and remediation steps\u003c/a\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T18:08:09Z","date_published":"2026-05-15T18:08:09Z","id":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-windows-processes/","summary":"A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit unusually high malicious probability scores, indicating potential masquerading tactics for defense evasion.","title":"Host Detected with Suspicious Windows Process(es)","url":"https://feed.craftedsignal.io/briefs/2026-05-suspicious-windows-processes/"}],"language":"en","title":"CraftedSignal Threat Feed — Use Case: Living Off the Land Attack Detection","version":"https://jsonfeed.org/version/1.1"}