User Detected with Suspicious Windows Process(es)

hello@craftedsignal.io — Fri, 15 May 2026 18:08:39 +0000

A machine learning job combination has flagged users with suspicious Windows processes exhibiting unusually high malicious probability scores. This detection leverages the ProblemChild supervised ML model to identify processes classified as malicious in several ways. Anomalies containing clusters of suspicious processes, each with the same username, have an aggregate score calculated to be unusually high by an unsupervised ML model. Such clusters often contain suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules. The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.

Attack Chain

An attacker gains initial access to a Windows system.
The attacker uses a LOLBin (Living Off The Land Binary) such as PowerShell or WMI to execute malicious commands.
The LOLBin spawns one or more child processes, creating a cluster of processes associated with the same user.
A supervised machine learning model, ProblemChild, identifies these processes as having a high probability of being malicious.
An unsupervised machine learning model calculates an unusually high aggregate score for the event cluster.
The detection triggers based on the combination of supervised and unsupervised ML scores.
The attacker leverages the LOLBin for defense evasion, bypassing conventional search rule detections.
The attacker achieves their objective, such as lateral movement or data exfiltration.

Impact

A successful attack leveraging LOLbins can lead to significant system compromise, including data theft, system disruption, and lateral movement within the network. While this detection has low severity, it identifies potential malicious activity that may be resistant to traditional detection methods. False positives from legitimate administrative tools and software updates may occur.

Recommendation

Install and configure the Living off the Land (LotL) Attack Detection integration assets as outlined in the setup instructions.
Ensure Windows process events are being collected by integrations such as Elastic Defend or Winlogbeat as described in the setup instructions.
Review and tune the machine learning job identified by machine_learning_job_id: problem_child_high_sum_by_user_ea to minimize false positives, focusing on legitimate administrative tools like PowerShell and WMI.
Implement enhanced monitoring and detection rules to identify similar patterns of behavior, focusing on the specific tactics and techniques used in this incident.
Investigate alerts generated by this rule using the investigation guide to determine the scope of the incident and any potential compromise.

Host Detected with Suspicious Windows Process(es)

hello@craftedsignal.io — Fri, 15 May 2026 18:08:09 +0000

This detection identifies hosts with suspicious Windows processes exhibiting unusually high malicious probability scores, leveraging machine learning to detect potential masquerading tactics for defense evasion. The rule utilizes a combination of supervised and unsupervised ML models to flag unusual process clusters on a single host, possibly involving LOLbins. This approach aims to identify activity that may be resistant to detection using conventional search rules. The rule relies on the ‘problem_child_high_sum_by_host_ea’ machine learning job and requires a minimum Elastic Stack version of 9.4.0. The rule uses data ingested by the Elastic Defend or Winlogbeat integrations.

Attack Chain

Initial access is achieved through methods not specified in this source.
The attacker executes a legitimate Windows binary (LOLBin) such as cmd.exe, powershell.exe or certutil.exe.
The LOLBin is used to execute a malicious command or script.
The ProblemChild supervised ML model predicts that the process is malicious based on its behavior.
An unsupervised ML model analyzes the aggregate score of the process cluster, identifying it as unusually high.
The detection rule triggers, flagging the host as having suspicious processes.
The analyst reviews the alert and investigates the flagged processes.
The attacker continues their actions on the compromised host, potentially leading to data exfiltration or other malicious activities.

Impact

A successful attack using LOLBins and masquerading techniques can allow an attacker to evade traditional detection methods and gain unauthorized access to sensitive systems and data. This can lead to data breaches, financial loss, and reputational damage. While the number of victims is unknown, the sectors targeted include any organization utilizing Windows systems.

Recommendation

Ensure the Living off the Land (LotL) Attack Detection integration assets are installed, along with Windows process events collected by Elastic Defend or Winlogbeat, as required by the setup instructions.
Review the host name associated with the suspicious process cluster as described in the investigation guide.
Examine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins as described in the investigation guide.
Implement application whitelisting to prevent unauthorized or suspicious processes from executing, as mentioned in the response and remediation steps.

Use Case: Living Off the Land Attack Detection — CraftedSignal Threat Feed

User Detected with Suspicious Windows Process(es)

Attack Chain

Impact

Recommendation

Host Detected with Suspicious Windows Process(es)

Attack Chain

Impact

Recommendation