
Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score

Elastic Detection Rules

Summary
This rule uses ProblemChild, a supervised machine learning model, to detect suspicious Windows process events that the model has flagged but with a low malicious probability score. It evaluates process events from sources such as Elastic Defend and Winlogbeat. An event matches when either of two conditions holds: ProblemChild predicts that the process is malicious (prediction == 1) with a prediction probability of 0.98 or lower, or the event carries a blocklist label indicating known malicious activity. Because the threshold is an upper bound, predictions scored above 0.98 do not match this rule. To reduce false positives, the rule excludes process events whose command-line arguments reference Nessus scan result files.

The triage guidance directs the investigator to examine the flagged process, review its command-line parameters for anomalies, and correlate the event with surrounding system activity to look for patterns of defense evasion. For false-positive handling, legitimate applications that resemble malicious behavior should be documented and whitelisted, and exclusion rules should be updated regularly to reflect the current environment. The response section lists remediation steps: isolate the affected system, terminate the malicious process, and analyze system logs further to identify broader attack patterns.
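The matching logic described above, as an added Python example that is not part of the Elastic rule or of this page: it applies the two conditions (ML prediction == 1 with probability at or below 0.98, or a blocklist label) and then drops events whose arguments match Nessus scan-result paths. The event field names (problemchild.prediction, problemchild.prediction_probability, blocklist_label, process.args), the Nessus path patterns and the sample events are all constructed for this example; the rule's real query and exact exclusion list are not reproduced on this page.

```python
import fnmatch

# Nessus scan-artifact patterns (constructed for this example; the real rule's
# exclusion list is not shown on the page). Matched as case-insensitive globs.
NESSUS_ARG_PATTERNS = (
    r"*C:\WINDOWS\temp\nessus_*.txt*",
    r"*C:\WINDOWS\temp\nessus_*.tmp*",
)

LOW_SCORE_THRESHOLD = 0.98  # inclusive upper bound from the rule description


def is_nessus_artifact(args):
    """True if any process argument matches a Nessus temp-file pattern."""
    return any(
        fnmatch.fnmatchcase(arg.lower(), pat.lower())
        for arg in args
        for pat in NESSUS_ARG_PATTERNS
    )


def matches_rule(event, threshold=LOW_SCORE_THRESHOLD):
    """Apply the rule's logic to one flattened process event (assumed field names).

    Fires when ProblemChild predicts malicious (prediction == 1) with a
    prediction probability at or below the threshold, OR the event carries a
    blocklist label; the Nessus exclusion is applied after both conditions.
    """
    if event.get("event.category") != "process":
        return False
    pc = event.get("problemchild", {})
    prob = pc.get("prediction_probability")
    low_score_hit = pc.get("prediction") == 1 and prob is not None and prob <= threshold
    blocklisted = event.get("blocklist_label") == 1
    if not (low_score_hit or blocklisted):
        return False
    return not is_nessus_artifact(event.get("process.args", []))


def run_rule(events):
    """Return the indexes of events that would produce an alert."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (assumed field layout; not real telemetry).
SAMPLE_EVENTS = [
    {   # low-confidence ML hit on a binary masquerading as svchost -> alert
        "event.category": "process",
        "process.name": "svchost.exe",
        "process.args": [r"C:\Users\Public\svchost.exe", "-k", "netsvcs"],
        "problemchild": {"prediction": 1, "prediction_probability": 0.63},
        "blocklist_label": 0,
    },
    {   # high-confidence ML hit: above 0.98, so outside this rule's scope
        "event.category": "process",
        "process.name": "powershell.exe",
        "process.args": ["powershell.exe", "-NoProfile", "-EncodedCommand", "<base64>"],
        "problemchild": {"prediction": 1, "prediction_probability": 0.995},
        "blocklist_label": 0,
    },
    {   # model says benign, but the blocklist label fires regardless of score
        "event.category": "process",
        "process.name": "tool.exe",
        "process.args": [r"C:\Temp\tool.exe"],
        "problemchild": {"prediction": 0, "prediction_probability": 0.12},
        "blocklist_label": 1,
    },
    {   # low-confidence hit whose argument is a Nessus result file -> suppressed
        "event.category": "process",
        "process.name": "cmd.exe",
        "process.args": ["cmd.exe", "/c", r"type C:\WINDOWS\temp\nessus_1a2b3c.txt"],
        "problemchild": {"prediction": 1, "prediction_probability": 0.71},
        "blocklist_label": 0,
    },
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event[{i}] {ev['process.name']} args={ev['process.args']}")
```

Two points worth noting when tuning a rule shaped like this: the 0.98 threshold is inclusive, so an event scored exactly 0.98 still alerts, and the Nessus exclusion is evaluated after both conditions, so it also suppresses a blocklist hit whose arguments happen to match the pattern. Exclusions should therefore be kept as narrow as the environment allows.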
Categories
  • Windows
  • Endpoint
  • Application
  • Identity Management
Data Sources
  • Process
  • Logon Session
  • User Account
  • Network Traffic
ATT&CK Techniques
  • T1036 (Masquerading)
  • T1036.004 (Masquerade Task or Service)
Created: 2023-10-16