
Summary
This detection rule uses machine learning to identify potentially malicious Windows processes spawned in the context of unusual user behavior. Specifically, it combines supervised and unsupervised machine learning models to flag processes that deviate from established user norms, which may indicate that legitimate system binaries, commonly called Living Off the Land binaries (LOLBins), are being abused by adversaries to carry out malicious activity. The rule detects these anomalies on the basis of abnormal user context and behavior, and assigns detected activity a threshold score of 75 to represent its risk. It requires the Living off the Land Attack Detection assets to be installed, and Windows process events to be collected through an integration such as Elastic Defend or Winlogbeat. The rule matters because LOLBin abuse blends in with legitimate administrative activity: it alerts on suspicious behavior that signature-based detection methods are likely to miss.
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
- Network Traffic
ATT&CK Techniques
- T1036
Created: 2023-10-16