
Summary
This machine learning detection rule identifies potentially malicious Windows processes using anomaly detection techniques. It employs two models: the ProblemChild supervised ML model, which predicts malicious characteristics, and an unsupervised ML model that tags child process names that are unusually linked to their parent processes. Such behavior may indicate the use of Living Off the Land (LotL) binaries, legitimate tools that attackers use to carry out malicious activity without being caught by standard detection methods. The rule triggers an alert when these conditions are met, so that investigators can act before the threat propagates or causes damage. Using this rule requires the LotL Attack Detection integration, which relies on Windows process events collected through Elastic Defend or Winlogbeat. The rule's guidance emphasizes checking for known legitimate and rogue application behavior, analyzing command line arguments, and examining network traffic associated with suspicious processes. Investigators should remain alert to false positives from routine administrative actions and have a clear response plan for threats the rule detects.
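To make the two-signal logic concrete, the following added example (not the Elastic rule's or the ProblemChild integration's code) replaces the unsupervised model with a crude conditional-frequency test over constructed process events, and assumes the supervised verdict arrives as a per-event boolean; the event tuple layout, thresholds and sample process names are all assumptions.

```python
from collections import Counter

# Constructed sample events: (parent name, child name, supervised verdict).
# The verdict stands in for the ProblemChild prediction; its representation
# here is an assumption, not the integration's schema.
EVENTS = [
    *[("explorer.exe", "chrome.exe", False)] * 5,
    ("explorer.exe", "chrome.exe", True),     # supervised false positive
    *[("explorer.exe", "notepad.exe", False)] * 3,
    ("explorer.exe", "cmd.exe", False),       # rare pair but not flagged
    *[("winword.exe", "splwow64.exe", False)] * 5,
    ("winword.exe", "certutil.exe", True),    # rare pair and flagged
    ("svchost.exe", "wmiprvse.exe", True),    # too little parent history
    ("svchost.exe", "conhost.exe", False),
]


def pair_ratios(events):
    """Estimate P(child | parent) for every parent/child pair seen."""
    parent_totals = Counter(parent for parent, _, _ in events)
    pair_counts = Counter((parent, child) for parent, child, _ in events)
    return {pair: n / parent_totals[pair[0]] for pair, n in pair_counts.items()}


def unusual_pairs(events, max_ratio=0.2, min_parent_events=5):
    """Parent/child pairs that are unusually linked: the child accounts for at
    most max_ratio of the parent's spawns, and the parent has enough history
    to trust the estimate (this stands in for the unsupervised model)."""
    parent_totals = Counter(parent for parent, _, _ in events)
    return {
        pair for pair, ratio in pair_ratios(events).items()
        if ratio <= max_ratio and parent_totals[pair[0]] >= min_parent_events
    }


def alerts(events, **kwargs):
    """Fire only when both signals agree, as the rule does: the supervised
    verdict is malicious and the parent/child pair is unusual."""
    rare = unusual_pairs(events, **kwargs)
    return sorted({(p, c) for p, c, flagged in events if flagged and (p, c) in rare})


if __name__ == "__main__":
    for parent, child in alerts(EVENTS):
        print(f"ALERT: {parent} -> {child}")
```

Note that the supervised false positive on a common pair and the rare pair without a supervised verdict are both suppressed; only the event where the two signals agree becomes an alert.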
Categories
- Endpoint
- Windows
Data Sources
- Process
- Logon Session
- Application Log
ATT&CK Techniques
- T1036
Created: 2023-10-16