
Suspicious Windows Process Cluster Spawned by a User

Elastic Detection Rules

Summary
This rule identifies potentially malicious clusters of Windows processes based on machine learning analysis. It combines two ML techniques: a supervised model (ProblemChild) that scores the risk of each individual process, and an unsupervised step that groups suspicious processes by the user account that spawned them. A process is flagged when it scores a high likelihood of being malicious, particularly in combination with other high-scoring processes from the same user. Such clusters typically indicate advanced threats, for example 'living off the land' activity in which legitimate tools are abused for malicious purposes while remaining stealthy against traditional detection methods. The rule is designed to run within the Elastic security ecosystem and requires the LotL Attack Detection integration to be configured in order to work. When investigating alerts from this rule, examine the relationships between the clustered processes and the user's wider behavior, and correlate with threat intelligence to understand the potential attack and to rule out false positives from legitimate administrative activity.
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
  • Logon Session
  • Network Traffic
ATT&CK Techniques
  • T1036
Created: 2023-10-16