IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity Suspicious Windows Process Cluster Spawned by a Host »

› ›

Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score

edit

Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score

edit

A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model’s blocklist identified the event as being malicious.

Rule type: eql

Rule indices:

endgame-*
logs-endpoint.events.process-*
winlogbeat-*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-10m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

OS: Windows
Data Source: Elastic Endgame
Use Case: Living off the Land Attack Detection
Rule Type: ML
Rule Type: Machine Learning
Tactic: Defense Evasion

Version: 2

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Masquerading
- ID: T1036
- Reference URL: https://attack.mitre.org/techniques/T1036/
Sub-technique:
- Name: Masquerade Task or Service
- ID: T1036.004
- Reference URL: https://attack.mitre.org/techniques/T1036/004/

« Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity Suspicious Windows Process Cluster Spawned by a Host »