Anomalous Windows Process Creation

edit

Identifies unusual parent-child process relationships that can indicate malware execution or persistence mechanisms. Malicious scripts often call on other applications and processes as part of their exploit payload. For example, when a malicious Office document runs scripts as part of an exploit payload, Excel or Word may start a script interpreter process, which, in turn, runs a script that downloads and executes malware. Another common scenario is Outlook running an unusual process when malware is downloaded in an email. Monitoring and identifying anomalous process relationships is a method of detecting new and emerging malware that is not yet recognized by anti-virus scanners.

Rule type: machine_learning

Machine learning job: v3_windows_anomalous_process_creation

Machine learning anomaly threshold: 50

Severity: low

Risk score: 21

Runs every: 15 minutes

Searches indices from: now-45m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • ML
  • Persistence

Version: 7 (version history)

Added (Elastic Stack release): 7.7.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

Users running scripts in the course of technical support operations of software upgrades could trigger this alert. A newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert. ==== Threat mapping

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 7 (8.4.0 release)
  • Formatting only
Version 6 (8.3.0 release)
  • Formatting only
Version 5 (7.14.0 release)
  • Formatting only
Version 4 (7.12.0 release)
  • Formatting only
Version 3 (7.10.0 release)
  • Formatting only
Version 2 (7.9.0 release)
  • Formatting only