[New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules (#3193)
* adding new LotL rules
* added endpoint tags; updated technique mapping
* added missing data source tag
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* updated note, references and date
* changed ATT&CK technique to binary proxy execution
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 835be9b245)
committed by
github-actions[bot]
parent
ab55bc399d
commit
4ed6c7d594
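--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/09/19"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two
+ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual
+process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious
+or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_host"
+name = "Unusual Process Spawned by a Host"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
+severity = "low"
+tags = [
+"Domain: Endpoint",
+"OS: Windows",
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"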
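Review bot: Only this rule maps T1218 (System Binary Proxy Execution) in its `[[rule.threat.technique]]` entry, while the other seven files in this commit still map T1036 (Masquerading) for the same LOLbin-oriented detections; the commit message says the technique was changed to binary proxy execution, so either the remaining files should get the same mapping or the difference should be explained in the description. The `tags` array also carries both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, which look like one tag in two spellings; the same pair appears in every file of this commit, so dropping one here and in the others would keep the tagging scheme consistent. The description wording ("classified as suspicious in two ways ... found to be an unusual process") also differs from the parent-process and user variants, which attribute the second signal to an unsupervised ML model; aligning the sentence would make the three rare-process rules read as a set.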
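--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child
+process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or
+malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_parent"
+name = "Unusual Process Spawned by a Parent Process"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
+severity = "low"
+tags = [
+"Domain: Endpoint",
+"OS: Windows",
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+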
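--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given
+that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a
+process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to
+detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_user"
+name = "Unusual Process Spawned by a User"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
+severity = "low"
+tags = [
+"Domain: Endpoint",
+"OS: Windows",
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+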
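Review bot: The third line of `description` has a missing space and a dangling clause, `does not commonly manifest malicious activity,by an unsupervised ML model`, and this text is shown verbatim to analysts in the rule details. Rewording it along the lines of `and it was found, by an unsupervised ML model, to be running in a user context that is unusual and does not commonly manifest malicious activity` reads cleanly and matches the sentence structure of the host and parent-process variants in this commit.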
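--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild","endpoint"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
+severity = "low"
+tags = [
+"OS: Windows",
+"Data Source: Elastic Endgame",
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+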
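Review bot: The carve-out in `query` keys only on a substring of `process.args` (`*C:\\WINDOWS\\temp\\nessus_*`), and the command line is content chosen by whatever starts the process, so the exclusion is wider than the Nessus scanner it is meant to cover; tying it to the scanner's parent executable or code-signature fields would keep the allowlist bound to the scanner rather than to a path string, and a comment in `note` naming the false-positive source would help future tuning. The tags are also incomplete relative to the data sources: `index` includes `logs-endpoint.events.process-*` and `integration` lists `endpoint`, yet only `"Data Source: Elastic Endgame"` is tagged and `"Domain: Endpoint"` is missing, unlike the ML-type rules in this commit; the high-probability variant has the same gap. `updated_date` here is still `2023/10/16` while the rare-process rules were bumped to `2023/10/23`.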
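--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild","endpoint"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
+severity = "low"
+tags = [
+"OS: Windows",
+"Data Source: Elastic Endgame",
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+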
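Review bot: This `query` is a strict subset of the one in the "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity" rule added in the same commit (identical `blocklist_label == 1` branch, plus a `prediction_probability > 0.98` cut on the prediction branch), so every event that matches here also fires the broader rule, yet both carry `risk_score = 21` and `severity = "low"`. If this rule is meant as the higher-confidence tier, its score and severity should say so, and the `blocklist_label == 1` branch could be left to the broader rule so blocklist hits alert once; otherwise a sentence in `note` explaining why the two rules coexist would help analysts triaging duplicate alerts. The `0.98` cut-off is also undocumented; a line in `note` stating that it is the model's probability score and how the value was chosen would make later tuning safer.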
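--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be
+unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_host"
+name = "Suspicious Windows Process Cluster Spawned by a Host"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
+severity = "low"
+tags = [
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+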
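Review bot: The `tags` array lacks `"Domain: Endpoint"` and `"OS: Windows"`, which the parent-process and user variants of this cluster rule, and the three rare-process rules in this commit, all carry; the description itself says these are Windows processes, so adding `"Domain: Endpoint",` and `"OS: Windows",` at the top of the array would keep the set consistent and filterable. `updated_date` is also still `2023/10/16` here while the rare-process rules were bumped to `2023/10/23`.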
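--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to
+be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_parent"
+name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
+severity = "low"
+tags = [
+"Domain: Endpoint",
+"OS: Windows",
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+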
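--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be
+unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_user"
+name = "Suspicious Windows Process Cluster Spawned by a User"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+"https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+"https://docs.elastic.co/en/integrations/problemchild",
+"https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
+severity = "low"
+tags = [
+"Domain: Endpoint",
+"OS: Windows",
+"Use Case: Living off the Land Attack Detection",
+"Rule Type: ML",
+"Rule Type: Machine Learning",
+"Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+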