From 4ed6c7d5949ca86af9794ef7b4934b65e11b60ac Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Mon, 23 Oct 2023 12:23:56 -0400 Subject: [PATCH] [New Rule] Add Living-off-the-Land (LotL) ProblemChild Rules (#3193) * adding new LotL rules * added endpoint tags; updated technique mapping * added missing data source tag * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan 
<26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * updated note, references and date * changed ATT&CK technique to binary proxy execution --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit 835be9b2451c6568ad8d60fed43fa02b0df9e025) --- ...se_evasion_ml_rare_process_for_a_host.toml | 54 +++++++++++++++ ..._ml_rare_process_for_a_parent_process.toml | 56 ++++++++++++++++ ...se_evasion_ml_rare_process_for_a_user.toml | 57 ++++++++++++++++ ...e_evasion_ml_suspicious_windows_event.toml | 66 ++++++++++++++++++ ...icious_windows_event_high_probability.toml | 67 +++++++++++++++++++ ...ous_windows_process_cluster_from_host.toml | 56 ++++++++++++++++ ...s_process_cluster_from_parent_process.toml | 58 ++++++++++++++++ ...ous_windows_process_cluster_from_user.toml | 58 ++++++++++++++++ 8 files changed, 472 
insertions(+)
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
 create mode 100644 rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
new file mode 100644
index 000000000..7701a2a8b
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/09/19"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as suspicious in two
+ways. It was predicted to be suspicious by the ProblemChild supervised ML model, and it was found to be an unusual
+process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious
+or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_host"
+name = "Unusual Process Spawned by a Host"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "56004189-4e69-4a39-b4a9-195329d226e9"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1218"
+name = "System Binary Proxy Execution"
+reference = "https://attack.mitre.org/techniques/T1218/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
new file mode 100644
index 000000000..7a6af8781
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml
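Review bot: The tags array lists both `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, two spellings of the same tag; keep one, otherwise any dashboard or filter keyed on tag values has to match both. The same duplicated pair appears in all eight rule files added by this patch. The description also says the process was "classified as suspicious in two ways" but only names the supervised model for the second classification; the sibling rules attribute it to an unsupervised ML model, and given `anomaly_threshold = 75` that presumably applies here too, so `process, on a host that does not commonly manifest malicious activity, by an unsupervised ML model.` would make the second classifier explicit.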
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child
+process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or
+malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_parent"
+name = "Unusual Process Spawned by a Parent Process"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
new file mode 100644
index 000000000..fc3085911
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml
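Review bot: The technique block here maps `id = "T1036"` (Masquerading), while the host rule in the same patch maps `id = "T1218"` (System Binary Proxy Execution) and the commit message says the technique was changed to binary proxy execution; only that one file received the change. The user rule and the three process-cluster rules in this patch carry the same T1036 block, so the eight rules now split across two techniques for what their descriptions present as the same LOLbin-oriented detection. An unusual child process name under a given parent is not by itself masquerading, so either align these files with T1218 or add a sentence to the rule note explaining why the mappings differ.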
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given
+that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a
+process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to
+detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_user"
+name = "Unusual Process Spawned by a User"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
new file mode 100644
index 000000000..801f18442
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event.toml
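Review bot: The third line of the description has a missing space and a dangling clause in `...does not commonly manifest malicious activity,by an unsupervised ML model.`; the sentence should read `that its user context is unusual and does not commonly manifest malicious activity, by an unsupervised ML model.` This text is rendered to analysts in every alert the rule produces, so it is worth tidying before the rule ships as `maturity = "production"`.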
@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild","endpoint"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
+severity = "low"
+tags = [
+ "OS: Windows",
+ "Data Source: Elastic Endgame",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where (problemchild.prediction == 1 or blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
new file mode 100644
index 000000000..4adb1946e
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml
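Review bot: The description says the model identified the event "with high probability of it being malicious activity", but the query only tests `problemchild.prediction == 1` and applies no probability threshold; that wording belongs to the sibling high-probability rule in this patch, whose query adds `problemchild.prediction_probability > 0.98`. A description such as `A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event predicted to be malicious activity.` would match what this query actually does. The `not process.args : (...)` exclusion for Nessus temp files is undocumented; a sentence in the note stating that it suppresses a vulnerability-scanner false positive, and that it matches any process argument containing that path, would help analysts decide whether to keep it in their environment. `integration` also lists `endpoint`, yet the tags carry no `"Domain: Endpoint"` entry, unlike the rare-process rules.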
@@ -0,0 +1,67 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild","endpoint"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["endgame-*", "logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
+severity = "low"
+tags = [
+ "OS: Windows",
+ "Data Source: Elastic Endgame",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
new file mode 100644
index 000000000..38ec615d9
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
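Review bot: The `problemchild.prediction_probability > 0.98` clause is the only thing that distinguishes this rule from the sibling suspicious-windows-event rule, yet the description is identical to that rule's and never mentions the threshold, so an analyst seeing both alerts on one event has no way to tell why. Adding a sentence like `This rule only fires when the model's prediction probability exceeds 0.98; a lower-confidence variant exists as a separate rule.` to the description would make the relationship explicit. Both rules also share the undocumented Nessus argument exclusion and omit a `"Domain: Endpoint"` tag despite listing `endpoint` under `integration`.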
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be
+unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_host"
+name = "Suspicious Windows Process Cluster Spawned by a Host"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
+severity = "low"
+tags = [
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
new file mode 100644
index 000000000..2e4c7417e
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
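Review bot: The tags array here omits `"Domain: Endpoint"` and `"OS: Windows"`, which the other five `machine_learning` rules in this patch carry (the parent-process and user cluster rules that follow have both); the commit message says endpoint tags were added, so this file looks like it was missed. Add `"Domain: Endpoint",` and `"OS: Windows",` at the top of `tags` so the rule is filtered and grouped consistently with its siblings. The `updated_date` of `2023/10/16` also lags the `2023/10/23` used by the rules that were touched in the later commits, which is consistent with the file having been skipped.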
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to
+be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_parent"
+name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "f5d9d36d-7c30-4cdb-a856-9f653c13d4e0"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
new file mode 100644
index 000000000..1bc663132
--- /dev/null
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild"]
+maturity = "production"
+min_stack_comments = "LotL package job ID and rule removal updates"
+min_stack_version = "8.9.0"
+updated_date = "2023/10/16"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
+scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
+processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be
+unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
+involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_user"
+name = "Suspicious Windows Process Cluster Spawned by a User"
+note = """## Setup
+
+The Living-off-the-Land (LotL) Detection integration must be enabled and related ML jobs configured for this rule to be effective. Please refer to this rule's references for more information.
+"""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/problemchild",
+ "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"
+]
+risk_score = 21
+rule_id = "1224da6c-0326-4b4f-8454-68cdc5ae542b"
+severity = "low"
+tags = [
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Living off the Land Attack Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Defense Evasion",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+