From 597c41e9246d48e563f63f95fc3622b069c2da36 Mon Sep 17 00:00:00 2001
From: Kirti Kirti
Date: Wed, 19 Mar 2025 13:20:53 -0400
Subject: [PATCH 1/2] Changed description and name of problemchild ML detection-rules
---
 ...n_ml_suspicious_windows_process_cluster_from_host.toml | 8 ++++----
 ...cious_windows_process_cluster_from_parent_process.toml | 8 ++++----
 ...n_ml_suspicious_windows_process_cluster_from_user.toml | 8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index 047992ae1be..407e41f065b 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/19"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -10,8 +10,8 @@ min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
-scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit
+unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The process(es)
 were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
 processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be
 unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
@@ -21,7 +21,7 @@ from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_host"
-name = "Suspicious Windows Process Cluster Spawned by a Host"
+name = "Host Detected with Suspicious Windows Process(es)"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
     "https://docs.elastic.co/en/integrations/problemchild",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 91dda3e569e..45c13c692ec 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
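Review bot: The second replacement line of the description in this hunk loses the space after the sentence break, `malicious probability scores.These process(es)`, so the published rule description will render the two sentences fused; the matching hunks in the parent-process and user files below keep the space, so the typo is confined to the host rule. The corrected line should read `+unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es)`. Separately, in all three files the new lines run well past the 120-column wrap that the surrounding description lines keep, so the paragraph is worth rewrapping once the space is restored; that rewrap would also shift the context lines that follow. The description string continues past the end of the hunk.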
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/19"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -10,8 +10,8 @@ min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
-scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+A machine learning job combination has identified a parent process with one or more suspicious Windows processes that exhibit
+unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es)
 were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
 processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be
 unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
@@ -21,7 +21,7 @@ from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_parent"
-name = "Suspicious Windows Process Cluster Spawned by a Parent Process"
+name = "Parent Process Detected with Suspicious Windows Process(es)"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
     "https://docs.elastic.co/en/integrations/problemchild",
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index bb2d33f43f8..ce5a247b619 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/10/16"
 integration = ["problemchild", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/19"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
@@ -10,8 +10,8 @@ min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high
-scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es)
+A machine learning job combination has identified a user with one or more suspicious Windows processes that exhibit
+unusually high malicious probability scores. These process(es) have been classified as malicious in several ways. The process(es)
 were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious
 processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be
 unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly
@@ -21,7 +21,7 @@ from = "now-45m"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "problem_child_high_sum_by_user"
-name = "Suspicious Windows Process Cluster Spawned by a User"
+name = "User Detected with Suspicious Windows Process(es)"
 references = [
     "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
     "https://docs.elastic.co/en/integrations/problemchild",
From 377140709563f791af4f8efb308c7de3deb075c5 Mon Sep 17 00:00:00 2001
From: Kirti Kirti
Date: Thu, 20 Mar 2025 08:47:29 -0400
Subject: [PATCH 2/2] updated rule name in investigation guide
---
 ...evasion_ml_suspicious_windows_process_cluster_from_host.toml | 2 +-
 ..._suspicious_windows_process_cluster_from_parent_process.toml | 2 +-
 ...evasion_ml_suspicious_windows_process_cluster_from_user.toml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
index 407e41f065b..831a135efa2 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml
@@ -63,7 +63,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Suspicious Windows Process Cluster Spawned by a Host
+### Investigating Host Detected with Suspicious Windows Process(es)
 The detection leverages machine learning to identify clusters of Windows processes with high malicious probability scores. Adversaries exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion.
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
index 45c13c692ec..8216d5e7363 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml
@@ -65,7 +65,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Suspicious Windows Process Cluster Spawned by a Parent Process
+### Investigating Parent Process Detected with Suspicious Windows Process(es)
 In Windows environments, processes are often spawned by parent processes, forming a hierarchy. Adversaries exploit this by using legitimate processes to launch malicious ones, often leveraging Living off the Land Binaries (LOLBins) to evade detection. The detection rule employs machine learning to identify clusters of processes with high malicious probability, focusing on those sharing a common parent process. This approach helps uncover stealthy attacks that traditional methods might miss, enhancing defense against tactics like masquerading.
diff --git a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
index ce5a247b619..64d44f49770 100644
--- a/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
+++ b/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml
@@ -65,7 +65,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-### Investigating Suspicious Windows Process Cluster Spawned by a User
+### Investigating User Detected with Suspicious Windows Process(es)
 The detection leverages machine learning to identify clusters of Windows processes with high malicious probability, often linked to tactics like masquerading. Adversaries exploit legitimate tools (LOLBins) to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters, focusing on user-associated anomalies to uncover potential threats.