nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_parent_process.toml

@@ -0,0 +1,107 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child
+process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or
+malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_parent"
+name = "Unusual Process Spawned by a Parent Process"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Process Spawned by a Parent Process
+
+In Windows environments, processes are often spawned by parent processes to perform legitimate tasks. However, adversaries can exploit this by using legitimate tools, known as LOLbins, to execute malicious activities stealthily. The detection rule leverages machine learning to identify anomalies in process creation patterns, flagging processes that deviate from typical behavior, thus uncovering potential threats that evade traditional detection methods.
+
+### Possible investigation steps
+
+- Review the parent process and child process names to determine if they are known legitimate applications or if they are commonly associated with LOLbins or other malicious activities.
+- Check the process creation time and correlate it with any known user activity or scheduled tasks to identify if the process execution aligns with expected behavior.
+- Investigate the command line arguments used by the suspicious process to identify any unusual or potentially malicious commands or scripts being executed.
+- Analyze the network activity associated with the process to detect any suspicious outbound connections or data exfiltration attempts.
+- Examine the file path and hash of the executable to verify its legitimacy and check against known malware databases or threat intelligence sources.
+- Review any recent changes to the system, such as software installations or updates, that might explain the unusual process behavior.
+- Consult endpoint detection and response (EDR) logs or other security tools to gather additional context and evidence related to the process and its activities.
+
+### False positive analysis
+
+- Legitimate administrative tools like PowerShell or command prompt may be flagged when used for routine tasks. Users can create exceptions for these tools when executed by known and trusted parent processes.
+- Software updates or installations often spawn processes that might appear unusual. Exclude these processes by identifying their typical parent-child relationships during updates.
+- Custom scripts or automation tools used within the organization might trigger alerts. Document these scripts and their expected behavior to create exceptions for them.
+- Frequent use of remote management tools can lead to false positives. Ensure these tools are whitelisted when used by authorized personnel.
+- Regularly review and update the list of exceptions to accommodate changes in legitimate process behaviors over time.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
+- Terminate the suspicious process identified by the alert to stop any ongoing malicious actions.
+- Conduct a thorough analysis of the process and its parent to understand the scope of the compromise and identify any additional malicious activities or files.
+- Remove any malicious files or artifacts associated with the process from the system to ensure complete remediation.
+- Restore the system from a known good backup if the integrity of the system is compromised beyond repair.
+- Update and patch the system to close any vulnerabilities that may have been exploited by the adversary.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/problemchild",
+    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "ea09ff26-3902-4c53-bb8e-24b7a5d029dd"
+setup = """## Setup
+
+The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
+
+### LotL Attack Detection Setup
+The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.
+
+#### Prerequisite Requirements:
+- Fleet is required for LotL Attack Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.
+
+#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Living off the Land Attack Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_user.toml

@@ -0,0 +1,107 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two
+ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given
+that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a
+process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to
+detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_rare_process_by_user"
+name = "Unusual Process Spawned by a User"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Process Spawned by a User
+
+The detection of unusual processes spawned by users leverages machine learning to identify anomalies in user behavior and process execution. Adversaries often exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag processes that deviate from typical user activity, indicating potential misuse or masquerading tactics.
+
+### Possible investigation steps
+
+- Review the user context associated with the alert to determine if the user has a history of spawning unusual processes or if this is an isolated incident.
+- Examine the specific process flagged by the alert, including its command line arguments, parent process, and any associated network activity, to identify potential indicators of compromise.
+- Check for the presence of known LOLbins or other legitimate tools that may have been exploited, as indicated by the alert's focus on defense evasion tactics.
+- Investigate any recent changes in the user's behavior or system configuration that could explain the anomaly, such as software updates or new application installations.
+- Correlate the alert with other security events or logs from the same timeframe to identify any related suspicious activities or patterns.
+- Assess the risk score and severity level in the context of the organization's threat landscape to prioritize the response and determine if further action is needed.
+
+### False positive analysis
+
+- Legitimate administrative tools may trigger false positives if they are used in atypical contexts. Users should review the context of the process execution and, if deemed safe, add these tools to an exception list to prevent future alerts.
+- Scheduled tasks or scripts that run infrequently might be flagged as unusual. Verify the legitimacy of these tasks and consider excluding them if they are part of regular maintenance or updates.
+- Software updates or installations can spawn processes that appear anomalous. Confirm the source and purpose of these updates, and if they are routine, create exceptions for these specific processes.
+- Developers or IT personnel using command-line tools for legitimate purposes may trigger alerts. Evaluate the necessity of these tools in their workflow and whitelist them if they are consistently used in a non-malicious manner.
+- New or infrequently used applications might be flagged due to lack of historical data. Assess the application's legitimacy and, if appropriate, add it to a list of known safe applications to reduce false positives.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
+- Terminate the suspicious process identified by the alert to halt any ongoing malicious activity.
+- Conduct a thorough review of the user's recent activity and access logs to identify any unauthorized actions or data access.
+- Reset the credentials of the affected user account to prevent further unauthorized access, ensuring that strong, unique passwords are used.
+- Scan the system for additional indicators of compromise, such as other unusual processes or modifications to system files, and remove any identified threats.
+- Restore the system from a known good backup if any critical system files or configurations have been altered.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected."""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/problemchild",
+    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "40155ee4-1e6a-4e4d-a63b-e8ba16980cfb"
+setup = """## Setup
+
+The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
+
+### LotL Attack Detection Setup
+The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.
+
+#### Prerequisite Requirements:
+- Fleet is required for LotL Attack Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.
+
+#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Living off the Land Attack Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_high_probability.toml

@@ -0,0 +1,118 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/09/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
+
+The detection leverages a machine learning model, ProblemChild, to identify potentially malicious Windows processes by analyzing patterns and assigning a high probability score to suspicious activities. Adversaries may exploit legitimate processes to evade detection, often using techniques like masquerading. This rule flags high-risk events by focusing on processes with a high malicious probability score or those identified by a blocklist, excluding known benign activities.
+
+### Possible investigation steps
+
+- Review the process details flagged by the ProblemChild model, focusing on those with a prediction probability greater than 0.98 or identified by the blocklist.
+- Examine the command-line arguments of the suspicious process to identify any unusual or unexpected patterns, excluding those matching known benign patterns like "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.txt*" or "*C:\\\\WINDOWS\\\\temp\\\\nessus_*.tmp*".
+- Check the parent process of the flagged event to determine if it is a legitimate process or if it has been potentially compromised.
+- Investigate the user account associated with the process to assess if it has been involved in any other suspicious activities or if it has elevated privileges that could be exploited.
+- Correlate the event with other security alerts or logs to identify any related activities or patterns that could indicate a broader attack campaign.
+- Consult threat intelligence sources to determine if the process or its associated indicators are linked to known malicious activities or threat actors.
+
+### False positive analysis
+
+- Nessus scan files in the Windows temp directory may trigger false positives due to their temporary nature and frequent legitimate use. Users can mitigate this by adding exceptions for file paths like C:\\WINDOWS\\temp\\nessus_*.txt and C:\\WINDOWS\\temp\\nessus_*.tmp.
+- Legitimate software updates or installations might be flagged if they mimic known malicious patterns. Users should review the process details and whitelist trusted software update processes.
+- System administration tools that perform actions similar to those used in attacks could be misidentified. Users should verify the legitimacy of these tools and exclude them from the rule if they are part of regular administrative tasks.
+- Custom scripts or automation tools that are not widely recognized might be flagged. Users should ensure these scripts are secure and add them to an allowlist if they are part of routine operations.
+- Frequent false positives from specific processes can be managed by adjusting the threshold of the machine learning model or refining the blocklist to better distinguish between benign and malicious activities.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent further spread of potential malicious activity.
+- Terminate the suspicious process identified by the ProblemChild model to halt any ongoing malicious actions.
+- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats.
+- Review and analyze the process execution history and associated files to understand the scope of the compromise and identify any persistence mechanisms.
+- Restore any altered or deleted files from backups, ensuring that the backup is clean and free from malware.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
+- Implement enhanced monitoring and logging for similar processes and activities to detect and respond to future attempts at masquerading or defense evasion."""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/problemchild",
+    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 73
+rule_id = "994e40aa-8c85-43de-825e-15f665375ee8"
+setup = """## Setup
+
+The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
+
+### LotL Attack Detection Setup
+The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.
+
+#### Prerequisite Requirements:
+- Fleet is required for LotL Attack Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.
+
+#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
+"""
+severity = "high"
+tags = [
+    "OS: Windows",
+    "Data Source: Elastic Endgame",
+    "Use Case: Living off the Land Attack Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where ((problemchild.prediction == 1 and problemchild.prediction_probability > 0.98) or
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_event_low_probability.toml

@@ -0,0 +1,118 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild", "endpoint"]
+maturity = "production"
+updated_date = "2025/09/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with low
+probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being
+malicious.
+"""
+from = "now-10m"
+index = ["logs-endpoint.events.process-*", "winlogbeat-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score"
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/problemchild",
+    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "13e908b9-7bf0-4235-abc9-b5deb500d0ad"
+setup = """## Setup
+
+The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
+
+### LotL Attack Detection Setup
+The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.
+
+#### Prerequisite Requirements:
+- Fleet is required for LotL Attack Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.
+
+#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Configure the ingest pipeline**.
+"""
+severity = "low"
+tags = [
+    "OS: Windows",
+    "Data Source: Elastic Endgame",
+    "Use Case: Living off the Land Attack Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Defense Evasion",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where ((problemchild.prediction == 1 and problemchild.prediction_probability <= 0.98) or
+blocklist_label == 1) and not process.args : ("*C:\\WINDOWS\\temp\\nessus_*.txt*", "*C:\\WINDOWS\\temp\\nessus_*.tmp*")
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Machine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score
+
+The detection leverages a machine learning model to identify potentially suspicious Windows processes with a low likelihood of being malicious, focusing on defense evasion tactics like masquerading. Adversaries may exploit legitimate processes to bypass security measures. This rule flags such events, excluding known benign patterns, to highlight potential threats for further analysis.
+
+### Possible investigation steps
+
+- Review the process details where the problemchild.prediction is 1 and the prediction_probability is less than or equal to 0.98 to understand why the process was flagged as suspicious.
+- Check if the process is listed in the blocklist_label as 1, indicating it has been identified as malicious by the model's blocklist.
+- Investigate the command-line arguments of the process to identify any unusual or unexpected patterns, excluding known benign patterns such as those involving "C:\\WINDOWS\\temp\\nessus_*.txt" or "C:\\WINDOWS\\temp\\nessus_*.tmp".
+- Correlate the flagged process with other system events or logs to determine if it is part of a larger pattern of suspicious activity, focusing on defense evasion tactics like masquerading.
+- Assess the parent process and any child processes spawned by the suspicious process to identify potential lateral movement or further malicious activity.
+- Consult threat intelligence sources to see if the process or its associated indicators have been reported in recent threat reports or advisories.
+
+### False positive analysis
+
+- Nessus scan files in the Windows temp directory may trigger false positives. Exclude paths like C:\\WINDOWS\\temp\\nessus_*.txt and C:\\WINDOWS\\temp\\nessus_*.tmp to prevent these benign events from being flagged.
+- Legitimate software updates or installations might mimic suspicious behavior. Monitor and document regular update schedules to differentiate between expected and unexpected activities.
+- System administration scripts that automate tasks can appear suspicious. Identify and whitelist these scripts if they are part of routine operations to avoid unnecessary alerts.
+- Custom in-house applications may not be recognized by the model. Work with IT to catalog these applications and create exceptions where necessary to reduce false positives.
+- Regularly review and update the blocklist and exception rules to ensure they reflect the current environment and known benign activities.
+
+### Response and remediation
+
+- Isolate the affected system from the network to prevent potential lateral movement by the adversary exploiting the masquerading technique.
+- Terminate the suspicious process identified by the machine learning model to halt any ongoing malicious activity.
+- Conduct a thorough review of the process's parent and child processes to identify any additional suspicious activities or related processes that may require termination.
+- Restore the system from a known good backup if any malicious activity is confirmed, ensuring that the backup is free from compromise.
+- Update and patch the system to the latest security standards to close any vulnerabilities that may have been exploited.
+- Implement enhanced monitoring for similar masquerading attempts by adjusting alert thresholds or adding specific indicators of compromise (IOCs) related to the detected event.
+- Escalate the incident to the security operations center (SOC) or relevant security team for further analysis and to determine if additional systems are affected."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.004"
+name = "Masquerade Task or Service"
+reference = "https://attack.mitre.org/techniques/T1036/004/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/problemchild/defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml

@@ -0,0 +1,106 @@
+[metadata]
+creation_date = "2023/10/16"
+integration = ["problemchild", "endpoint", "windows"]
+maturity = "production"
+updated_date = "2025/03/20"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job combination has identified a host with one or more suspicious Windows processes that exhibit
+unusually high malicious probability scores.These process(es) have been classified as malicious in several ways. The
+process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of
+suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated
+to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity,
+possibly involving LOLbins, that may be resistant to detection using conventional search rules.
+"""
+from = "now-45m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "problem_child_high_sum_by_host"
+name = "Host Detected with Suspicious Windows Process(es)"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Host Detected with Suspicious Windows Process(es)
+
+The detection leverages machine learning to identify clusters of Windows processes with high malicious probability scores. Adversaries exploit legitimate tools, known as LOLbins, to evade detection. This rule uses both supervised and unsupervised ML models to flag unusual process clusters on a single host, indicating potential masquerading tactics for defense evasion.
+
+### Possible investigation steps
+
+- Review the host name associated with the suspicious process cluster to determine if it is a critical asset or has a history of similar alerts.
+- Examine the specific processes flagged by the ProblemChild supervised ML model to identify any known LOLbins or unusual command-line arguments that may indicate masquerading.
+- Check the timeline of the process execution to see if it coincides with any known scheduled tasks or user activity that could explain the anomaly.
+- Investigate the parent-child relationship of the processes to identify any unexpected or unauthorized process spawning patterns.
+- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activity.
+- Assess the network activity associated with the host during the time of the alert to detect any potential data exfiltration or communication with known malicious IP addresses.
+
+### False positive analysis
+
+- Legitimate administrative tools like PowerShell or Windows Management Instrumentation (WMI) may be flagged as suspicious due to their dual-use nature. Users can create exceptions for these tools when used by trusted administrators or during scheduled maintenance.
+- Automated scripts or scheduled tasks that perform routine system checks or updates might trigger alerts. Review these processes and whitelist them if they are verified as part of regular operations.
+- Software updates or installations that involve multiple processes spawning in a short time frame can be mistaken for malicious clusters. Ensure that these activities are documented and create exceptions for known update processes.
+- Development or testing environments where new or experimental software is frequently executed may generate false positives. Consider excluding these environments from monitoring or adjusting the sensitivity of the rule for these specific hosts.
+- Frequent use of remote desktop or remote management tools by IT staff can appear suspicious. Implement user-based exceptions for known IT personnel to reduce unnecessary alerts.
+
+### Response and remediation
+
+- Isolate the affected host immediately to prevent further spread of potential malicious activity. Disconnect it from the network to contain the threat.
+- Terminate the suspicious processes identified by the alert. Use task management tools or scripts to ensure all instances of the processes are stopped.
+- Conduct a thorough review of the host's system logs and process history to identify any additional indicators of compromise or related malicious activity.
+- Restore the host from a known good backup if available, ensuring that the backup is free from any signs of compromise.
+- Update and patch the host's operating system and all installed software to close any vulnerabilities that may have been exploited.
+- Implement application whitelisting to prevent unauthorized or suspicious processes from executing in the future.
+- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional hosts are affected."""
+references = [
+    "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+    "https://docs.elastic.co/en/integrations/problemchild",
+    "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration",
+]
+risk_score = 21
+rule_id = "bdfebe11-e169-42e3-b344-c5d2015533d3"
+setup = """## Setup
+
+The rule requires the Living off the Land (LotL) Attack Detection integration assets to be installed, as well as Windows process events collected by integrations such as Elastic Defend or Winlogbeat.
+
+### LotL Attack Detection Setup
+The LotL Attack Detection integration detects living-off-the-land activity in Windows process events.
+
+#### Prerequisite Requirements:
+- Fleet is required for LotL Attack Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows process events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) integration or Winlogbeat(https://www.elastic.co/guide/en/beats/winlogbeat/current/_winlogbeat_overview.html).
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To set up and run Winlogbeat, follow [this](https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation-configuration.html) guide.
+
+#### The following steps should be executed to install assets associated with the LotL Attack Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Living off the Land Attack Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+    "Use Case: Living off the Land Attack Detection",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Tactic: Defense Evasion",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+