You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.
Last updated: Apr 10th, 2023

Living off the Land Attack Detection

ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription.

What is an Elastic integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

The Living off the Land Attack (LotL) Detection package contains a supervised machine learning model, called ProblemChild and associated assets, which are used to detect living off the land (LotL) activity in your environment. This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under Elastic License v 1.0.

Configuration

To download the assets, click Settings > Install Living off the Land Attack Detection assets.

Follow these instructions to ingest data with the ingest pipeline and enrich your indices with inference data. Then use these detection rules and anomaly detection jobs to detect LotL attacks. For more detailed information refer to this blog.

(Required) Set up the ingest pipeline

Once you’ve installed the package you can ingest your data using the ingest pipeline. This will enrich your incoming data with its predictions from the machine learning model.

This pipeline is designed to work with Winlogbeat data.

(Optional) Add preconfigured anomaly detection jobs

Create a data view for the indices that are enriched by the pipeline.

In Machine Learning > Anomaly Detection, when you create a job, you should see an option to Use preconfigured jobs with a card for Living off the Land Detection. When you select the card, you will see several pre-configured anomaly detection jobs that you can enable depending on what makes the most sense for your environment. Note these jobs are only useful for indices that have been enriched by the ingest pipeline.

(Optional) Enable Security rules

In order to maximize the benefit of the LotL Detection framework, you might consider activating detection rules that are triggered when certain conditions for the supervised model or anomaly detection jobs are satisfied. See the documentation for more information on importing and enabling the rules.

Note that there are search rules as well as ML job rules.

Anomaly Detection Jobs

Detects potential LotL activity by identifying malicious processes.

JobDescription
problem_child_rare_process_by_host
Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity. This is an experimental job and is therefore unsupported.
problem_child_high_sum_by_host
Looks for a set of one or more malicious child processes on a single host. This is an experimental job and is therefore unsupported.
problem_child_rare_process_by_user
Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity. This is an experimental job and is therefore unsupported.
problem_child_rare_process_by_parent
Looks for rare malicious child processes spawned by a parent process. This is an experimental job and is therefore unsupported.
problem_child_high_sum_by_user
Looks for a set of one or more malicious processes, started by the same user. This is an experimental job and is therefore unsupported.
problem_child_high_sum_by_parent
Looks for a set of one or more malicious child processes spawned by the same parent process. This is an experimental job and is therefore unsupported.

Security Detection Rules

RuleDescription
Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity
A supervised machine learning model (ProblemChild) or its blocklist has identified a suspicious Windows process event to be malicious activity.
Unusual Process Spawned By a Host
A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual process, on a host that does not commonly manifest malicious activity. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Suspicious Windows Process Cluster Spawned by a Host
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same host name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
A supervised machine learning model (ProblemChild) has identified a suspicious Windows process event with high probability of it being malicious activity. Alternatively, the model's blocklist identified the event as being malicious.
Suspicious Windows Process Cluster Spawned by a Parent Process
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same parent process name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Unusual Process Spawned By a User
A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Unusual Process Spawned By a Parent Process
A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be an unusual child process name, for the parent process, by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Suspicious Windows Process Cluster Spawned by a User
A machine learning job combination has detected a set of one or more suspicious Windows processes with unusually high scores for malicious probability. These process(es) have been classified as malicious in several ways. The process(es) were predicted to be malicious by the ProblemChild supervised ML model. If the anomaly contains a cluster of suspicious processes, each process has the same user name, and the aggregate score of the event cluster was calculated to be unusually high by an unsupervised ML model. Such a cluster often contains suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.

Licensing

Usage in production requires that you have a license key that permits use of machine learning features.

Changelog

VersionDetails
1.0.0
Enhancement View pull request
Update version number to follow GA format and to improve visibility
0.0.5
Enhancement View pull request
Cleaning up ML job groups and rule tags, documentation updates
0.0.4
Bug fix View pull request
Fix the ML jobs query.
0.0.3
Bug fix View pull request
Add a LotL tag to all rules, fix a script in the inference pipeline, update ML job configs.
0.0.2
Bug fix View pull request
Update ProblemChild integration Readme
0.0.1
Enhancement View pull request
Initial release of the package