Elastic Security Detection Rules

Unusual Process Spawned by a User

Last updated 15 days ago on 2025-03-20
Created a year ago on 2023-10-16

About

A machine learning job has detected a suspicious Windows process. This process has been classified as malicious in two ways. It was predicted to be malicious by the ProblemChild supervised ML model, and it was found to be suspicious given that its user context is unusual and does not commonly manifest malicious activity,by an unsupervised ML model. Such a process may be an instance of suspicious or malicious activity, possibly involving LOLbins, that may be resistant to detection using conventional search rules.
Tags
Domain: EndpointOS: WindowsUse Case: Living off the Land Attack DetectionRule Type: MLRule Type: Machine LearningTactic: Defense Evasion
Severity
low
Risk Score
21
MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

Masquerading (T1036)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

problemchild(opens in a new tab or window)

endpoint(opens in a new tab or window)

windows(opens in a new tab or window)

Query

Install detection rules in Elastic Security

Detect Unusual Process Spawned by a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).