Unusual Process For a Windows Host
editUnusual Process For a Windows Host
editIdentifies rare processes that do not usually run on individual hosts, which can indicate execution of unauthorized services, malware, or persistence mechanisms. Processes are considered rare when they only run occasionally as compared with other processes running on the host.
Rule type: machine_learning
Machine learning job: v3_rare_process_by_host_windows
Machine learning anomaly threshold: 50
Severity: low
Risk score: 21
Runs every: 15 minutes
Searches indices from: now-45m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- ML
- Persistence
- has_guide
Version: 101 (version history)
Added (Elastic Stack release): 7.7.0
Last modified (Elastic Stack release): 8.5.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editA newly installed program or one that runs rarely as part of a monthly or quarterly workflow could trigger this alert.
Investigation guide
edit## Triage and analysis ### Investigating an Unusual Windows Process Searching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network. Understanding what is commonly run within an environment and developing baselines for legitimate activity can help uncover potential malware and suspicious behaviors. #### Possible investigation steps: - Consider the user as identified by the `user.name` field. Is this program part of an expected workflow for the user who ran this program on this host? - Examine the history of execution. If this process only manifested recently, it might be part of a new software package. If it has a consistent cadence (for example if it runs monthly or quarterly), it might be part of a monthly or quarterly business process. - Examine the process metadata like the values of the Company, Description and Product fields which may indicate whether the program is associated with an expected software vendor or package. - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing. - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious. - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. ### False Positive Analysis - Validate the unusual Windows process is not related to new benign software installation activity. If related to legitimate software, this can be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment. - Try to understand the context of the execution by thinking about the user, machine, or business purpose. It's possible that a small number of endpoints such as servers that have very unique software that might appear to be unusual, but satisfy a specific business need. ### Related Rules - Anomalous Windows Process Creation - Unusual Windows Path Activity - Unusual Windows Process Calling the Metadata Service ### Response and Remediation - This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious. - Based on validation and if malicious, the impacted machine should be isolated and analyzed to determine other post-compromise behavior such as setting up persistence or performing lateral movement. - Look into preventive measures such as Windows Defender Application Control and AppLocker to gain better control on what is allowed to run on Windows infrastructure.
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Create or Modify System Process
- ID: T1543
- Reference URL: https://attack.mitre.org/techniques/T1543/
Rule version history
edit- Version 101 (8.5.0 release)
-
- Formatting only
- Version 12 (8.4.0 release)
-
- Formatting only
- Version 11 (8.3.0 release)
-
- Formatting only
- Version 10 (8.2.0 release)
-
- Formatting only
- Version 9 (8.1.0 release)
-
- Formatting only
- Version 8 (7.16.0 release)
-
- Formatting only
- Version 7 (7.15.0 release)
-
- Formatting only
- Version 6 (7.14.0 release)
-
- Formatting only
- Version 5 (7.13.0 release)
-
- Formatting only
- Version 4 (7.12.0 release)
-
- Formatting only
- Version 3 (7.10.0 release)
-
- Formatting only
- Version 2 (7.9.0 release)
-
- Formatting only