Living off the Land Attack Detection

The Living off the Land Attack (LotL) Detection package contains a supervised machine learning model, called ProblemChild and associated assets, which are used to detect living off the land (LotL) activity in your environment. This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under Elastic License 2.0.

This package supports Windows data from Elastic Defend and Winlogbeat only, although Elastic Defend is strongly recommended. Other integrations do not capture all the process event fields used to train the ProblemChild model, which might lead to incomplete data and potentially degraded prediction quality. Before using this integration, Elastic Defend should be installed through Elastic Agent (or Winlogbeat should be enrolled) and collecting data from hosts. See Configure endpoint protection with Elastic Defend for more information.

The following blogs and webinar provide additional context. For the most current installation instructions, always follow the steps in this guide.

• Detecting Living-off-the-land attacks with new Elastic Integration
• ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack
• ProblemChild: Generate alerts to detect living-off-the-land attacks
• Webinar: ProblemChild: Detecting living-off-the-land attacks using the Elastic Stack

1. Upgrading: If upgrading from a version below v3.0.0, see the section v3.0.0 and beyond.

2. Add the Integration Package: Install the package via Management > Integrations > Add Living off the Land Detection. Configure the integration name and agent policy. Click Save and Continue. (Note that this integration does not rely on an agent, and can be assigned to a policy without an agent.)

3. Install assets: Install the assets by clicking Settings > Install Living off the Land Detection assets.

4. Configure the pipeline: To configure the pipeline you can use one of the following steps:

   • If using Elastic Defend, add a custom pipeline to the data stream. Go to Stack Management > Ingest Pipelines, and check if the pipeline logs-endpoint.events.process@custom exists. If it does not exist, you can create it by running the following command in the Dev Console. Be sure to replace <VERSION> with the current package version.

     PUT _ingest/pipeline/logs-endpoint.events.process@custom
     {
       "processors": [
         {
           "pipeline": {
             "name": "<VERSION>-problem_child_ingest_pipeline",
             "ignore_missing_pipeline": true,
             "ignore_failure": true
           }
         }
       ]
     }
     		

   • If logs-endpoint.events.process@custom already exists, select the three dots next to it and choose Edit. Click Add a processor. Select Pipeline for Processor, enter <VERSION>-problem_child_ingest_pipeline for name (replacing <VERSION> with the current package version), and check Ignore missing pipeline and Ignore failures for this processor. Select Add Processor.
   • If using Winlogbeat, see the next step on how to add the ingest pipeline as part of the component template

5. Add the required mappings to the component template: Go to Stack Management > Index Management > Component Templates. Templates that can be edited to add custom components will be marked with a @custom suffix. For instance, the custom component template for Elastic Defend process events is logs-endpoint.events.process@custom. Note: Do not attempt to edit the @package template if present.

   Elastic Defend

   • If the @custom component template does not exist, you can execute the following command in the Dev Console to create it and then continue to the Rollover section in these instructions. Be sure to change <VERSION> to the current package version.

     PUT _component_template/{COMPONENT_TEMPLATE_NAME}@custom
     {
       "template": {
         "mappings": {
           "properties": {
             "blocklist_label": {
               "type": "long"
             },
             "problemchild": {
               "type": "object",
               "properties": {
                 "prediction": {
                   "type": "long"
                 },
                 "prediction_probability": {
                   "type": "float"
                 }
               }
             }
           }
         }
       }
     }
     		

   • If the @custom component template already exists, you will need to edit it to add mappings for data to be properly enriched. Click the three dots next to it and select Edit.
   • Proceed to the mappings step in the UI. Click Add Field at the bottom of the page and create a blocklist_label field of type Long:
   • Then create an Object field for problemchild.
   • Finally create two properties under ProblemChild.
   • The first for prediction of type Long and then for prediction_probability or type Float.
   • Your component mappings should look like the following:
   • Click Review then Save Component Template.

   Winlogbeat

   • If using an Elastic Beat such as Winlogbeat, create a new component template with a name like winlogbeat-problemchild-<VERSION>, replacing <VERSION> with the current package version. You can do this by executing the following command in the Dev Tools:

     PUT _component_template/winlogbeat-problemchild-<VERSION>
     {
       "template": {
         "mappings": {
           "properties": {
             "blocklist_label": {
               "type": "long"
             },
             "problemchild": {
               "type": "object",
               "properties": {
                 "prediction": {
                   "type": "long"
                 },
                 "prediction_probability": {
                   "type": "float"
                 }
               }
             }
           }
         },
         "settings": {
           "index": {
             "final_pipeline": "<VERSION>-problem_child_ingest_pipeline"
           }
         }
       }
     }
     		

   • Then, after creating the component template, you will need to add it to the appropriate index template. Navigate to Stack Management > Data > Index Management > Index Templates. Find the index template winlogbeat-{WINLOGBEAT_VERSION} for the Winlogbeat version that you are using and click Edit. Then click on Component templates. Add the winlogbeat-problemchild-<VERSION> component template that was created in the previous step. Click Review template then Save template.

6. Rollover Depending on your environment, you may need to rollover in order for these mappings to get picked up. The deault index pattern for Elastic Defend is logs-endpoint.events.process-default and winlogbeat-<WINLOGBEAT_VERSION> for Winlogbeat.

   POST INDEX_NAME/_rollover
   		

7. (Optional) Create a data view specificially for your windows process logs (index pattern or data stream name)

8. Add preconfigured anomaly detection jobs: In Stack Management -> Anomaly Detection Jobs, you will see Select data view or saved search. Select the data view created in the previous step. Then under Use preconfigured jobs you will see Living off the Land Attack Detection. When you select the card, you will see several pre-configured anomaly detection jobs that you can create depending on what makes the most sense for your environment. Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, or the required mapping has not been added, you won't be able to see this card yet. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet.

You can also enable detection rules to alert on LotL activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag Use Case: Living off the Land Attack Detection. See this documentation for more information on importing and enabling the rules.

In Security > Rules, filtering with the “Use Case: Living off the Land Attack Detection” tag

Detects potential LotL activity by identifying malicious processes.

To customize the datafeed query and other settings such as model memory limit, frequency, query delay, bucket span and influencers for the Living off the Land Attack Detection ML jobs, follow the steps below.

1. To update the datafeed query, stop the datafeed and select Edit job from the Actions menu.
2. In the Edit job window, navigate to the Datafeed section and update the query filters. You can add or remove field values to help reduce noise and false positives based on your environment.
3. You may also update the model memory limit if your environment has high data volume or if the job requires additional resources. Go to the Job details section and update the Model memory limit and hit Save. For more information on resizing ML jobs, refer to the documentation.
4. In order to do more advanced changes to your job, clone the job by selecting Clone job from the Actions menu.
5. In the cloned job, you can update datafeed settings such as Frequency and Query delay, which help control how often data is analyzed and account for ingestion delays.
6. You can also modify the job configuration by adjusting the Bucket span and by adding or removing Influencers to improve anomaly attribution.
7. Finally, assign a new Job ID, and click on Create job, and start the datafeed to apply the updated settings.

v3.0.0 of this package requires Elastic Stack version 9.4 or later. It introduces support for Entity Analytics (EA), adding new fields for proper entity resolution.

• This package installs new ML jobs which include _ea suffix in their names, as outlined below. New detection rules are also included.
• Previously installed ML jobs and rules will continue to run, allowing time to transition to the new Entity Analytics assets.
• Important: We recommend installing the new ML jobs and verifying that they are properly set up, collecting data, and generating anomalies before deleting the old jobs and upgrading to the new version of the detection rules available in 9.4. The new detection rules reference ML job IDs with the _ea suffix and are not compatible with older versions of the jobs.

The new Entity Analytics ML job IDs are:

• problem_child_rare_process_by_host_ea
• problem_child_high_sum_by_host_ea
• problem_child_rare_process_by_user_ea
• problem_child_rare_process_by_parent_ea
• problem_child_high_sum_by_user_ea
• problem_child_high_sum_by_parent_ea

After confirming the new Entity Analytics ML jobs are running correctly, you can remove the following deprecated assets that have been superseded by the new Entity Analytics versions (Elastic stack 9.4+):

• Delete old ML jobs: Navigate to Stack Management -> Anomaly Detection Jobs and delete the following jobs:
  • problem_child_rare_process_by_host
  • problem_child_high_sum_by_host
  • problem_child_rare_process_by_user
  • problem_child_rare_process_by_parent
  • problem_child_high_sum_by_user
  • problem_child_high_sum_by_parent

v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to LotL Detection, we recommend upgrading to v2.0.0 after doing the following:

• Uninstall existing rules associated with this package: Navigate to Security > Rules and delete the following rules:
  • Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity
  • Unusual Process Spawned By a Host
  • Suspicious Windows Process Cluster Spawned by a Host
  • Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
  • Suspicious Windows Process Cluster Spawned by a Parent Process
  • Unusual Process Spawned By a User
  • Unusual Process Spawned By a Parent Process
  • Suspicious Windows Process Cluster Spawned by a User

Depending on the version of the package you're using, you might also be able to search for the above rules using the tag Living off the Land.

• Upgrade the LotL package to v2.0.0 using the steps here
• Install the new rules as described in the Enable detection rules section below

Usage in production requires that you have a license key that permits use of machine learning features.

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

×