You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.

Living off the Land Attack Detection

ML solution package to detect Living off the Land (LotL) attacks in your environment. Requires a Platinum subscription.

Version
2.1.3 (View all)
Compatible Kibana version(s)
8.9.0 or higher
Supported Serverless project types

Security
Subscription level
Platinum
Level of support
Elastic

The Living off the Land Attack (LotL) Detection package contains a supervised machine learning model, called ProblemChild and associated assets, which are used to detect living off the land (LotL) activity in your environment. This package requires a Platinum subscription. Please ensure that you have a Trial or Platinum level subscription installed on your cluster before proceeding. This package is licensed under Elastic License 2.0.

For more detailed information refer to the following blogs and webinar:

Installation

  1. Upgrading: If upgrading from a version below v2.0.0, see the section v2.0.0 and beyond.
  2. Add the Integration Package: Install the package via Management > Integrations > Add Living off the Land Detection. Configure the integration name and agent policy. Click Save and Continue.
  3. Install assets: Install the assets by clicking Settings > Install Living off the Land Detection assets.
  4. Configure the ingest pipeline: Once you’ve installed the package you can ingest your data using the ingest pipeline via the ingest pipeline. This will enrich your incoming data with its predictions from the machine learning model.
    • If using an Elastic Beat such as Winlogbeat, add the ingest pipeline to it by adding a simple configuration setting to winlogbeat.yml.
    • If adding the ingest pipeline to an existing pipeline, use a pipeline processor. For example, you can check if winlogbeat, default index pattern winlogbeat-*, or Elastic Defend, the default index pattern being logs-endpoint*, already has an ingest pipeline by navigating to Stack Management > Data > Index Management, finding the index (sometimes you need to toggle "Include hidden indices"), and checking the index's settings for a default or final pipeline.
    • To enable the enrichment policy as the default pipeline on an index, you can use this example and replace INDEX_NAME with the desired index:
    POST INDEX_NAME/_settings
    {
      "index" : {
        "default_pipeline" : "<VERSION>-problem_child_ingest_pipeline"
      }
    }
  5. Add preconfigured anomaly detection jobs: In Machine Learning > Anomaly Detection, when you create a job, you should see an option to Use preconfigured jobs with a card for Living off the Land Attack Detection. When you select the card, you will see several pre-configured anomaly detection jobs that you can enable depending on what makes the most sense for your environment. Warning: if the ingest pipeline hasn't run for some reason, such as no eligible data has come in yet, you won't be able to see this card yet. If that is the case, try troubleshooting the ingest pipeline, and if any predictions have been populated yet.
  6. Enable detection rules: You can also enable detection rules to alert on LotL activity in your environment, based on anomalies flagged by the above ML jobs. As of version 2.0.0 of this package, these rules are available as part of the Detection Engine, and can be found using the tag Use Case: Living off the Land Attack Detection. See this documentation for more information on importing and enabling the rules.

In Security > Rules, filtering with the “Use Case: Living off the Land Attack Detection” tag

Anomaly Detection Jobs

Detects potential LotL activity by identifying malicious processes.

JobDescription
problem_child_rare_process_by_host
Looks for a process that has been classified as malicious on a host that does not commonly manifest malicious process activity.
problem_child_high_sum_by_host
Looks for a set of one or more malicious child processes on a single host.
problem_child_rare_process_by_user
Looks for a process that has been classified as malicious where the user context is unusual and does not commonly manifest malicious process activity.
problem_child_rare_process_by_parent
Looks for rare malicious child processes spawned by a parent process.
problem_child_high_sum_by_user
Looks for a set of one or more malicious processes, started by the same user.
problem_child_high_sum_by_parent
Looks for a set of one or more malicious child processes spawned by the same parent process.

v2.0.0 and beyond

v2.0.0 of the package introduces breaking changes, namely deprecating detection rules from the package. To continue receiving updates to LotL Detection, we recommend upgrading to v2.0.0 after doing the following:

  • Uninstall existing rules associated with this package: Navigate to Security > Rules and delete the following rules:
    • Machine Learning Detected a Suspicious Windows Event Predicted to be Malicious Activity
    • Unusual Process Spawned By a Host
    • Suspicious Windows Process Cluster Spawned by a Host
    • Machine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score
    • Suspicious Windows Process Cluster Spawned by a Parent Process
    • Unusual Process Spawned By a User
    • Unusual Process Spawned By a Parent Process
    • Suspicious Windows Process Cluster Spawned by a User

Depending on the version of the package you're using, you might also be able to search for the above rules using the tag Living off the Land.

  • Upgrade the LotL package to v2.0.0 using the steps here
  • Install the new rules as described in the Enable detection rules section below

In version 2.1.1, the package ignores data in cold and frozen data tiers to reduce heap memory usage, avoid running on outdated data, and to follow best practices.

Licensing

Usage in production requires that you have a license key that permits use of machine learning features.

Changelog

VersionDetailsKibana version(s)

2.1.3

Enhancement View pull request
Improve package installation documentation

8.9.0 or higher

2.1.2

Enhancement View pull request
Remove "experimental" messaging from docs

8.9.0 or higher

2.1.1

Enhancement View pull request
Add query settings to ignore frozen and cold data tiers

8.9.0 or higher

2.1.0

Enhancement View pull request
Add serverless support

8.9.0 or higher

2.0.0

Enhancement View pull request
Moving detection rules to the detection-rules repo, bumped license version, subscription tier

8.9.0 or higher

1.1.2

Enhancement View pull request
Convert detection rules to EQL

8.0.0 or higher

1.1.1

Bug fix View pull request
Update blog post link and minor bug fixes

8.0.0 or higher

1.1.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

8.0.0 or higher

1.0.1

Enhancement View pull request
Add the Advanced Analytics (UEBA) subcategory

8.0.0 or higher

1.0.0

Enhancement View pull request
Update version number to follow GA format and to improve visibility

8.0.0 or higher

0.0.5

Enhancement View pull request
Cleaning up ML job groups and rule tags, documentation updates

0.0.4

Bug fix View pull request
Fix the ML jobs query.

0.0.3

Bug fix View pull request
Add a LotL tag to all rules, fix a script in the inference pipeline, update ML job configs.

0.0.2

Bug fix View pull request
Update ProblemChild integration Readme

0.0.1

Enhancement View pull request
Initial release of the package

On this page