Detection: LOLBAS With Network Traffic

Updated Date: 2024-12-16 ID: 2820f032-19eb-497e-8642-25b04a880359 Author: Steven Dick Type: TTP Product: Splunk Enterprise Security

Description

The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.

Search

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe", "*\\pwsh.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip 
3| `drop_dm_object_name(All_Traffic)` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| rex field=app ".*\\\(?<process_name>.*)$" 
7| rename app as process 
8| `lolbas_with_network_traffic_filter`

Data Source

Name	Platform	Sourcetype	Source
Sysmon EventID 3	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
lolbas_with_network_traffic_filter	`search *`

lolbas_with_network_traffic_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1105	Ingress Tool Transfer	Command And Control
T1567	Exfiltration Over Web Service	Exfiltration
T1218	System Binary Proxy Execution	Defense Evasion

Actions on Objectives

Command and Control

Exploitation

DE.CM

CIS 13

APT-C-36

APT18

APT28

APT29

APT3

APT32

APT33

APT37

APT38

APT39

APT41

Ajax Security Team

Andariel

Aquatic Panda

BITTER

BRONZE BUTLER

BackdoorDiplomacy

Chimera

Cinnamon Tempest

Cobalt Group

Confucius

Daggerfly

Darkhotel

Dragonfly

Elderwood

Evilnum

FIN13

FIN7

FIN8

Fox Kitten

GALLIUM

Gamaredon Group

Gorgon Group

HAFNIUM

HEXANE

INC Ransom

IndigoZebra

Indrik Spider

Ke3chang

Kimsuky

Lazarus Group

LazyScripter

Leviathan

LuminousMoth

Magic Hound

Metador

Molerats

Moonstone Sleet

Moses Staff

MuddyWater

Mustang Panda

Mustard Tempest

Nomadic Octopus

OilRig

PLATINUM

Patchwork

Play

Rancor

Rocke

Sandworm Team

SideCopy

Sidewinder

Silence

TA2541

TA505

TA551

TeamTNT

Threat Group-3390

Tonto Team

Tropic Trooper

Turla

Volatile Cedar

Volt Typhoon

WIRTE

Whitefly

Windshift

Winnti Group

Winter Vivern

Wizard Spider

ZIRCONIUM

menuPass

APT28

Magic Hound

Lazarus Group

Volt Typhoon

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app field. Relevant processes must also be ingested in the Endpoint data model with matching process_id field. Sysmon EID1 and EID3 are good examples of this type this data type.

Known False Positives

Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")

Associated Analytic Story

Living Off The Land

Risk Based Analytics (RBA)

Risk Message:

The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.

Risk Object	Risk Object Type	Risk Score	Threat Objects
src	system	25	dest_ip

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 6