Try in Splunk Security Cloud


The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Traffic
  • Last Updated: 2024-05-11
  • Author: Steven Dick
  • ID: 2820f032-19eb-497e-8642-25b04a880359




ID Technique Tactic
T1105 Ingress Tool Transfer Command And Control
T1567 Exfiltration Over Web Service Exfiltration
T1218 System Binary Proxy Execution Defense Evasion
Kill Chain Phase
  • Command and Control
  • Actions On Objectives
  • Exploitation
  • DE.CM
  • CIS 13
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where ( IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe")) by,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip 
| `drop_dm_object_name(All_Traffic)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| rex field=app ".*\\\(?<process_name>.*)$" 
| rename app as process 
| `lolbas_with_network_traffic_filter`


The SPL above uses the following Macros:

:information_source: lolbas_with_network_traffic_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Processes.user
  • Processes.process_id
  • Processes.process_name
  • Processes.process
  • Processes.process_path
  • Processes.dest
  • Processes.parent_process_name
  • Processes.parent_process
  • Processes.process_guid
  • All_Traffic.src
  • All_Traffic.src_ip
  • All_Traffic.dest
  • All_Traffic.dest_ip
  • All_Traffic.process_id

How To Implement

To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.

Known False Positives

Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("","","","","0:0:0:0:0:0:0:1")

Associated Analytic Story


Risk Score Impact Confidence Message
25.0 50 50 The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2