Try in Splunk Security Cloud

Description

Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic, Risk
  • Last Updated: 2022-03-16
  • Author: Lou Stella, Splunk
  • ID: 6f7982e2-900b-11ec-a54a-acde48001122

Narrative

Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.

Detections

Name Technique Type
BITS Job Persistence BITS Jobs TTP
BITSAdmin Download File BITS Jobs, Ingress Tool Transfer TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
CertUtil Download With URLCache and Split Arguments Ingress Tool Transfer TTP
CertUtil Download With VerifyCtl and Split Arguments Ingress Tool Transfer TTP
CertUtil With Decode Argument Deobfuscate/Decode Files or Information TTP
Certutil exe certificate extraction   TTP
Control Loading from World Writable Directory System Binary Proxy Execution, Control Panel TTP
Creation of Shadow Copy with wmic and powershell NTDS, OS Credential Dumping TTP
Detect HTML Help Renamed System Binary Proxy Execution, Compiled HTML File Hunting
Detect HTML Help Spawn Child Process System Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help URL in Command Line System Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help Using InfoTech Storage Handlers System Binary Proxy Execution, Compiled HTML File TTP
Detect MSHTA Url in Command Line System Binary Proxy Execution, Mshta TTP
Detect Regasm Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regasm with Network Connection System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regasm with no Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs with Network Connection System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs with No Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvr32 Application Control Bypass System Binary Proxy Execution, Regsvr32 TTP
Detect Rundll32 Application Control Bypass - advpack System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Application Control Bypass - setupapi System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Application Control Bypass - syssetup System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta TTP
Detect mshta inline hta execution System Binary Proxy Execution, Mshta TTP
Detect mshta renamed System Binary Proxy Execution, Mshta Hunting
Disable Schedule Task Disable or Modify Tools, Impair Defenses TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Esentutl SAM Copy Security Account Manager, OS Credential Dumping Hunting
Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
LOLBAS With Network Traffic Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution TTP
Living Off The Land Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services Correlation
MacOS LOLbin Unix Shell, Command and Scripting Interpreter TTP
MacOS plutil Plist File Modification TTP
Mmc LOLBAS Execution Process Spawn Remote Services, Distributed Component Object Model, MMC TTP
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta TTP
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness, Hijack Execution Flow TTP
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Anomaly
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Remote WMI Command Attempt Windows Management Instrumentation TTP
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 TTP
Rundll32 Control RunDLL Hunt System Binary Proxy Execution, Rundll32 Hunting
Rundll32 Control RunDLL World Writable Directory System Binary Proxy Execution, Rundll32 TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Rundll32 DNSQuery System Binary Proxy Execution, Rundll32 TTP
Rundll32 Process Creating Exe Dll Files System Binary Proxy Execution, Rundll32 TTP
Rundll32 Shimcache Flush Modify Registry TTP
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Creation on Remote Endpoint using At Scheduled Task/Job, At TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Scheduled Task Initiation on Remote Endpoint Scheduled Task/Job, Scheduled Task TTP
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service TTP
Suspicious IcedID Rundll32 Cmdline System Binary Proxy Execution, Rundll32 TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild TTP
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 TTP
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution TTP
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious mshta child process System Binary Proxy Execution, Mshta TTP
Suspicious mshta spawn System Binary Proxy Execution, Mshta TTP
Svchost LOLBAS Execution Process Spawn Scheduled Task/Job, Scheduled Task TTP
WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Windows Binary Proxy Execution Mavinject DLL Injection Mavinject, System Binary Proxy Execution TTP
Windows Bits Job Persistence BITS Jobs TTP
Windows Bitsadmin Download File BITS Jobs, Ingress Tool Transfer TTP
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution TTP
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution TTP
Windows CertUtil Decode File Deobfuscate/Decode Files or Information TTP
Windows CertUtil URLCache Download Ingress Tool Transfer TTP
Windows CertUtil VerifyCtl Download Ingress Tool Transfer TTP
Windows DLL Search Order Hijacking Hunt DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Search Order Hijacking with iscsicpl DLL Search Order Hijacking TTP
Windows Defender Tools in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Diskshadow Proxy Execution System Binary Proxy Execution TTP
Windows Diskshadow Proxy Execution System Binary Proxy Execution Anomaly
Windows Identify Protocol Handlers Command and Scripting Interpreter Hunting
Windows Indirect Command Execution Via forfiles Indirect Command Execution TTP
Windows Indirect Command Execution Via pcalua Indirect Command Execution TTP
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows Known Abused DLL Created DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow Anomaly
Windows MOF Event Triggered Execution via WMI Windows Management Instrumentation Event Subscription TTP
Windows MSHTA Child Process Mshta, System Binary Proxy Execution TTP
Windows MSHTA Command-Line URL Mshta, System Binary Proxy Execution TTP
Windows MSHTA Inline HTA Execution Mshta, System Binary Proxy Execution TTP
Windows OS Credential Dumping with Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Windows Odbcconf Hunting Odbcconf Hunting
Windows Odbcconf Load DLL Odbcconf TTP
Windows Odbcconf Load Response File Odbcconf TTP
Windows Odbcconf Load Response File Odbcconf, System Binary Proxy Execution TTP
Windows PowerShell Start-BitsTransfer BITS Jobs, Ingress Tool Transfer TTP
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution, Process Injection TTP
Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities At exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path Masquerading, Rename System Utilities Anomaly
Windows Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta TTP
Windows Script Host Spawn MSBuild MSBuild, Trusted Developer Utilities Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File URL In Command Line Compiled HTML File, System Binary Proxy Execution TTP
Windows System Binary Proxy Execution Compiled HTML File Using InfoTech Storage Handlers Compiled HTML File, System Binary Proxy Execution TTP
Windows System Script Proxy Execution Syncappvpublishingserver System Script Proxy Execution, System Binary Proxy Execution TTP
Windows UAC Bypass Suspicious Child Process Abuse Elevation Control Mechanism, Bypass User Account Control TTP
Windows UAC Bypass Suspicious Escalation Behavior Abuse Elevation Control Mechanism, Bypass User Account Control TTP
Windows WMIPrvse Spawn MSBuild Trusted Developer Utilities Proxy Execution, MSBuild TTP

Reference

source | version: 2