Analytics Story: Living Off The Land

Updated Date: 2026-05-13 ID: 6f7982e2-900b-11ec-a54a-acde48001122 Author: Lou Stella, Splunk Product: Splunk Enterprise Security

Description

Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.

Why it matters

Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.

Correlation Search

Living Off The Land Detection

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count FROM datamodel=Risk.All_Risk
2  WHERE All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system"
3  BY All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
4| `drop_dm_object_name(All_Risk)`
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| where source_count >= 5
8| `living_off_the_land_detection_filter`

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Detect HTML Help Renamed	Compiled HTML File	Hunting
Eventvwr UAC Bypass	Bypass User Account Control	TTP
Rundll32 Create Remote Thread To A Process	Process Injection	TTP
Windows InstallUtil in Non Standard Path	Rename Legitimate Utilities, InstallUtil	TTP
Detect HTML Help Using InfoTech Storage Handlers	Compiled HTML File	TTP
Esentutl SAM Copy	Security Account Manager	Hunting
Windows Odbcconf Load Response File	Odbcconf	TTP
Suspicious Regsvr32 Register Suspicious Path	Regsvr32	TTP
Rundll32 CreateRemoteThread In Browser	Process Injection	TTP
Ntdsutil Export NTDS	NTDS	TTP
Schedule Task with HTTP Command Arguments	Scheduled Task/Job	TTP
Suspicious MSBuild Spawn	MSBuild	TTP
Detect HTML Help Spawn Child Process	Compiled HTML File	TTP
Windows Rundll32 with Non-Standard File Extension	Rundll32	Anomaly
Suspicious MSBuild Rename	Rename Legitimate Utilities, MSBuild	Hunting
Detect MSHTA Url in Command Line	Mshta	TTP
Mmc LOLBAS Execution Process Spawn	Distributed Component Object Model, MMC	TTP
Disable Schedule Task	Disable or Modify Tools	Anomaly
Suspicious microsoft workflow compiler usage	Trusted Developer Utilities Proxy Execution	TTP
Detect mshta renamed	Mshta	Hunting
Detect Rundll32 Inline HTA Execution	Mshta	TTP
Detect Regasm Spawning a Process	Regsvcs/Regasm	TTP
Detect HTML Help URL in Command Line	Compiled HTML File	TTP
Windows Odbcconf Load DLL	Odbcconf	TTP
BITS Job Persistence	BITS Jobs	TTP
Windows Odbcconf Hunting	Odbcconf	Hunting
WSReset UAC Bypass	Bypass User Account Control	TTP
Services LOLBAS Execution Process Spawn	Windows Service	TTP
Detect Regsvcs with No Command Line Arguments	Regsvcs/Regasm	TTP
Windows Application Whitelisting Bypass Attempt via Rundll32	Rundll32	TTP
Windows LOLBAS Executed Outside Expected Path	Match Legitimate Resource Name or Location, Rundll32	Anomaly
Schedule Task with Rundll32 Command Trigger	Scheduled Task/Job	TTP
Windows Diskshadow Proxy Execution	System Binary Proxy Execution	TTP
Windows InstallUtil URL in Command Line	InstallUtil	TTP
Detect mshta inline hta execution	Mshta	TTP
Windows File Download Via CertUtil	Ingress Tool Transfer	TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile	Compiled HTML File	TTP
Suspicious mshta child process	Mshta	TTP
Svchost LOLBAS Execution Process Spawn	Scheduled Task	TTP
Detect Regsvr32 Application Control Bypass	Regsvr32	TTP
Windows Indirect Command Execution Via forfiles	Indirect Command Execution	TTP
Windows Scheduled Task Created in a Group Policy Object	Scheduled Task, Group Policy Modification	TTP
Windows MOF Event Triggered Execution via WMI	Windows Management Instrumentation Event Subscription	TTP
Suspicious IcedID Rundll32 Cmdline	Rundll32	TTP
Regsvr32 Silent and Install Param Dll Loading	Regsvr32	Anomaly
Dump LSASS via comsvcs DLL	LSASS Memory	TTP
Regsvr32 with Known Silent Switch Cmdline	Regsvr32	Anomaly
Scheduled Task Deleted Or Created via CMD	Scheduled Task	Anomaly
Windows InstallUtil Remote Network Connection	InstallUtil	Anomaly
Windows Binary Proxy Execution Mavinject DLL Injection	Mavinject	TTP
Windows Crowdstrike RTR Script Execution	PowerShell	Anomaly
Windows LOLBAS Executed As Renamed File	Rename Legitimate Utilities, Rundll32	TTP
Suspicious Scheduled Task from Public Directory	Scheduled Task	Anomaly
Windows Indirect Command Execution Via pcalua	Indirect Command Execution	TTP
Detect Regasm with no Command Line Arguments	Regsvcs/Regasm	TTP
Suspicious msbuild path	Rename Legitimate Utilities, MSBuild	TTP
Windows DLL Search Order Hijacking with iscsicpl	DLL	TTP
Scheduled Task Creation on Remote Endpoint using At	At	TTP
Detect Regsvcs Spawning a Process	Regsvcs/Regasm	TTP
Windows UAC Bypass Suspicious Child Process	Bypass User Account Control	TTP
Mshta spawning Rundll32 OR Regsvr32 Process	Mshta	TTP
Suspicious Rundll32 dllregisterserver	Rundll32	TTP
LOLBAS With Network Traffic	Ingress Tool Transfer, System Binary Proxy Execution, Exfiltration Over Web Service	TTP
Windows COM Hijacking InprocServer32 Modification	Component Object Model Hijacking	TTP
RunDLL Loading DLL By Ordinal	Rundll32	TTP
Control Loading from World Writable Directory	Control Panel	TTP
Rundll32 Process Creating Exe Dll Files	Rundll32	TTP
Windows InstallUtil Uninstall Option	InstallUtil	TTP
Detect Regsvcs with Network Connection	Regsvcs/Regasm	TTP
MacOS LOLbin	Unix Shell	TTP
Windows MSC EvilTwin Directory Path Manipulation	Match Legitimate Resource Name or Location, Exploitation for Client Execution, System Binary Proxy Execution	TTP
Suspicious microsoft workflow compiler rename	Rename Legitimate Utilities, Trusted Developer Utilities Proxy Execution	Hunting
Certutil exe certificate extraction	Steal or Forge Authentication Certificates	TTP
Reg exe Manipulating Windows Services Registry Keys	Services Registry Permissions Weakness	TTP
Windows Identify Protocol Handlers	Command and Scripting Interpreter	Hunting
BITSAdmin Download File	Ingress Tool Transfer, BITS Jobs	TTP
Windows UAC Bypass Suspicious Escalation Behavior	Bypass User Account Control	TTP
Curl Execution with Percent Encoded URL	Obfuscated Files or Information, Ingress Tool Transfer	Anomaly
Remote WMI Command Attempt	Windows Management Instrumentation	TTP
Suspicious mshta spawn	Mshta	TTP
Windows DLL Search Order Hijacking Hunt with Sysmon	DLL	Hunting
Detect Regasm with Network Connection	Regsvcs/Regasm	TTP
Scheduled Task Initiation on Remote Endpoint	Scheduled Task	TTP
Rundll32 Control RunDLL Hunt	Rundll32	Hunting
Rundll32 Control RunDLL World Writable Directory	Rundll32	TTP
CMD Carry Out String Command Parameter	Windows Command Shell	Hunting
CertUtil With Decode Argument	Deobfuscate/Decode Files or Information	TTP
Schtasks scheduling job on remote system	Scheduled Task	TTP
Windows SSH Proxy Command	PowerShell, Ingress Tool Transfer, Protocol Tunneling	Anomaly
Windows Known Abused DLL Created	DLL	Anomaly
Creation of Shadow Copy with wmic and powershell	NTDS	TTP
Windows System Script Proxy Execution Syncappvpublishingserver	System Script Proxy Execution, System Binary Proxy Execution	TTP
Rundll32 DNSQuery	Rundll32	TTP
Rundll32 Shimcache Flush	Modify Registry	TTP
Windows Known Abused DLL Loaded Suspiciously	DLL	TTP
MacOS plutil	Plist File Modification	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	Other	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 13	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 8	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4698	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Cisco Network Visibility Module Flow Data	Network	`cisco:nvm:flowdata`	`not_applicable`
Sysmon EventID 12	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 5145	Windows	`XmlWinEventLog`	`XmlWinEventLog:Security`
Sysmon EventID 3	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Osquery Results	Other	`osquery:results`	`osquery`
Sysmon for Linux EventID 1	Linux	`sysmon:linux`	`Syslog:Linux-Sysmon/Operational`
Sysmon EventID 7	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 22	Windows	`XmlWinEventLog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

References

https://lolbas-project.github.io/

Source: GitHub | Version: 3