
Description

Analytics that identify the presence of an adversary using native applications within your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-03-16
  • Author: Lou Stella, Splunk
  • ID: 6f7982e2-900b-11ec-a54a-acde48001122

Narrative

Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objectives. Native utilities reduce the adversary's chances of detection by antivirus software or EDR tools, allowing them to blend in with normal process behavior.

Detections

Name | Technique | Type
BITS Job Persistence | BITS Jobs | TTP
BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP
CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP
CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP
Certutil exe certificate extraction | None | TTP
CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Control Loading from World Writable Directory | Signed Binary Proxy Execution, Control Panel | TTP
Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP
Detect HTML Help Renamed | Signed Binary Proxy Execution, Compiled HTML File | Hunting
Detect HTML Help Spawn Child Process | Signed Binary Proxy Execution, Compiled HTML File | TTP
Detect HTML Help URL in Command Line | Signed Binary Proxy Execution, Compiled HTML File | TTP
Detect HTML Help Using InfoTech Storage Handlers | Signed Binary Proxy Execution, Compiled HTML File | TTP
Detect mshta inline hta execution | Signed Binary Proxy Execution, Mshta | TTP
Detect mshta renamed | Signed Binary Proxy Execution, Mshta | Hunting
Detect MSHTA Url in Command Line | Signed Binary Proxy Execution, Mshta | TTP
Detect Regasm Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with no Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with No Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvr32 Application Control Bypass | Signed Binary Proxy Execution, Regsvr32 | TTP
Detect Rundll32 Application Control Bypass - advpack | Signed Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Application Control Bypass - setupapi | Signed Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Application Control Bypass - syssetup | Signed Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Inline HTA Execution | Signed Binary Proxy Execution, Mshta | TTP
Disable Schedule Task | Disable or Modify Tools, Impair Defenses | TTP
Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP
Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting
Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
MacOS LOLbin | Unix Shell, Command and Scripting Interpreter | TTP
MacOS plutil | Plist Modification | TTP
Mmc LOLBAS Execution Process Spawn | Remote Services, Distributed Component Object Model | TTP
Mshta spawning Rundll32 OR Regsvr32 Process | Signed Binary Proxy Execution, Mshta | TTP
Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP
Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness, Hijack Execution Flow | TTP
Regsvr32 Silent and Install Param Dll Loading | Signed Binary Proxy Execution, Regsvr32 | Anomaly
Regsvr32 with Known Silent Switch Cmdline | Signed Binary Proxy Execution, Regsvr32 | Anomaly
Remote WMI Command Attempt | Windows Management Instrumentation | TTP
Rundll32 Control RunDLL Hunt | Signed Binary Proxy Execution, Rundll32 | Hunting
Rundll32 Control RunDLL World Writable Directory | Signed Binary Proxy Execution, Rundll32 | TTP
Rundll32 Create Remote Thread To A Process | Process Injection | TTP
Rundll32 CreateRemoteThread In Browser | Process Injection | TTP
Rundll32 DNSQuery | Signed Binary Proxy Execution, Rundll32 | TTP
Rundll32 Process Creating Exe Dll Files | Signed Binary Proxy Execution, Rundll32 | TTP
Rundll32 Shimcache Flush | Modify Registry | TTP
RunDLL Loading DLL By Ordinal | Signed Binary Proxy Execution, Rundll32 | TTP
Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP
Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP
Scheduled Task Creation on Remote Endpoint using At | Scheduled Task/Job, At (Windows) | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Scheduled Task Initiation on Remote Endpoint | Scheduled Task/Job, Scheduled Task | TTP
Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP
Services LOLBAS Execution Process Spawn | Create or Modify System Process, Windows Service | TTP
Suspicious IcedID Rundll32 Cmdline | Signed Binary Proxy Execution, Rundll32 | TTP
Suspicious microsoft workflow compiler rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities | Hunting
Suspicious microsoft workflow compiler usage | Trusted Developer Utilities Proxy Execution | TTP
Suspicious msbuild path | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | TTP
Suspicious MSBuild Rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | Hunting
Suspicious MSBuild Spawn | Trusted Developer Utilities Proxy Execution, MSBuild | TTP
Suspicious mshta child process | Signed Binary Proxy Execution, Mshta | TTP
Suspicious mshta spawn | Signed Binary Proxy Execution, Mshta | TTP
Suspicious Regsvr32 Register Suspicious Path | Signed Binary Proxy Execution, Regsvr32 | TTP
Suspicious Rundll32 dllregisterserver | Signed Binary Proxy Execution, Rundll32 | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Svchost LOLBAS Execution Process Spawn | Scheduled Task/Job, Scheduled Task | TTP
Windows Diskshadow Proxy Execution | Signed Binary Proxy Execution | TTP
Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP
Windows Indirect Command Execution Via pcalua | Indirect Command Execution | TTP
Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, Signed Binary Proxy Execution, InstallUtil | TTP
Windows InstallUtil Remote Network Connection | InstallUtil, Signed Binary Proxy Execution | TTP
Windows InstallUtil Uninstall Option | InstallUtil, Signed Binary Proxy Execution | TTP
Windows InstallUtil Uninstall Option with Network | InstallUtil, Signed Binary Proxy Execution | TTP
Windows InstallUtil URL in Command Line | InstallUtil, Signed Binary Proxy Execution | TTP
WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP

Reference

source | version: 2