LOLBAS With Network Traffic

Try in Splunk Security Cloud

Description

The following analytic identifies LOLBAS with network traffic. When adversaries abuse LOLBAS they are often used to download malicious code or executables. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like downloading malicious code. Looking for these process can help defenders identify lateral movement, command-and-control, or exfiltration activies.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Network_Traffic, Endpoint
• Last Updated: 2021-12-09
• Author: Steven Dick
• ID: 2820f032-19eb-497e-8642-25b04a880359

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1105	Ingress Tool Transfer	Command And Control

T1567

Exfiltration Over Web Service

Exfiltration

T1218

System Binary Proxy Execution

Defense Evasion

Kill Chain Phase

• Exploitation
• Command & Control
• Actions on Objectives

NIST

• DE.AE
• DE.CM

CIS20

• CIS 4
• CIS 6

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where (All_Traffic.app IN ("*Regsvcs.exe", "*\\Ftp.exe", "*OfflineScannerShell.exe", "*Rasautou.exe", "*Schtasks.exe", "*Xwizard.exe", "*Pnputil.exe", "*Atbroker.exe", "*Pcwrun.exe", "*Ttdinject.exe", "*Mshta.exe", "*Bitsadmin.exe", "*Certoc.exe", "*Ieexec.exe", "*Microsoft.Workflow.Compiler.exe", "*Runscripthelper.exe", "*Forfiles.exe", "*Msbuild.exe", "*Register-cimprovider.exe", "*Tttracer.exe", "*Ie4uinit.exe", "*Bash.exe", "*Hh.exe", "*SettingSyncHost.exe", "*Cmstp.exe", "*Stordiag.exe", "*Scriptrunner.exe", "*Odbcconf.exe", "*Extexport.exe", "*Msdt.exe", "*WorkFolders.exe", "*Diskshadow.exe", "*Mavinject.exe", "*Regasm.exe", "*Gpscript.exe", "*Regsvr32.exe", "*Msiexec.exe", "*Wuauclt.exe", "*Presentationhost.exe", "*Wmic.exe", "*Runonce.exe", "*Syncappvpublishingserver.exe", "*Verclsid.exe", "*Infdefaultinstall.exe", "*Installutil.exe", "*Netsh.exe", "*Wab.exe", "*Dnscmd.exe", "*\\At.exe", "*Pcalua.exe", "*Msconfig.exe", "*makecab.exe", "*cscript.exe", "*notepad.exe", "*\\cmd.exe", "*certutil.exe", "*\\powershell.exe", "*powershell_ise.exe")) by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip 
| `drop_dm_object_name(All_Traffic)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| rex field=app ".*\\\(?<process_name>.*)$" 
| rename app as process 
| `lolbas_with_network_traffic_filter`

Macros

The SPL above uses the following Macros:

• security_content_summariesonly
• security_content_ctime

lolbas_with_network_traffic_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Processes.user
• Processes.process_id
• Processes.process_name
• Processes.process
• Processes.process_path
• Processes.dest
• Processes.parent_process_name
• Processes.parent_process
• Processes.process_guid
• All_Traffic.app
• All_Traffic.src
• All_Traffic.src_ip
• All_Traffic.dest
• All_Traffic.dest_ip
• All_Traffic.process_id

How To Implement

To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app feild. Relevant processes must also be ingested in the Endpoint data model with matching process_id feild. Sysmon EID1 and EID3 are good examples of this type this data type.

Known False Positives

Legitmate usage of internal automation or scripting, espically powershell.exe internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")

Associated Analytic Story

• Living Off The Land

RBA

Risk Score	Impact	Confidence	Message
25.0	50	50	The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://lolbas-project.github.io/#
• https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/lolbas_with_network_traffic/lolbas_with_network_traffic.log

source | version: 1