Analytics Story: Living Off The Land

Description

Leverage analytics that identify an adversary using native applications within your environment.

Why it matters

Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objectives. Native utilities give the adversary a reduced chance of detection by antivirus software or EDR tools, because their activity blends in with normal process behavior.

The story's risk-based correlation search, which aggregates Risk data-model events attributed to this story per system and fires when at least five distinct detection sources have contributed:

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime
    sum(All_Risk.calculated_risk_score) as risk_score,
    count(All_Risk.calculated_risk_score) as risk_event_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
    values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
    from datamodel=Risk.All_Risk
    where All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system"
    by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 5
| `living_off_the_land_detection_filter`

Detections

Name | Technique | Type
Windows DLL Search Order Hijacking Hunt | DLL Search Order Hijacking | Hunting
BITS Job Persistence | BITS Jobs | TTP
BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP
CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP
CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP
Certutil exe certificate extraction | None | TTP
CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Control Loading from World Writable Directory | Control Panel | TTP
Creation of Shadow Copy with wmic and powershell | NTDS | TTP
Detect HTML Help Renamed | Compiled HTML File | Hunting
Detect HTML Help Spawn Child Process | Compiled HTML File | TTP
Detect HTML Help URL in Command Line | Compiled HTML File | TTP
Detect HTML Help Using InfoTech Storage Handlers | Compiled HTML File | TTP
Detect mshta inline hta execution | Mshta | TTP
Detect mshta renamed | Mshta | Hunting
Detect MSHTA Url in Command Line | Mshta | TTP
Detect Regasm Spawning a Process | Regsvcs/Regasm | TTP
Detect Regasm with Network Connection | Regsvcs/Regasm | TTP
Detect Regasm with no Command Line Arguments | Regsvcs/Regasm | TTP
Detect Regsvcs Spawning a Process | Regsvcs/Regasm | TTP
Detect Regsvcs with Network Connection | Regsvcs/Regasm | TTP
Detect Regsvcs with No Command Line Arguments | Regsvcs/Regasm | TTP
Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP
Detect Rundll32 Application Control Bypass - advpack | Rundll32 | TTP
Detect Rundll32 Application Control Bypass - setupapi | Rundll32 | TTP
Detect Rundll32 Application Control Bypass - syssetup | Rundll32 | TTP
Detect Rundll32 Inline HTA Execution | Mshta | TTP
Disable Schedule Task | Disable or Modify Tools | TTP
Dump LSASS via comsvcs DLL | LSASS Memory | TTP
Esentutl SAM Copy | Security Account Manager | Hunting
Eventvwr UAC Bypass | Bypass User Account Control | TTP
LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP
MacOS LOLbin | Unix Shell | TTP
MacOS plutil | Plist File Modification | TTP
Mmc LOLBAS Execution Process Spawn | Distributed Component Object Model, MMC | TTP
Mshta spawning Rundll32 OR Regsvr32 Process | Mshta | TTP
Ntdsutil Export NTDS | NTDS | TTP
Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness | TTP
Regsvr32 Silent and Install Param Dll Loading | Regsvr32 | Anomaly
Regsvr32 with Known Silent Switch Cmdline | Regsvr32 | Anomaly
Remote WMI Command Attempt | Windows Management Instrumentation | TTP
Rundll32 Control RunDLL Hunt | Rundll32 | Hunting
Rundll32 Control RunDLL World Writable Directory | Rundll32 | TTP
Rundll32 Create Remote Thread To A Process | Process Injection | TTP
Rundll32 CreateRemoteThread In Browser | Process Injection | TTP
Rundll32 DNSQuery | Rundll32 | TTP
Rundll32 Process Creating Exe Dll Files | Rundll32 | TTP
Rundll32 Shimcache Flush | Modify Registry | TTP
RunDLL Loading DLL By Ordinal | Rundll32 | TTP
Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP
Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP
Scheduled Task Creation on Remote Endpoint using At | At | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Scheduled Task Initiation on Remote Endpoint | Scheduled Task | TTP
Schtasks scheduling job on remote system | Scheduled Task | TTP
Services LOLBAS Execution Process Spawn | Windows Service | TTP
Suspicious IcedID Rundll32 Cmdline | Rundll32 | TTP
Suspicious microsoft workflow compiler rename | Rename System Utilities, Trusted Developer Utilities Proxy Execution | Hunting
Suspicious microsoft workflow compiler usage | Trusted Developer Utilities Proxy Execution | TTP
Suspicious msbuild path | Rename System Utilities, MSBuild | TTP
Suspicious MSBuild Rename | Rename System Utilities, MSBuild | Hunting
Suspicious MSBuild Spawn | MSBuild | TTP
Suspicious mshta child process | Mshta | TTP
Suspicious mshta spawn | Mshta | TTP
Suspicious Regsvr32 Register Suspicious Path | Regsvr32 | TTP
Suspicious Rundll32 dllregisterserver | Rundll32 | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Svchost LOLBAS Execution Process Spawn | Scheduled Task | TTP
Windows Binary Proxy Execution Mavinject DLL Injection | Mavinject | TTP
Windows CertUtil Download With URL Argument | Ingress Tool Transfer | TTP
Windows COM Hijacking InprocServer32 Modification | Component Object Model Hijacking | TTP
Windows Diskshadow Proxy Execution | System Binary Proxy Execution | TTP
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL Search Order Hijacking | Hunting
Windows DLL Search Order Hijacking with iscsicpl | DLL Search Order Hijacking | TTP
Windows Identify Protocol Handlers | Command and Scripting Interpreter | Hunting
Windows Indirect Command Execution Via forfiles | Indirect Command Execution | TTP
Windows Indirect Command Execution Via pcalua | Indirect Command Execution | TTP
Windows InstallUtil in Non Standard Path | Rename System Utilities, InstallUtil | TTP
Windows InstallUtil Remote Network Connection | InstallUtil | TTP
Windows InstallUtil Uninstall Option | InstallUtil | TTP
Windows InstallUtil Uninstall Option with Network | InstallUtil | TTP
Windows InstallUtil URL in Command Line | InstallUtil | TTP
Windows Known Abused DLL Created | DLL Search Order Hijacking, DLL Side-Loading | Anomaly
Windows Known Abused DLL Loaded Suspiciously | DLL Search Order Hijacking, DLL Side-Loading | TTP
Windows LOLBAS Executed As Renamed File | Rename System Utilities, Rundll32 | TTP
Windows LOLBAS Executed Outside Expected Path | Match Legitimate Name or Location, Rundll32 | TTP
Windows MOF Event Triggered Execution via WMI | Windows Management Instrumentation Event Subscription | TTP
Windows Odbcconf Hunting | Odbcconf | Hunting
Windows Odbcconf Load DLL | Odbcconf | TTP
Windows Odbcconf Load Response File | Odbcconf | TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile | Compiled HTML File | TTP
Windows System Script Proxy Execution Syncappvpublishingserver | System Script Proxy Execution, System Binary Proxy Execution | TTP
Windows UAC Bypass Suspicious Child Process | Bypass User Account Control | TTP
Windows UAC Bypass Suspicious Escalation Behavior | Bypass User Account Control | TTP
WSReset UAC Bypass | Bypass User Account Control | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
osquery | N/A | osquery:results | osquery

Source: GitHub | Version: 2