Name:LOLBAS With Network Traffic id:2820f032-19eb-497e-8642-25b04a880359 version:5 date:2024-12-07 author:Steven Dick status:production type:TTP Description:The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security. Data_source:
how_to_implement:To successfully implement this detection you must ingest events into the Network traffic data model that contain the source, destination, and communicating process in the app field. Relevant processes must also be ingested in the Endpoint data model with matching process_id field. Sysmon EID1 and EID3 are good examples of this type this data type. known_false_positives:Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal to internal or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy. ie NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1") References: -https://lolbas-project.github.io/# -https://www.sans.org/presentations/lolbin-detection-methods-seven-common-attacks-revealed/ drilldown_searches: name:'View the detection results for - "$src$"' search:'%original_detection_search% | search src = "$src$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Living Off The Land' asset_type:Endpoint confidence:50 impact:50 message:The LOLBAS $process_name$ on device $src$ was seen communicating with $dest$. mitre_attack_id: - 'T1105' - 'T1567' - 'T1218' observable: name:'src' type:'Hostname' - role: - 'Victim' name:'dest' type:'Hostname' - role: - 'Attacker' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Processes.user' - 'Processes.process_id' - 'Processes.process_name' - 'Processes.process' - 'Processes.process_path' - 'Processes.dest' - 'Processes.parent_process_name' - 'Processes.parent_process' - 'Processes.process_guid' - 'All_Traffic.app' - 'All_Traffic.src' - 'All_Traffic.src_ip' - 'All_Traffic.dest' - 'All_Traffic.dest_ip' - 'All_Traffic.process_id' risk_score:25 security_domain:network
