Living Off The Land: Threat Research February 2022 Release

In this February 2022 release, the Splunk Threat Research Team (STRT) focused on comparing currently created living off the land security content with Sigma and the LOLBas project. This provided a way for STRT to review current security content and identify any gaps. With the identified LOLBins that we did not have coverage for, we assessed the in the wild usage today and prioritized those over older novel LOLBins.

Here is a demo of Living Off The Land content:

In February we tagged 73 detections some of them brand new, distributed in a single Analytics Story. We also tagged all prior content with Living Off the Land.

Focusing on Living Off The Land Binaries

Analytic stories are security use cases supported by our threat research team’s pre-built detections and responses. The following analytic stories focus on monitoring and investigating items that are related to Living Off The Land techniques. Living off the land plays an integral role in an adversaries playbook when landing in an environment. Instead of bringing in applications and new utilities, adversaries use utilities native to the operating system. This provides the adversary the ability to blend in better with native applications, providing flexibility in code execution and process behavior.

Detections Used in the Living Off The Land Analytic Stories

Living Off The Land Analytic Story

Automating with SOAR Playbooks

All of the previously listed detections create entries in the risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The following community Splunk SOAR playbooks below can also be used in conjunction with some of the previously described analytics:

Why Should You Care?

Living Off The Land binaries are nothing new, however they continue to be abused, as they provide expedite means of executing actions against compromised hosts without triggering protections (LOLBins are native to operating system or downloaded from Microsoft).

Many of these actions such as compiling or executing code, pass through execution, UAC bypass, file operations such as download, copy or upload among others can provide native tools for an attacker to operate through compromised hosts. It is important for analysts to have tools that provide them visibility and monitoring capabilities that can help address any possible threats from the abuse of living off the land binaries.

For a full list of security content, check out the release notes on Splunk Docs

• v3.35.0
• v3.36.0

Learn more

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team Jose Hernandez, Teoderick Contreras, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Lou Stella, Eric McGinnis, and Patrick Bareiss for their contribution to this release.