SECURITY

Living Off The Land: Threat Research February 2022 Release

By Splunk Threat Research Team March 31, 2022

In this February 2022 release, the Splunk Threat Research Team (STRT) focused on comparing currently created living off the land security content with Sigma and the LOLBas project. This provided a way for STRT to review current security content and identify any gaps. With the identified LOLBins that we did not have coverage for, we assessed the in the wild usage today and prioritized those over older novel LOLBins.

Here is a demo of Living Off The Land content:

In February we tagged 73 detections some of them brand new, distributed in a single Analytics Story. We also tagged all prior content with Living Off the Land.

Focusing on Living Off The Land Binaries

Analytic stories are security use cases supported by our threat research team’s pre-built detections and responses. The following analytic stories focus on monitoring and investigating items that are related to Living Off The Land techniques. Living off the land plays an integral role in an adversaries playbook when landing in an environment. Instead of bringing in applications and new utilities, adversaries use utilities native to the operating system. This provides the adversary the ability to blend in better with native applications, providing flexibility in code execution and process behavior.

Detections Used in the Living Off The Land Analytic Stories

Living Off The Land Analytic Story

Name	Technique	Type
BITS Job Persistence	BITS Jobs	TTP
BITSAdmin Download File	BITS Jobs, Ingress Tool Transfer	TTP
CertUtil Download With URLCache and Split Arguments	Ingress Tool Transfer	TTP
CertUtil Download With VerifyCtl and Split Arguments	Ingress Tool Transfer	TTP
Certutil exe certificate extraction	None	TTP
CertUtil With Decode Argument	Deobfuscate/Decode Files or Information	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
Control Loading from World Writable Directory	Signed Binary Proxy Execution, Control Panel	TTP
Creation of Shadow Copy with wmic and powershell	NTDS, OS Credential Dumping	TTP
Detect HTML Help Renamed	Signed Binary Proxy Execution, Compiled HTML File	Hunting
Detect HTML Help Spawn Child Process	Signed Binary Proxy Execution, Compiled HTML File	TTP
Detect HTML Help URL in Command Line	Signed Binary Proxy Execution, Compiled HTML File	TTP
Detect HTML Help Using InfoTech Storage Handlers	Signed Binary Proxy Execution, Compiled HTML File	TTP
Detect mshta inline hta execution	Signed Binary Proxy Execution, Mshta	TTP
Detect mshta renamed	Signed Binary Proxy Execution, Mshta	Hunting
Detect MSHTA Url in Command Line	Signed Binary Proxy Execution, Mshta	TTP
Detect Regasm Spawning a Process	Signed Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regasm with Network Connection	Signed Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regasm with no Command Line Arguments	Signed Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs Spawning a Process	Signed Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs with Network Connection	Signed Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvcs with No Command Line Arguments	Signed Binary Proxy Execution, Regsvcs/Regasm	TTP
Detect Regsvr32 Application Control Bypass	Signed Binary Proxy Execution, Regsvr32	TTP
Detect Rundll32 Application Control Bypass - advpack	Signed Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Application Control Bypass - setupapi	Signed Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Application Control Bypass - syssetup	Signed Binary Proxy Execution, Rundll32	TTP
Detect Rundll32 Inline HTA Execution	Signed Binary Proxy Execution, Mshta	TTP
Disable Schedule Task	Disable or Modify Tools, Impair Defenses	TTP
Dump LSASS via comsvcs DLL	LSASS Memory, OS Credential Dumping	TTP
Esentutl SAM Copy	Security Account Manager, OS Credential Dumping	Hunting
Eventvwr UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
MacOS LOLbin	Unix Shell, Command and Scripting Interpreter	TTP
Mmc LOLBAS Execution Process Spawn	Remote Services, Distributed Component Object Model	TTP
Mshta spawning Rundll32 OR Regsvr32 Process	Signed Binary Proxy Execution, Mshta	TTP
Ntdsutil Export NTDS	NTDS, OS Credential Dumping	TTP
Reg exe Manipulating Windows Services Registry Keys	Services Registry Permissions Weakness, Hijack Execution Flow	TTP
Regsvr32 Silent and Install Param Dll Loading	Signed Binary Proxy Execution, Regsvr32	Anomaly
Regsvr32 with Known Silent Switch Cmdline	Signed Binary Proxy Execution, Regsvr32	Anomaly
Remote WMI Command Attempt	Windows Management Instrumentation	TTP
Rundll32 Control RunDLL Hunt	Signed Binary Proxy Execution, Rundll32	Hunting
Rundll32 Control RunDLL World Writable Directory	Signed Binary Proxy Execution, Rundll32	TTP
Rundll32 Create Remote Thread To A Process	Process Injection	TTP
Rundll32 CreateRemoteThread In Browser	Process Injection	TTP
Rundll32 DNSQuery	Signed Binary Proxy Execution, Rundll32	TTP
Rundll32 Process Creating Exe Dll Files	Signed Binary Proxy Execution, Rundll32	TTP
Rundll32 Shimcache Flush	Modify Registry	TTP
RunDLL Loading DLL By Ordinal	Signed Binary Proxy Execution, Rundll32	TTP
Schedule Task with HTTP Command Arguments	Scheduled Task/Job	TTP
Schedule Task with Rundll32 Command Trigger	Scheduled Task/Job	TTP
Scheduled Task Creation on Remote Endpoint using At	Scheduled Task/Job, At (Windows)	TTP
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Scheduled Task Initiation on Remote Endpoint	Scheduled Task/Job, Scheduled Task	TTP
Schtasks scheduling job on remote system	Scheduled Task, Scheduled Task/Job	TTP
Services LOLBAS Execution Process Spawn	Create or Modify System Process, Windows Service	TTP
Suspicious IcedID Rundll32 Cmdline	Signed Binary Proxy Execution, Rundll32	TTP
Suspicious microsoft workflow compiler rename	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities	Hunting
Suspicious microsoft workflow compiler usage	Trusted Developer Utilities Proxy Execution	TTP
Suspicious msbuild path	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild	TTP
Suspicious MSBuild Rename	Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild	TTP
Suspicious MSBuild Spawn	Trusted Developer Utilities Proxy Execution, MSBuild	TTP
Suspicious mshta child process	Signed Binary Proxy Execution, Mshta	TTP
Suspicious mshta spawn	Signed Binary Proxy Execution, Mshta	TTP
Suspicious Regsvr32 Register Suspicious Path	Signed Binary Proxy Execution, Regsvr32	TTP
Suspicious Rundll32 dllregisterserver	Signed Binary Proxy Execution, Rundll32	TTP
Suspicious Scheduled Task from Public Directory	Scheduled Task, Scheduled Task/Job	Anomaly
Svchost LOLBAS Execution Process Spawn	Scheduled Task/Job, Scheduled Task	TTP
Windows Diskshadow Proxy Execution	Signed Binary Proxy Execution	TTP
Windows InstallUtil in Non Standard Path	Masquerading, Rename System Utilities, Signed Binary Proxy Execution, InstallUtil	TTP
Windows InstallUtil Remote Network Connection	InstallUtil, Signed Binary Proxy Execution	TTP
Windows InstallUtil Uninstall Option	InstallUtil, Signed Binary Proxy Execution	TTP
Windows InstallUtil Uninstall Option with Network	InstallUtil, Signed Binary Proxy Execution	TTP
Windows InstallUtil URL in Command Line	InstallUtil, Signed Binary Proxy Execution	TTP
WSReset UAC Bypass	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP

Automating with SOAR Playbooks

All of the previously listed detections create entries in the risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The following community Splunk SOAR playbooks below can also be used in conjunction with some of the previously described analytics:

Playbook	Description
Internal Host SSH Investigate	Investigate an internal *nix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.
Internal Host WinRM Investigate	Performs a general investigation on key aspects of a windows device using windows remote management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault.
Delete Detected Files	This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a “more” command on the file in question to extract its contents. We then run a delete on the file in question.

Why Should You Care?

Living Off The Land binaries are nothing new, however they continue to be abused, as they provide expedite means of executing actions against compromised hosts without triggering protections (LOLBins are native to operating system or downloaded from Microsoft).

Many of these actions such as compiling or executing code, pass through execution, UAC bypass, file operations such as download, copy or upload among others can provide native tools for an attacker to operate through compromised hosts. It is important for analysts to have tools that provide them visibility and monitoring capabilities that can help address any possible threats from the abuse of living off the land binaries.

For a full list of security content, check out the release notes on Splunk Docs

Learn more

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub, and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team Jose Hernandez, Teoderick Contreras, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Lou Stella, Eric McGinnis, and Patrick Bareiss for their contribution to this release.

Posted by

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.