Analytics Story: Living Off The Land

Description

Leverage analytics that allow you to identify the presence of an adversary leveraging native applications within your environment.

Why it matters

Living Off The Land refers to an adversary methodology of using native applications already installed on the target operating system to achieve their objective. Native utilities provide the adversary with reduced chances of detection by antivirus software or EDR tools. This allows the adversary to blend in with native process behavior.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Living Off The Land" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 5 | `living_off_the_land_detection_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows DLL Search Order Hijacking Hunt DLL Search Order Hijacking, Hijack Execution Flow Hunting
BITS Job Persistence BITS Jobs TTP
BITSAdmin Download File BITS Jobs, Ingress Tool Transfer TTP
CertUtil Download With URLCache and Split Arguments Ingress Tool Transfer TTP
CertUtil Download With VerifyCtl and Split Arguments Ingress Tool Transfer TTP
Certutil exe certificate extraction None TTP
CertUtil With Decode Argument Deobfuscate/Decode Files or Information TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Control Loading from World Writable Directory System Binary Proxy Execution, Control Panel TTP
Creation of Shadow Copy with wmic and powershell NTDS, OS Credential Dumping TTP
Detect HTML Help Renamed System Binary Proxy Execution, Compiled HTML File Hunting
Detect HTML Help Spawn Child Process System Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help URL in Command Line System Binary Proxy Execution, Compiled HTML File TTP
Detect HTML Help Using InfoTech Storage Handlers System Binary Proxy Execution, Compiled HTML File TTP
Detect mshta inline hta execution System Binary Proxy Execution, Mshta TTP
Detect mshta renamed System Binary Proxy Execution, Mshta Hunting
Detect MSHTA Url in Command Line System Binary Proxy Execution, Mshta TTP
Detect Regasm Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regasm with Network Connection System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regasm with no Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs Spawning a Process System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs with Network Connection System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvcs with No Command Line Arguments System Binary Proxy Execution, Regsvcs/Regasm TTP
Detect Regsvr32 Application Control Bypass System Binary Proxy Execution, Regsvr32 TTP
Detect Rundll32 Application Control Bypass - advpack System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Application Control Bypass - setupapi System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Application Control Bypass - syssetup System Binary Proxy Execution, Rundll32 TTP
Detect Rundll32 Inline HTA Execution System Binary Proxy Execution, Mshta TTP
Disable Schedule Task Disable or Modify Tools, Impair Defenses TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Esentutl SAM Copy Security Account Manager, OS Credential Dumping Hunting
Eventvwr UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP
LOLBAS With Network Traffic Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution TTP
MacOS LOLbin Unix Shell, Command and Scripting Interpreter TTP
MacOS plutil Plist File Modification TTP
Mmc LOLBAS Execution Process Spawn Remote Services, Distributed Component Object Model, MMC TTP
Mshta spawning Rundll32 OR Regsvr32 Process System Binary Proxy Execution, Mshta TTP
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness, Hijack Execution Flow TTP
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Anomaly
Regsvr32 with Known Silent Switch Cmdline System Binary Proxy Execution, Regsvr32 Anomaly
Remote WMI Command Attempt Windows Management Instrumentation TTP
Rundll32 Control RunDLL Hunt System Binary Proxy Execution, Rundll32 Hunting
Rundll32 Control RunDLL World Writable Directory System Binary Proxy Execution, Rundll32 TTP
Rundll32 Create Remote Thread To A Process Process Injection TTP
Rundll32 CreateRemoteThread In Browser Process Injection TTP
Rundll32 DNSQuery System Binary Proxy Execution, Rundll32 TTP
Rundll32 Process Creating Exe Dll Files System Binary Proxy Execution, Rundll32 TTP
Rundll32 Shimcache Flush Modify Registry TTP
RunDLL Loading DLL By Ordinal System Binary Proxy Execution, Rundll32 TTP
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Creation on Remote Endpoint using At Scheduled Task/Job, At TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Scheduled Task Initiation on Remote Endpoint Scheduled Task/Job, Scheduled Task TTP
Schtasks scheduling job on remote system Scheduled Task, Scheduled Task/Job TTP
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service TTP
Suspicious IcedID Rundll32 Cmdline System Binary Proxy Execution, Rundll32 TTP
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious microsoft workflow compiler usage Trusted Developer Utilities Proxy Execution TTP
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
Suspicious MSBuild Spawn Trusted Developer Utilities Proxy Execution, MSBuild TTP
Suspicious mshta child process System Binary Proxy Execution, Mshta TTP
Suspicious mshta spawn System Binary Proxy Execution, Mshta TTP
Suspicious Regsvr32 Register Suspicious Path System Binary Proxy Execution, Regsvr32 TTP
Suspicious Rundll32 dllregisterserver System Binary Proxy Execution, Rundll32 TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Svchost LOLBAS Execution Process Spawn Scheduled Task/Job, Scheduled Task TTP
Windows Binary Proxy Execution Mavinject DLL Injection Mavinject, System Binary Proxy Execution TTP
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking, Event Triggered Execution TTP
Windows Diskshadow Proxy Execution System Binary Proxy Execution TTP
Windows DLL Search Order Hijacking Hunt with Sysmon DLL Search Order Hijacking, Hijack Execution Flow Hunting
Windows DLL Search Order Hijacking with iscsicpl DLL Search Order Hijacking TTP
Windows Identify Protocol Handlers Command and Scripting Interpreter Hunting
Windows Indirect Command Execution Via forfiles Indirect Command Execution TTP
Windows Indirect Command Execution Via pcalua Indirect Command Execution TTP
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows InstallUtil Remote Network Connection InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil Uninstall Option with Network InstallUtil, System Binary Proxy Execution TTP
Windows InstallUtil URL in Command Line InstallUtil, System Binary Proxy Execution TTP
Windows Known Abused DLL Created DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow Anomaly
Windows Known Abused DLL Loaded Suspiciously DLL Search Order Hijacking, DLL Side-Loading, Hijack Execution Flow TTP
Windows LOLBAS Executed As Renamed File Masquerading, Rename System Utilities, Rundll32 TTP
Windows LOLBAS Executed Outside Expected Path Masquerading, Match Legitimate Name or Location, Rundll32 TTP
Windows MOF Event Triggered Execution via WMI Windows Management Instrumentation Event Subscription TTP
Windows Odbcconf Hunting Odbcconf Hunting
Windows Odbcconf Load DLL Odbcconf TTP
Windows Odbcconf Load Response File Odbcconf TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File, System Binary Proxy Execution TTP
Windows System Script Proxy Execution Syncappvpublishingserver System Script Proxy Execution, System Binary Proxy Execution TTP
Windows UAC Bypass Suspicious Child Process Abuse Elevation Control Mechanism, Bypass User Account Control TTP
Windows UAC Bypass Suspicious Escalation Behavior Abuse Elevation Control Mechanism, Bypass User Account Control TTP
WSReset UAC Bypass Bypass User Account Control, Abuse Elevation Control Mechanism TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
osquery N/A osquery:results osquery

References


Source: GitHub | Version: 2