LOLBAS With Network Traffic

Author: Steven Dick
Source: upstream

The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.

MITRE ATT&CK coverage

Tactic            | Techniques
Defense Evasion   | T1218 System Binary Proxy Execution
Command & Control | T1105 Ingress Tool Transfer
Exfiltration      | T1567 Exfiltration Over Web Service

Event coverage

Provider | Event ID | Title
Sysmon   | 3        | Network connection

Stages and Predicates

Stage 1: tstats

tstats WHERE NOT All_Traffic.dest_ip IN ("10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.0.8/32", "192.0.0.9/32", "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")
    All_Traffic.app IN ("*\\At.exe", "*\\Atbroker.exe", "*\\Bash.exe", "*\\Bitsadmin.exe", "*\\Certoc.exe", "*\\Cmstp.exe", "*\\Diskshadow.exe", "*\\Dnscmd.exe", "*\\Extexport.exe", "*\\Forfiles.exe", "*\\Ftp.exe", "*\\Gpscript.exe", "*\\Hh.exe", "*\\Ie4uinit.exe", "*\\Ieexec.exe", "*\\Infdefaultinstall.exe", "*\\Installutil.exe", "*\\Mavinject.exe", "*\\Microsoft.Workflow.Compiler.exe", "*\\Msbuild.exe", "*\\Msconfig.exe", "*\\Msdt.exe", "*\\Mshta.exe", "*\\Msiexec.exe", "*\\Netsh.exe", "*\\Odbcconf.exe", "*\\OfflineScannerShell.exe", "*\\Pcalua.exe", "*\\Pcwrun.exe", "*\\Pnputil.exe", "*\\Presentationhost.exe", "*\\Rasautou.exe", "*\\Regasm.exe", "*\\Register-cimprovider.exe", "*\\Regsvcs.exe", "*\\Regsvr32.exe", "*\\Runonce.exe", "*\\Runscripthelper.exe", "*\\Schtasks.exe", "*\\Scriptrunner.exe", "*\\SettingSyncHost.exe", "*\\Stordiag.exe", "*\\Syncappvpublishingserver.exe", "*\\Ttdinject.exe", "*\\Tttracer.exe", "*\\Verclsid.exe", "*\\Wab.exe", "*\\Wmic.exe", "*\\WorkFolders.exe", "*\\Wuauclt.exe", "*\\Xwizard.exe", "*\\certutil.exe", "*\\cmd.exe", "*\\cscript.exe", "*\\makecab.exe", "*\\notepad.exe", "*\\powershell.exe", "*\\powershell_ise.exe", "*\\pwsh.exe")
    BY All_Traffic.action, All_Traffic.app, All_Traffic.dest, All_Traffic.dest_ip, All_Traffic.dest_port, All_Traffic.direction, All_Traffic.dvc, All_Traffic.protocol, All_Traffic.protocol_version, All_Traffic.src, All_Traffic.src_ip, All_Traffic.src_port, All_Traffic.transport, All_Traffic.user, All_Traffic.vendor_product

Stage 2: search

search

Stage 3: search

search

Stage 4: search

search

Stage 5: rex

rex field=app ...

Stage 6: search

search `macro`

Exclusions

Top-level NOT(...) conjuncts — predicates this rule actively suppresses.

Stage | Field               | Kind | Excluded values
1     | All_Traffic.dest_ip | in   | "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.0.8/32", "192.0.0.9/32", "192.0.2.0/24", "192.168.0.0/16", "192.175.48.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field: All_Traffic.app
Kind: in
Values:
  • "*\\At.exe"
  • "*\\Atbroker.exe"
  • "*\\Bash.exe"
  • "*\\Bitsadmin.exe"
  • "*\\Certoc.exe"
  • "*\\Cmstp.exe"
  • "*\\Diskshadow.exe"
  • "*\\Dnscmd.exe"
  • "*\\Extexport.exe"
  • "*\\Forfiles.exe"
  • "*\\Ftp.exe"
  • "*\\Gpscript.exe"
  • "*\\Hh.exe"
  • "*\\Ie4uinit.exe"
  • "*\\Ieexec.exe"
  • "*\\Infdefaultinstall.exe"
  • "*\\Installutil.exe"
  • "*\\Mavinject.exe"
  • "*\\Microsoft.Workflow.Compiler.exe"
  • "*\\Msbuild.exe"
  • "*\\Msconfig.exe"
  • "*\\Msdt.exe"
  • "*\\Mshta.exe"
  • "*\\Msiexec.exe"
  • "*\\Netsh.exe"
  • "*\\Odbcconf.exe"
  • "*\\OfflineScannerShell.exe"
  • "*\\Pcalua.exe"
  • "*\\Pcwrun.exe"
  • "*\\Pnputil.exe"
  • "*\\Presentationhost.exe"
  • "*\\Rasautou.exe"
  • "*\\Regasm.exe"
  • "*\\Register-cimprovider.exe"
  • "*\\Regsvcs.exe"
  • "*\\Regsvr32.exe"
  • "*\\Runonce.exe"
  • "*\\Runscripthelper.exe"
  • "*\\Schtasks.exe"
  • "*\\Scriptrunner.exe"
  • "*\\SettingSyncHost.exe"
  • "*\\Stordiag.exe"
  • "*\\Syncappvpublishingserver.exe"
  • "*\\Ttdinject.exe"
  • "*\\Tttracer.exe"
  • "*\\Verclsid.exe"
  • "*\\Wab.exe"
  • "*\\Wmic.exe"
  • "*\\WorkFolders.exe"
  • "*\\Wuauclt.exe"
  • "*\\Xwizard.exe"
  • "*\\certutil.exe"
  • "*\\cmd.exe"
  • "*\\cscript.exe"
  • "*\\makecab.exe"
  • "*\\notepad.exe"
  • "*\\powershell.exe"
  • "*\\powershell_ise.exe"
  • "*\\pwsh.exe"