Detection rules › Splunk
Windows LOLBAS Executed Outside Expected Path
The following analytic identifies a LOLBAS process being executed outside of its expected location. Processes executed outside of their expected locations may indicate that an adversary is attempting to evade defenses or execute malicious code. The LOLBAS project documents Windows native binaries that threat actors can abuse to perform tasks such as executing malicious code.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1036.005 Masquerading: Match Legitimate Resource Name or Location, T1218.011 System Binary Proxy Execution: Rundll32 |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: tstats
tstats WHERE NOT Processes.process_path IN ("*:\\Windows\\SysWOW64\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\WinSxS\\*", "*\\PROGRA~*", "*\\Program Files \(x86\)\\", "*\\Program Files\\") BY Processes.action, Processes.dest, Processes.original_file_name, Processes.parent_process, Processes.parent_process_exec, Processes.parent_process_guid, Processes.parent_process_id, Processes.parent_process_name, Processes.parent_process_path, Processes.process, Processes.process_exec, Processes.process_guid, Processes.process_hash, Processes.process_id, Processes.process_integrity_level, Processes.process_name, Processes.process_path, Processes.user, Processes.user_id, Processes.vendor_product
Stage 2: search
search
Stage 3: lookup
lookup <lookup> desc, description, lolbas_file_name, process_name
Stage 4: lookup
lookup <lookup> description, is_lolbas_path, lolbas_file_name, lolbas_file_path, process_name, process_path
Stage 5: search
search desc!="false" is_lolbas_path="false"
Stage 6: search
search
Stage 7: search
search
Stage 8: search
search `macro`
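The stage breakdown above reads as a pipeline: drop processes whose path is already in a trusted system or program directory (stage 1), tag the remaining ones whose file name is a known LOLBAS binary (stage 3), tag whether the directory is a documented LOLBAS location for that binary (stage 4), and alert on known names in unknown paths (stage 5). The following is an added example, not the Splunk rule or any code from the catalog, that re-implements that pipeline in plain Python over constructed Sysmon Event ID 1 style records. The `LOLBAS_LOOKUP` table is a constructed stand-in for the two `<lookup>` files (real LOLBAS names, but a small illustrative sample of paths), and the two `Program Files` patterns are given a trailing `*` on the assumption that the rule intends to match files beneath those directories, which the SPL on the page does not show explicitly.

```python
"""Stand-alone model of 'Windows LOLBAS Executed Outside Expected Path'.

Added example: mirrors the tstats exclusion, the two lookups and the final
filter from the rule's stage breakdown. Events and lookup data are
constructed samples, not the catalog's lookup files.
"""
from fnmatch import fnmatchcase

RULE_NAME = "Windows LOLBAS Executed Outside Expected Path"

# Stage 1: NOT Processes.process_path IN (...), as case-insensitive globs.
# Assumption: trailing '*' on the two Program Files patterns.
EXPECTED_LOCATIONS = [
    "*:\\Windows\\SysWOW64\\*",
    "*:\\Windows\\System32\\*",
    "*:\\Windows\\WinSxS\\*",
    "*\\PROGRA~*",
    "*\\Program Files (x86)\\*",
    "*\\Program Files\\*",
]

# Constructed stand-in for stages 3-4 lookups: LOLBAS file name ->
# directories where that binary legitimately lives. Small sample only.
LOLBAS_LOOKUP = {
    "rundll32.exe": ["c:\\windows\\system32\\", "c:\\windows\\syswow64\\"],
    "certutil.exe": ["c:\\windows\\system32\\", "c:\\windows\\syswow64\\"],
    "mshta.exe": ["c:\\windows\\system32\\", "c:\\windows\\syswow64\\"],
    "msbuild.exe": [
        "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\",
        "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\",
    ],
}

# Constructed Sysmon Event ID 1 records (process creation).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\rundll32.exe"},
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice",
     "Image": "C:\\Users\\Public\\rundll32.exe"},
    {"EventID": 1, "Computer": "ws02", "User": "CORP\\build",
     "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"},
    {"EventID": 1, "Computer": "ws02", "User": "CORP\\bob",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\MSBuild.exe"},
    {"EventID": 1, "Computer": "ws03", "User": "CORP\\carol",
     "Image": "C:\\Users\\carol\\Downloads\\setup.exe"},
    {"EventID": 1, "Computer": "ws03", "User": "CORP\\carol",
     "Image": "C:\\Program Files (x86)\\Vendor\\certutil.exe"},
]


def in_expected_location(image):
    """Stage 1 exclusion: True if the image path sits under a trusted directory."""
    path = image.lower()
    return any(fnmatchcase(path, pattern.lower()) for pattern in EXPECTED_LOCATIONS)


def split_image(image):
    """Split a full image path into (lower-cased directory with trailing '\\', lower-cased file name)."""
    directory, _, name = image.rpartition("\\")
    return directory.lower() + "\\", name.lower()


def lolbas_path_status(image):
    """Stages 3-4: returns (is_lolbas_name, is_lolbas_path) for one image path."""
    directory, name = split_image(image)
    expected_dirs = LOLBAS_LOOKUP.get(name)
    if expected_dirs is None:
        return False, False          # desc would be "false": not a LOLBAS name
    return True, directory in expected_dirs


def detect(events):
    """Run the staged logic over process-creation events; return enriched hits."""
    hits = []
    for event in events:
        image = event["Image"]
        if in_expected_location(image):            # stage 1: filtered before lookups
            continue
        is_name, is_path = lolbas_path_status(image)
        if is_name and not is_path:                # stage 5: desc!="false" is_lolbas_path="false"
            directory, name = split_image(image)
            hits.append({**event, "rule": RULE_NAME,
                         "process_name": name, "process_path": directory})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["Computer"]} {hit["User"]} {hit["Image"]} -> {hit["rule"]}')
```

Running it flags the `rundll32.exe` copy in `C:\Users\Public` and the `MSBuild.exe` copy in a user's `Temp` directory, while the genuine System32 and `Microsoft.NET\Framework64` copies pass. Note the last sample event: under the trailing-wildcard assumption a `certutil.exe` dropped under `Program Files (x86)` never reaches the LOLBAS lookups because stage 1 discards everything under that directory, so tuning the stage 1 exclusion list directly trades false positives from installers against this blind spot.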
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | Image | in | "*:\\Windows\\SysWOW64\\*", "*:\\Windows\\System32\\*", "*:\\Windows\\WinSxS\\*", "*\\PROGRA~*", "*\\Program Files \(x86\)\\", "*\\Program Files\\" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| desc | ne | "false" |
| is_lolbas_path | eq | "false" |