-
Notifications
You must be signed in to change notification settings - Fork 374
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #3005 from nterl0k/nterl0k-t1036-lolbash-your-face
Nterl0k - T1036 LOLBASh Your Face
- Loading branch information
Showing
5 changed files
with
617 additions
and
483 deletions.
There are no files selected for viewing
68 changes: 68 additions & 0 deletions
68
detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,68 @@ | ||
| name: Windows LOLBAS Executed As Renamed File | ||
| id: fd496996-7d9e-4894-8d40-bb85b6192dc6 | ||
| version: 1 | ||
| date: '2024-04-30' | ||
| author: Steven Dick | ||
| status: production | ||
| type: TTP | ||
| description: The following analytic identifies a LOLBAS process being executed where it's process name does not match it's original file name attribute. Processes that have been renamed and executed may be an indicator that an adversary is attempting to evade defenses or execute malicious code. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. | ||
| data_source: | ||
| - Sysmon EID 1 | ||
| search: '| tstats `security_content_summariesonly` latest(Processes.parent_process) as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where NOT Processes.original_file_name IN("-","unknown") AND NOT Processes.process_path IN ("*\\Program Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") BY Processes.user Processes.dest Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process_path | ||
| |`drop_dm_object_name(Processes)` | ||
| | where NOT match(process_name, "(?i)".original_file_name) | ||
| | lookup lolbas_file_path lolbas_file_name as original_file_name OUTPUT description as desc | ||
| | search desc!="false" | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | ||
| | `windows_lolbas_executed_as_renamed_file_filter`' | ||
| how_to_implement: To implement this search, you must ingest logs that contain the process name and process original file name, such as with Sysmon EID 1. | ||
| known_false_positives: A certain amount of false positives are likely with this detection. MSI based installers often trigger for SETUPAPL.dll and vendors will often copy system exectables to a different path for application usage. | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1036/ | ||
| - https://attack.mitre.org/techniques/T1036/003/ | ||
| tags: | ||
| analytic_story: | ||
| - Living Off The Land | ||
| - Masquerading - Rename System Utilities | ||
| - Windows Defense Evasion Tactics | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 80 | ||
| message: The file originally named $original_file_name$ was executed as $process_name$ on $dest$ | ||
| mitre_attack_id: | ||
| - T1036 | ||
| - T1036.003 | ||
| - T1218.011 | ||
| observable: | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| - name: process_name | ||
| type: Process Name | ||
| role: | ||
| - Attacker | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - Processes.user | ||
| - Processes.dest | ||
| - Processes.parent_process_name | ||
| - Processes.process_name | ||
| - Processes.original_file_name | ||
| - Processes.process_path | ||
| risk_score: 40 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: xmlwineventlog |
69 changes: 69 additions & 0 deletions
69
detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| name: Windows LOLBAS Executed Outside Expected Path | ||
| id: 326fdf44-b90c-4d2e-adca-1fd140b10536 | ||
| version: 1 | ||
| date: '2024-04-29' | ||
| author: Steven Dick | ||
| status: production | ||
| type: TTP | ||
| description: The following analytic identifies a LOLBAS process being executed outside of it's expected location. Processes being executed outside of expected locations may be an indicator that an adversary is attempting to evade defenses or execute malicious code. The LOLBAS project documents Windows native binaries that can be abused by threat actors to perform tasks like executing malicious code. | ||
| data_source: | ||
| - Sysmon EID 1 | ||
| - Windows Security EID 4688 | ||
| search: '| tstats `security_content_summariesonly` latest(Processes.parent_process) as parent_process, latest(Processes.process) as process, latest(Processes.process_guid) as process_guid count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process != "unknown" AND NOT Processes.process_path IN ("*\\Program Files*","*\\PROGRA~*","*\\Windows\\System32\\*","*\\Windows\\Syswow64\\*") BY Processes.user Processes.dest Processes.parent_process_name Processes.process_name Processes.process_path | ||
| |`drop_dm_object_name(Processes)` | ||
| | lookup lolbas_file_path lolbas_file_name as process_name OUTPUT description as desc | ||
| | lookup lolbas_file_path lolbas_file_name as process_name lolbas_file_path as process_path OUTPUT description as is_lolbas_path | ||
| | search desc!="false" AND is_lolbas_path="false" | ||
| | `security_content_ctime(firstTime)` | ||
| | `security_content_ctime(lastTime)` | ||
| | `windows_lolbas_executed_outside_expected_path_filter`' | ||
| how_to_implement: To implement this search, you must ingest logs that contain the process name and process path, such as with Sysmon EID 1. | ||
| known_false_positives: Vendors will often copy system exectables to a different path for application usage. | ||
| references: | ||
| - https://attack.mitre.org/techniques/T1036/ | ||
| - https://attack.mitre.org/techniques/T1036/005/ | ||
| tags: | ||
| analytic_story: | ||
| - Living Off The Land | ||
| - Masquerading - Rename System Utilities | ||
| - Windows Defense Evasion Tactics | ||
| asset_type: Endpoint | ||
| confidence: 50 | ||
| impact: 80 | ||
| message: The user $user$ executed a LOLBAS [$process_name$] from an unexpected location on $dest$ | ||
| mitre_attack_id: | ||
| - T1036 | ||
| - T1036.005 | ||
| - T1218.011 | ||
| observable: | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: process_name | ||
| type: Process Name | ||
| role: | ||
| - Attacker | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| required_fields: | ||
| - Processes.user | ||
| - Processes.dest | ||
| - Processes.parent_process_name | ||
| - Processes.process_name | ||
| - Processes.original_file_name | ||
| - Processes.process_path | ||
| risk_score: 40 | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1036/cmd_lolbas_usage/cmd_lolbas_usage.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: xmlwineventlog |
Oops, something went wrong.