LoFP / Legitimate usage of internal automation or scripting, especially powershell.exe or pwsh.exe, internal-to-internal traffic or logon scripts. It may be necessary to omit internal IP ranges if extremely noisy, i.e. NOT dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","170.98.0.0/16","0:0:0:0:0:0:0:1")

Techniques

Sample rules

LOLBAS With Network Traffic

Description

The following analytic identifies the use of Living Off the Land Binaries and Scripts (LOLBAS) with network traffic. It leverages data from the Network Traffic data model to detect when native Windows binaries, often abused by adversaries, initiate network connections. This activity is significant as LOLBAS are frequently used to download malicious payloads, enabling lateral movement, command-and-control, or data exfiltration. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or maintain persistence within the environment, posing a severe threat to organizational security.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
  from datamodel=Network_Traffic.All_Traffic
  where All_Traffic.app IN (
    "*\\At.exe",
    "*\\Atbroker.exe",
    "*\\Bash.exe",
    "*\\Bitsadmin.exe",
    "*\\Certoc.exe",
    "*\\certutil.exe",
    "*\\cmd.exe",
    "*\\Cmstp.exe",
    "*\\cscript.exe",
    "*\\Diskshadow.exe",
    "*\\Dnscmd.exe",
    "*\\Extexport.exe",
    "*\\Forfiles.exe",
    "*\\Ftp.exe",
    "*\\Gpscript.exe",
    "*\\Hh.exe",
    "*\\Ie4uinit.exe",
    "*\\Ieexec.exe",
    "*\\Infdefaultinstall.exe",
    "*\\Installutil.exe",
    "*\\makecab.exe",
    "*\\Mavinject.exe",
    "*\\Microsoft.Workflow.Compiler.exe",
    "*\\Msbuild.exe",
    "*\\Msconfig.exe",
    "*\\Msdt.exe",
    "*\\Mshta.exe",
    "*\\Msiexec.exe",
    "*\\Netsh.exe",
    "*\\notepad.exe",
    "*\\Odbcconf.exe",
    "*\\OfflineScannerShell.exe",
    "*\\Pcalua.exe",
    "*\\Pcwrun.exe",
    "*\\Pnputil.exe",
    "*\\powershell_ise.exe",
    "*\\powershell.exe",
    "*\\Presentationhost.exe",
    "*\\pwsh.exe",
    "*\\Rasautou.exe",
    "*\\Regasm.exe",
    "*\\Register-cimprovider.exe",
    "*\\Regsvcs.exe",
    "*\\Regsvr32.exe",
    "*\\Runonce.exe",
    "*\\Runscripthelper.exe",
    "*\\Schtasks.exe",
    "*\\Scriptrunner.exe",
    "*\\SettingSyncHost.exe",
    "*\\Stordiag.exe",
    "*\\Syncappvpublishingserver.exe",
    "*\\Ttdinject.exe",
    "*\\Tttracer.exe",
    "*\\Verclsid.exe",
    "*\\Wab.exe",
    "*\\Wmic.exe",
    "*\\WorkFolders.exe",
    "*\\Wuauclt.exe",
    "*\\Xwizard.exe"
    )
  NOT All_Traffic.dest_ip IN (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4"
    )
  by All_Traffic.action All_Traffic.app All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port
     All_Traffic.direction All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version
     All_Traffic.src All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user
     All_Traffic.vendor_product
| `drop_dm_object_name(All_Traffic)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rex field=app ".*\\\(?<process_name>.*)$"
| `lolbas_with_network_traffic_filter`
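To show what the tstats clause above computes outside Splunk, here is an added Python example (not part of the Splunk rule or this page) that applies the same three steps to constructed sample events: take the process name after the last backslash of app, keep only LOLBAS names, drop destinations inside the excluded CIDR ranges, and aggregate count/firstTime/lastTime per process, destination and user. The event records, user names and IP addresses are constructed, and the LOLBAS and CIDR sets are subsets of the rule's lists; it also shows why the 172.16.0.0/12 exclusion needs CIDR membership rather than a string prefix.

```python
import ipaddress
import re

# Subset of the rule's LOLBAS list, lower-cased: Splunk's wildcard IN is case-insensitive.
LOLBAS = {"at.exe", "bitsadmin.exe", "certutil.exe", "mshta.exe", "msiexec.exe",
          "powershell.exe", "pwsh.exe", "regsvr32.exe"}
# Subset of the destination ranges the rule drops (private, loopback, CGNAT, documentation ...).
EXCLUDED_NETS = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]
# Same extraction as the rule's rex: the text after the last backslash of app.
PROCESS_RE = re.compile(r".*\\(?P<process_name>.*)$")

def process_name(app):
    m = PROCESS_RE.match(app)
    return m.group("process_name") if m else app

def is_excluded_dest(dest_ip):
    # CIDR membership, not string prefixes: 172.32.0.1 starts with "172." but lies
    # outside 172.16.0.0/12 and must still alert.
    try:
        ip = ipaddress.ip_address(dest_ip)
    except ValueError:
        return False  # unparsable destination: keep the event rather than drop it silently
    return any(ip in net for net in EXCLUDED_NETS)

def lolbas_network_hits(events):
    """Mirror the tstats aggregation: count, firstTime, lastTime per (process, dest_ip, user)."""
    hits = {}
    for e in events:
        name = process_name(e["app"]).lower()
        if name not in LOLBAS or is_excluded_dest(e["dest_ip"]):
            continue
        h = hits.setdefault((name, e["dest_ip"], e["user"]),
                            {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        h["count"] += 1
        h["firstTime"] = min(h["firstTime"], e["_time"])
        h["lastTime"] = max(h["lastTime"], e["_time"])
    return hits

# Constructed sample events (hypothetical, not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000600, "app": "C:\\Windows\\System32\\certutil.exe", "dest_ip": "1.2.3.4", "user": "alice"},
    {"_time": 1700000000, "app": "C:\\Windows\\System32\\CertUtil.exe", "dest_ip": "1.2.3.4", "user": "alice"},
    {"_time": 1700000100, "app": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "dest_ip": "10.1.2.3", "user": "svc-logon"},
    {"_time": 1700000200, "app": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "dest_ip": "172.32.0.1", "user": "svc-build"},
    {"_time": 1700000300, "app": "C:\\Windows\\System32\\mshta.exe", "dest_ip": "192.0.2.10", "user": "bob"},
    {"_time": 1700000400, "app": "C:\\Windows\\explorer.exe", "dest_ip": "1.2.3.4", "user": "bob"},
]
```

Calling `lolbas_network_hits(SAMPLE_EVENTS)` returns two hits, certutil.exe to 1.2.3.4 (count 2, spanning both case variants) and pwsh.exe to 172.32.0.1, while the 10.x and 192.0.2.x destinations and explorer.exe are dropped.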