/
living_off_the_land_detection.yml
71 lines (71 loc) · 3.04 KB
/
living_off_the_land_detection.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
name: Living Off The Land Detection
id: 1be30d80-3a39-4df9-9102-64a467b24abc
version: 2
date: '2022-09-09'
author: Michael Haag, Splunk
status: production
type: Correlation
description: The following correlation identifies a distinct amount of analytics associated
with the Living Off The Land analytic story that identify potentially suspicious
behavior.
data_source: []
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score)
as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as
annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id)
as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id)
as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id)
as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source,
dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Living
Off The Land" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type
All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where
source_count >= 5 | `living_off_the_land_filter`'
how_to_implement: To implement this correlation search a user needs to enable all
detections in the Living Off The Land Analytic Story and confirm it is generating
risk events. A simple search `index=risk analyticstories="Living Off The Land"`
should contain events.
known_false_positives: There are no known false positive for this search, but it could
contain false positives as multiple detections can trigger and not have successful
exploitation. Modify the static value distinct_detection_name to a higher value.
It is also required to tune analytics that are also tagged to ensure volume is never
too much.
references:
- https://www.splunk.com/en_us/blog/security/living-off-the-land-threat-research-february-2022-release.html
- https://research.splunk.com/stories/living_off_the_land/
tags:
analytic_story:
- Living Off The Land
asset_type: Endpoint
confidence: 70
impact: 90
message: An increase of Living Off The Land behavior has been detected on $risk_object$
mitre_attack_id:
- T1105
- T1190
- T1059
- T1133
observable:
- name: risk_object
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- All_Risk.analyticstories
- All_Risk.risk_object_type
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
risk_score: 63
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log
source: lotl
sourcetype: stash