/
svchost_lolbas_execution_process_spawn.yml
92 lines (92 loc) · 4.5 KB
/
svchost_lolbas_execution_process_spawn.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
name: Svchost LOLBAS Execution Process Spawn
id: 09e5c72a-4c0d-11ec-aa29-3e22fbd008af
version: 3
date: '2024-04-26'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic is designed to spot instances of 'svchost.exe'
initiating a Living Off The Land Binaries and Scripts (LOLBAS) execution process.
Often, adversaries manipulate Task Scheduler to execute code on remote endpoints,
resulting in the spawning of a malicious command as a child process of 'svchost.exe'.
By tracking child processes of 'svchost.exe' that align with the LOLBAS project,
potential lateral movement activity can be detected. The analytic examines process
details, including the process name, parent process, and command-line executions.
A comprehensive list of LOLBAS processes is included in the search parameters. Although
the analytic might catch legitimate applications exhibiting this behavior, these
instances should be filtered accordingly. The findings from this analytic offer
valuable insight into potentially malicious activities on an endpoint.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe)
(Processes.process_name IN ("Regsvcs.exe", "Ftp.exe", "OfflineScannerShell.exe",
"Rasautou.exe", "Schtasks.exe", "Xwizard.exe", "Pnputil.exe", "Atbroker.exe", "Pcwrun.exe",
"Ttdinject.exe","Mshta.exe", "Bitsadmin.exe", "Certoc.exe", "Ieexec.exe", "Microsoft.Workflow.Compiler.exe",
"Runscripthelper.exe", "Forfiles.exe", "Msbuild.exe", "Register-cimprovider.exe",
"Tttracer.exe", "Ie4uinit.exe", "Bash.exe", "Hh.exe", "SettingSyncHost.exe", "Cmstp.exe",
"Stordiag.exe", "Scriptrunner.exe", "Odbcconf.exe", "Extexport.exe", "Msdt.exe",
"WorkFolders.exe", "Diskshadow.exe", "Mavinject.exe", "Regasm.exe", "Gpscript.exe",
"Regsvr32.exe", "Msiexec.exe", "Wuauclt.exe", "Presentationhost.exe", "Wmic.exe",
"Runonce.exe", "Syncappvpublishingserver.exe", "Verclsid.exe", "Infdefaultinstall.exe",
"Installutil.exe", "Netsh.exe", "Wab.exe", "Dnscmd.exe", "At.exe", "Pcalua.exe",
"Msconfig.exe")) by Processes.dest Processes.user Processes.parent_process Processes.process_name
Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `svchost_lolbas_execution_process_spawn_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: Legitimate applications may trigger this behavior, filter as
needed.
references:
- https://attack.mitre.org/techniques/T1053/005/
- https://www.ired.team/offensive-security/persistence/t1053-schtask
- https://lolbas-project.github.io/
tags:
analytic_story:
- Active Directory Lateral Movement
- Living Off The Land
- Scheduled Tasks
asset_type: Endpoint
confidence: 60
impact: 90
message: Svchost.exe spawned a LOLBAS process on $dest$
mitre_attack_id:
- T1053
- T1053.005
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.dest
- Processes.user
- Processes.parent_process_name
- Processes.parent_process
- Processes.original_file_name
- Processes.process_name
- Processes.process
- Processes.process_id
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/svchost_lolbas_execution_process_spawn/windows-xml.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog