IPv4 command detected in lolbin execution
LOL Bin Remote IP Command Line
Query
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let LOLBins = dynamic(["AppInstaller.exe", "cmd.exe", "Aspnet_Compiler.exe", "At.exe", "Atbroker.exe", "Bash.exe", "Bitsadmin.exe", "CertOC.exe", "CertReq.exe", "Certutil.exe", "Cmdkey.exe", "cmdl32.exe", "Cmstp.exe", "ConfigSecurityPolicy.exe", "Conhost.exe", "Control.exe", "Csc.exe", "Cscript.exe", "CustomShellHost.exe", "DataSvcUtil.exe", "Desktopimgdownldr.exe", "DeviceCredentialDeployment.exe", "Dfsvc.exe", "Diantz.exe", "Diskshadow.exe", "Dnscmd.exe", "Esentutl.exe", "Eventvwr.exe", "Expand.exe", "Explorer.exe", "Extexport.exe", "Extrac32.exe", "Findstr.exe", "Finger.exe", "fltMC.exe", "Forfiles.exe", "Ftp.exe", "Gpscript.exe", "Hh.exe", "IMEWDBLD.exe", "Ie4uinit.exe", "Ieexec.exe", "Ilasm.exe", "Infdefaultinstall.exe", "Installutil.exe", "Jsc.exe", "Ldifde.exe", "Makecab.exe", "Mavinject.exe", "Msedge.exe", "Microsoft.Workflow.Compiler.exe", "Mmc.exe", "MpCmdRun.exe", "Msbuild.exe", "Msconfig.exe", "Msdt.exe", "Mshta.exe", "Msiexec.exe", "Netsh.exe", "Odbcconf.exe", "OfflineScannerShell.exe", "OneDriveStandaloneUpdater.exe", "Pcalua.exe", "Pcwrun.exe", "Pktmon.exe", "Pnputil.exe", "Presentationhost.exe", "Print.exe", "PrintBrm.exe", "Psr.exe", "Rasautou.exe", "rdrleakdiag.exe", "Reg.exe", "Regasm.exe", "Regedit.exe", "Regini.exe", "Register-cimprovider.exe", "Regsvcs.exe", "Regsvr32.exe", "Replace.exe", "Rpcping.exe", "Rundll32.exe", "Runexehelper.exe", "Runonce.exe", "Runscripthelper.exe", "Sc.exe", "Schtasks.exe", "Scriptrunner.exe", "Setres.exe", "SettingSyncHost.exe", "Stordiag.exe", "SyncAppvPublishingServer.exe", "Ttdinject.exe", "Tttracer.exe", "Unregmp2.exe", "vbc.exe", "Verclsid.exe", "Wab.exe", "winget.exe", "Wlrmdr.exe", "Wmic.exe", "WorkFolders.exe", "Wscript.exe", "Wsreset.exe", "wuauclt.exe", "Xwizard.exe", "fsutil.exe", "wt.exe", "GfxDownloadWrapper.exe", "Advpack.dll", "Desk.cpl", "Dfshim.dll", "Ieadvpack.dll", "Ieframe.dll", "Mshtml.dll", "Pcwutl.dll", "Setupapi.dll", "Shdocvw.dll", "Shell32.dll", "Syssetup.dll", "Url.dll", "Zipfldr.dll", "Comsvcs.dll", "AccCheckConsole.exe", "adplus.exe", "AgentExecutor.exe", "Appvlp.exe", "Bginfo.exe", "Cdb.exe", "coregen.exe", "Createdump.exe", "csi.exe", "DefaultPack.EXE", "Devinit.exe"]);
DeviceNetworkEvents
| where InitiatingProcessFileName in~ (LOLBins)
| extend CommandLineIP = extract(IPRegex, 0, InitiatingProcessCommandLine)
| where isnotempty(CommandLineIP)
// Optional filter to only filter for public ips.
//| where not(ipv4_is_private(RemoteIP))
| project-reorder Timestamp, InitiatingProcessCommandLine, RemoteIP, DeviceNameAbout this query
Explanation
This query is designed to detect potentially suspicious activities involving the execution of "Living Off The Land Binaries" (LOLBins) that reference remote IP addresses in their command lines. Here's a simplified breakdown of what the query does:
-
Purpose: The query aims to identify instances where certain system binaries (LOLBins) are used to execute commands that include references to remote IP addresses. This can indicate attempts to connect to external networks, which might be used for lateral movement or transferring files.
-
Technique: It relates to the MITRE ATT&CK technique T1218, which involves using legitimate system binaries to execute malicious actions, making detection harder.
-
Regex for IP Detection: The query uses a regular expression (
IPRegex) to identify IPv4 addresses in the command lines of processes. -
List of LOLBins: A predefined list of known LOLBins is used to filter the processes. These are legitimate executables that can be misused for malicious purposes.
-
Data Source: The query searches through
DeviceNetworkEventsto find events where the initiating process is one of the listed LOLBins. -
Extracting IPs: It extracts any IP addresses found in the command line of these processes.
-
Filtering: The query checks if the extracted IP address is not empty, indicating that a remote IP was indeed referenced.
-
Output: The results are reordered to show the timestamp, the command line that was executed, the remote IP address, and the device name.
-
Optional Filtering: There is an optional commented-out line that can be used to filter out private IP addresses, focusing only on public IPs.
This query helps security analysts identify potentially malicious activities by highlighting when system binaries are used in unexpected ways to interact with remote IPs.
