Detection Rules - lolbins / sensitive commands

Customer recently brought our attention to this, which seemed to be a novel way to detect lolbins or sensitive commands…

Is EET + alerts the only way to do this in IDR? They currently aren’t licensed for EET.
whoami, netsh, tasklist and attrib.exe (from LOLBins Are No Laughing Matter: How Attackers Operate Quietly) seemed to be good candidates that ‘shouldn’t’ be too noisy in environments and at least an interesting ‘notable event’, or we could always go off the ‘master’ list at https://lolbas-project.github.io/

2 Likes

Hey @wtang,

Based off the blog’s info, EET and alerts are a great way to identify those types of commands. Our Attacker Behavior Analytics definitely would fire off regarding most if not all of that similar activity, but with EET and your own ability to create custom alerts/notifications, you could very easily capture that activity yourself and modify it as you see fit. Here are some example queries:

where(process.cmd_line ISTARTS-WITH-ANY ["at", "reg", "wmic", "netsh advfirewall", "sc", "rundll32"]) groupby(hostname, process.cmd_line)

where(process.cmd_line ISTARTS-WITH-ANY ["dir", "net view", "ping", "net use", "type", "net user", "net localgroup", "net group", "net config", "net share"]) groupby(hostname, process.cmd_line)

where(process.cmd_line ISTARTS-WITH-ANY ["tasklist", "ver", "ipconfig", "systeminfo", "net time", "netstat", "whoami", "net start", "qprocess", "query"]) groupby(hostname, process.cmd_line)

1 Like
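The three queries above, re-implemented in Python as an added example (not Rapid7's code and not from either poster) over a constructed batch of process events, so the prefix semantics of ISTARTS-WITH-ANY and the hostname/cmd_line grouping can be checked offline before tuning an alert. The event shape and the "ws0x" hostnames are assumptions; the example also shows why a short prefix such as "at" matches attrib as well.

```python
from collections import Counter

# Constructed sample events in the shape the queries address (hostname,
# process.cmd_line). These are made-up records, not telemetry from the thread.
SAMPLE_EVENTS = [
    {"hostname": "ws01", "process": {"cmd_line": "whoami /all"}},
    {"hostname": "ws01", "process": {"cmd_line": "WHOAMI /all"}},
    {"hostname": "ws02", "process": {"cmd_line": "netsh advfirewall set allprofiles state off"}},
    {"hostname": "ws02", "process": {"cmd_line": "attrib +h notes.txt"}},
    {"hostname": "ws03", "process": {"cmd_line": "tasklist /v"}},
    {"hostname": "ws03", "process": {"cmd_line": "notepad.exe report.txt"}},
]

# The three prefix lists from the answer above; the labels are our own.
PREFIX_SETS = {
    "execution_and_config": ["at", "reg", "wmic", "netsh advfirewall", "sc", "rundll32"],
    "network_discovery": ["dir", "net view", "ping", "net use", "type", "net user",
                          "net localgroup", "net group", "net config", "net share"],
    "host_discovery": ["tasklist", "ver", "ipconfig", "systeminfo", "net time",
                       "netstat", "whoami", "net start", "qprocess", "query"],
}


def istarts_with_any(cmd_line, prefixes):
    """Case-insensitive prefix test with the semantics of LEQL ISTARTS-WITH-ANY.

    Returns the prefixes that matched. There is no token boundary: "at" also
    matches "attrib ..." and "sc" matches "schtasks ...", which is one source
    of noise to expect when tuning these lists.
    """
    lowered = cmd_line.lower()
    return [p for p in prefixes if lowered.startswith(p.lower())]


def match_events(events, prefix_sets=PREFIX_SETS):
    """Yield (label, hostname, cmd_line) once per prefix list that matches,
    as the three separate queries would each report the event."""
    for event in events:
        cmd_line = event["process"]["cmd_line"]
        for label, prefixes in prefix_sets.items():
            if istarts_with_any(cmd_line, prefixes):
                yield label, event["hostname"], cmd_line


def groupby_host_cmd(events, prefix_sets=PREFIX_SETS):
    """Equivalent of groupby(hostname, process.cmd_line): the grouping key is the
    exact command line, so "whoami /all" and "WHOAMI /all" are separate rows."""
    return Counter((host, cmd) for _, host, cmd in match_events(events, prefix_sets))


if __name__ == "__main__":
    for (host, cmd), count in groupby_host_cmd(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {host:6s}  {cmd}")
```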