Wazuh | Detect LOLBAS Attacks

Ali Sefer
6 min read · Sep 2, 2024

In today’s cybersecurity landscape, threats are becoming increasingly sophisticated, requiring security professionals to stay vigilant against ever-evolving attack techniques. One such technique is the use of LOLBAS (Living Off The Land Binaries and Scripts), where attackers misuse legitimate Windows tools to carry out malicious activities while avoiding detection. Traditional security solutions often struggle to detect these types of attacks because the tools used are recognized as legitimate and trusted. This poses a significant challenge for security teams trying to identify and stop such attacks in a timely manner.

This is where Wazuh comes in as a powerful ally in security operations and threat detection. Wazuh is an open-source and comprehensive security solution that combines SIEM (Security Information and Event Management) capabilities with critical functions such as log management, file integrity monitoring, threat detection, and compliance management. Wazuh is particularly adept at providing proactive defense against LOLBAS attacks, which are common in Windows environments. It offers real-time monitoring, log analysis, and rule-based detection mechanisms to unravel the complexity of these attacks.

In this article, we will explore how Wazuh can detect LOLBAS attacks and how you can strengthen your security strategies against such threats. With the various features and tools offered by Wazuh, cybersecurity professionals can effectively combat these attacks, preventing adversaries from covertly taking control of systems and advancing your security operations to the next level.

We will test the relevant rules and PoC phases on a live system, so I may have to blur some parts of the screenshots.

I’m not going to show the installation, configuration and agent setup of Wazuh from start to finish. Depending on the interest in this blog post, I may publish a chapter-by-chapter guide on Wazuh from start to finish!

We will write the relevant rules under the “local_rules.xml” file. But first we need to identify which LOLBAS commands we want to detect and extract their syntax.

You can go to the website I provided in the link above and review the relevant LOLBAS commands. Here I will create rules to cover “bitsadmin.exe” and “certutil.exe” commands as an example.

  • Bitsadmin: Used for managing Background Intelligent Transfer Service (BITS) jobs.
  • Certutil: Windows binary used for handling certificates.

Please make sure Sysmon is correctly configured on Wazuh and on the agents before proceeding to rule writing! You can use the Sysmon config file provided in the official Wazuh documentation.

Rule Creation

Let’s go to the “Rules” section in Wazuh and open our local_rules.xml file. First, I will write the rule we need to detect the bitsadmin.exe command. You can see the details in the screenshot below.

bitsadmin.exe Detection Rule

General Rule Structure:

This rule is defined within a “group” tag, which references a specific set of rules designed to cover particular scenarios. In this rule, there are two groups named “windows” and “lolbas”. This indicates that the rule is relevant for both Windows operating systems and LOLBAS (Living Off The Land Binaries and Scripts) threats.

Rule Details:

1. Group Name (name="windows,lolbas,"):

  • windows: Indicates that the rule is specific to the Windows operating system.
  • lolbas: Shows that the rule is intended to monitor events related to the LOLBAS category.

2. Rule ID (id="180001"):

  • This specifies the unique identifier (ID) of the rule. You can identify which rule Wazuh used when reporting an event by this ID.

3. Level (level="12"):

  • This represents the severity level of the rule. A level 12 indicates a significant security threat, meaning that Wazuh will treat this event with high priority.

4. Ignore (ignore="120"):

  • This specifies how many seconds a similar event should be ignored after it has been detected. In this example, Wazuh will not report the same bitsadmin.exe event again for 120 seconds.

5. if_group (windows):

  • Makes this rule depend on the “windows” rule group: it is evaluated only for events that a rule in that group has already matched. In practice this means the rule will only apply to events coming from devices running the Windows operating system.

6. Match (bitsadmin.exe):

  • This detects the use of the bitsadmin.exe tool. bitsadmin.exe is a legitimate Windows tool typically used for background download tasks. However, it can also be misused by attackers to download and execute malicious software.

7. Description:

  • Provides a description of the detected event. This helps better understand the nature of the event. In this case, it indicates that the event involves a suspicious download and execution using a BITS (Background Intelligent Transfer Service) job, and it dynamically includes the name of the computer where the event occurred using the $(win.system.computer) variable.

8. MITRE ATT&CK Framework (mitre):

  • This section indicates which tactic or technique from the MITRE ATT&CK Framework the rule is related to.
  • ID (id="T1197"): This corresponds to the technique of abusing BITS jobs in the MITRE ATT&CK Framework. Thus, this rule focuses on detecting the misuse of the bitsadmin.exe tool by attackers to perform malicious tasks.

PoC

Now we should expect an alarm on the Wazuh side when BITS transactions are executed! Let’s immediately start a bitsadmin.exe process on one of our agents and examine it on the Wazuh side.

bitsadmin.exe Process

We have successfully started the bitsadmin.exe process on the corresponding agent! When I looked at my Wazuh screen, I saw that the rule we wrote was triggered instantly! You can see the details of this in the screenshots below.

bitsadmin.exe Detection Rule Triggered

When we look at the triggered rule in more detail, we can access the full logs. As you can see in the screenshot below, the alarm was created because the bitsadmin.exe process was started.

bitsadmin.exe Detection Rule Triggered Detail

We can use the same rule structure for certutil.exe or other LOLBAS processes. There are only certain parts that we need to pay attention to:

  • The rule id must be changed!
  • The match part must be changed: here we write the name of the process that should generate an alarm when it is run!
  • We can write whatever we want in the description section.
  • In the mitre section, we write which MITRE ID is equivalent to the corresponding LOLBAS command.

For example, by examining the rules I have created separately for the certutil.exe and bitsadmin.exe processes, you can understand the structure more easily and write your own rules correctly.
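Both rules as they would sit in local_rules.xml, written out from the field walkthrough and the adaptation checklist above. This is an added example, not a copy of the article's screenshots: the description texts, the certutil rule id 180002 and its T1105 mapping are assumptions.

```xml
<!-- Added example for local_rules.xml; description texts are assumed wording. -->
<group name="windows,lolbas,">

  <!-- bitsadmin.exe: id, level, ignore, if_group, match and the MITRE id
       follow the field walkthrough in the article. -->
  <rule id="180001" level="12" ignore="120">
    <!-- Evaluated only for events already matched by a rule in the windows group -->
    <if_group>windows</if_group>
    <!-- String searched for in the event -->
    <match>bitsadmin.exe</match>
    <description>Suspicious download and execution using a BITS job on $(win.system.computer)</description>
    <mitre>
      <id>T1197</id>
    </mitre>
  </rule>

  <!-- certutil.exe: same structure with the four parts from the checklist changed.
       Rule id 180002, the description and T1105 (Ingress Tool Transfer) are
       assumptions; the article does not state the values it used. -->
  <rule id="180002" level="12" ignore="120">
    <if_group>windows</if_group>
    <match>certutil.exe</match>
    <description>Suspicious use of certutil.exe on $(win.system.computer)</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>

</group>
```

Rule ids must be unique across the whole ruleset, and the manager has to be restarted after saving before the new rules take effect.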

certutil.exe Detection Rule

I will not explain these parts in detail as above. After writing the relevant rules, I restarted Wazuh and ran certutil.exe on the agent. As you can see in the screenshot below, the rule we wrote was successfully triggered!

certutil.exe Detection Rule Triggered

Wazuh offers a powerful and flexible solution for detecting and managing threats in the modern cybersecurity landscape. The detection of LOLBAS attacks is particularly crucial for ensuring the security of systems. In this article, we explored how Wazuh monitors such threats, providing detailed examples of configurations. Security teams can leverage Wazuh’s extensible infrastructure to develop custom rules tailored to their systems, making the threat detection process even more effective. With proper configuration and continuous monitoring, Wazuh remains a vital tool in building a proactive defense against cyber threats.

The rules written here are for beginners! More complex and inclusive rules can be written in Wazuh!

Stay safe.

Written by Ali Sefer

Information Security Specialist | Purple Team Member
