Living-Off-the-Land

An unknown threat actor gained continuous administrative access to a senior finance executive's Microsoft Outlook mailbox at a global stock exchange for at least five months, deploying custom infostealers via scheduled tasks and exfiltrating sensitive emails through a Dropbox-based command and control channel after an initial lateral movement event.

This correlation search identifies multiple risk events associated with 'Living Off The Land' activity, leveraging the Risk data model to aggregate events, focusing on systems with a high count of distinct sources, potentially enabling attackers to execute code, escalate privileges, or persist within the environment using trusted system utilities.

Detection of PowerShell execution initiated via Crowdstrike Real Time Response (RTR) 'runscript' command, potentially indicating malicious actors leveraging compromised Crowdstrike Dashboard access to execute commands on remote hosts using encoded commands.

The analytic identifies instances where wmiprvse.exe spawns msbuild.exe, an unusual process relationship indicative of potential COM object misuse and unauthorized code execution on Windows systems.

Detection of msbuild.exe execution from a non-standard path, indicating potential attempts to evade detection and execute malicious code.

The use of Microsoft Workflow Compiler (microsoft.workflow.compiler.exe), a rarely utilized executable typically found in C:\Windows\Microsoft.NET\Framework64\v4.0.30319, can indicate malicious intent such as code execution or persistence mechanisms, potentially leading to unauthorized access.

Detection of the renaming of microsoft.workflow.compiler.exe, a technique used by attackers to evade security controls and potentially execute arbitrary code for privilege escalation or persistence.

Detection of netsh.exe execution by unusual processes indicative of potential malicious activity, including persistence and network configuration changes by threat actors.