We’re back with part two of our three-part blog series on living-off-the-land attacks. If you missed part one, you can read it here. In a nutshell, living-off-the-land (LOTL) refers to a type of attack where the attacker uses the tools and features that already exist in the target environment to carry out malicious activities.
The concept of LOTL is not new, but LOTL and file-less attacks have been gaining popularity over the last few months. Here are a few examples of genuine and secure Windows executables that are increasingly being exploited in attacks.
Executable |
Function |
PowerShell.exe |
Command-line shell designed especially for system administrators. Attackers are using this to execute malicious code. |
expand.exe |
This utility is run to expand (extract) files from compressed files. Attackers use this to copy files from remote systems. |
Eventvwr.exe |
Displays Windows Event Logs in a graphical user interface (GUI) window. Exploited to execute scripts and binaries as a high-integrity process without a User Account Control (UAC) prompt. |
SQLDumper.exe |
Debugging utility included with Microsoft SQL. Used to create dump files that can be read by tools ( Mimikatz ) to retrieve credentials. |
The core binding factor for all of these exploits is that they only leverage built-in system tools and features, making it easy for attackers to remain invisible by hiding malicious activities within the numerous legitimate and secure processes running daily.
For this blog, we’ll look at two attack techniques that can be used to add backdoors and bypass default rules. We’ll observe the tools used, the execution methods, and, of course, the aftermath!
-
Backdoor service installation:
-
Tools used: Command Prompt and Windows Remote Management (WINRM).
-
Method of execution: A one-liner command that installs a backdoor service that can be set to launch any application or executable.
-
Aftermath: Backdoor service installed that can be leveraged to deploy malicious activity; this can be done on remote systems, too.
-
-
Copying data from remote locations:
-
Tools and processes used: Run dialog box and msiexec.exe.
-
Method of execution: Using the run dialog box, run the command to bypass any restriction rules and launch malicious MSI applications.
-
“msiexec/quiet/i <path of the MSI file (evil.MSI)>”
-
- Aftermath: Any malicious application can be launched, even if it’s blocked by the organization.
You can check out a short video on the above mentioned attacks here:
www.youtube.com/watch?v=_IVaTl09xJ8&feature=youtu.be
This multi-part blog series just scratches the surface on LOTL attacks. To learn more, dive in to our live, hands-on webinar where you’ll learn the different ways attackers can leverage LOTL tactics to gain access to your critical data, privileged accounts, and servers.
Sign up now, and see live demonstrations of a few LOTL attacks to understand attack patterns better, and learn how to build an effective defense strategy for your hybrid environment.
If you need help trying out these attacks in your own test environment, just drop an email to abi@manageengine.com, and I’d be happy to help.