This is the final blog of our three-part blog series on living-off-the-land (LOTL) attacks. If you missed last week’s blog, you can read it here.
LOTL attacks are also known as “malware-free” attacks because your own tools are used against you, either to hide malicious activities under a legitimate system process, or to leverage genuine system activities for malicious purposes. These attacks are undetectable by most antivirus software and anti-malware tools, which allows attackers to propagate invisibly inside an organization’s network.
Over the course of the last two weeks, we saw how malicious users can leverage various tools like PowerShell, the Command Prompt, and Windows Remote Management (WinRM) to carry out attacks. This week, we will look at another form of such attack techniques, where we will see how third-party tools used by organizations (SQL databases, Exchange servers) can be used in attacks, and also how well-known offensive tools used by hackers (Mimikatz, WannaCry ransomware) can hide under genuine systems tools to avoid detection.
We will observe the tools used, the execution methods, and, of course, the aftermath!
Dumping credentials from lsass.exe:
-
-
Tools used: Command Prompt and SQLDumper (debugging utility included with Microsoft SQL)
-
Method of execution: Dump process by process ID (PID) and create a dump file.
-
sqldumper.exe 464 0 0x0110
-
-
Aftermath: The PID can be of any process (like lsass.exe) and a Mimikatz-compatible dump file can be created, which can later be parsed to obtain clear text passwords.
-
Bypassing AppLocker rules and launching malware under Windows Management Instrumentation (WMI):
-
-
Tools and processes used: Command Prompt and WMI
-
Method of execution: One-liner command to launch any malicious executable under the WMI process
-
wmic.exe process call create mimikatz.exe
-
-
Aftermath: Organization-blocked executables and malware can be hidden and executed under the genuine WMI process.
-
Check out this short video on the attacks mentioned above:
This multi-part blog series just scratches the surface on LOTL attacks. To learn more, dive in to our live, hands-on webinar where you’ll learn the different ways attackers can leverage LOTL tactics to gain access to your critical data, privileged accounts, and servers.
Sign up now, and see live demonstrations of a few LOTL attacks to understand attack patterns better, and learn how to build an effective defense strategy for your hybrid environment.
If you need help trying out these attacks in your own test environment, just leave your questions in the comment section below, and I’d be happy to help.