Jihad Abdrazak
6 min read · Jan 16, 2022

Living off the land (LotL) attack

Introduction
Detection evasion has become the part adversaries focus on most these days: gaining unauthorized access to victims' systems without being detected. It's like a game: defenders try to strengthen the defense and attackers try to strengthen evasion. In this post, we'll go through an adversary technique called the LotL (living off the land) attack. We'll rely on LOLBAS so you can see how the attack happens on operating systems.

What is living off the land (LotL) attack?
A LotL attack leverages trusted tools that already exist in the environment (the operating system) for a malicious purpose. For the attacker, the main benefit of this approach is that his activity is less likely to be flagged by anti-virus, because it uses trusted tools.

What is the Living Off The Land Binaries and Scripts (LOLBAS) project?
Recently, Oddvar Moe (security researcher) published a great project called LOLBAS (Living Off The Land Binaries and Scripts) which documents binaries, scripts and libraries that can be used to perform a LotL attack. The project has been supported by many researchers around the world, and I'm happy to be one of them.

What are trusted tools?
Trusted tools are tools that were created by Microsoft itself.

What are signed tools?
A digital signature is a virtual fingerprint applied to software and/or tools by the original distributor to assure users that the software they are using is trusted and has not been modified by a threat actor.

What is the difference between trusted and signed tools?
You should know that trusted tools aren't always signed: some trusted tools are signed by Microsoft and some aren't.

Let's go deeper into the LotL attack with LOLBAS:
Hey! Wait! Remember that in this blog post, binaries refer to exe tools, scripts refer to scripts (wsf/vbs/ps1/bat), and libraries refer to DLLs; all of them can be used to perform a LotL attack.

Let’s start with living off the land binaries:

1. LotL attack using Explorer.exe, found by Bohops

Explorer.exe is a file manager application that has been included with releases of the Microsoft Windows operating system from Windows 95 onwards. It provides a graphical user interface for accessing the file system.

Note:
When I reconnoitered explorer.exe, I found that it doesn't accept abbreviations (like calc, cmd). So, passing the full path of your malware plus its extension is required.

2. LotL attack using FTP.exe, found by Casey Smith
FTP (File Transfer Protocol) is a standard network protocol used to exchange files between computers on a private network or over the internet. There are three ways in which FTP is commonly accessed, one of which is the command-line FTP client; using the ! mark you can execute your command and/or malware.

3. LotL attack using Msdt.exe, found by Harr0ey

Msdt is a troubleshooting (diagnostic) tool providing many troubleshooting modules, as depicted in the following picture:

As depicted in the picture, msdt provides many troubleshooting modules that can be used to fix problems with different Windows programs. While I was searching for how to leverage msdt, I found that it uses a module called "PCW" that can be abused to launch malware (exe, bat, vbs, js, hta and so on) and/or any executable file that comes with its default runner in Windows. Note that the msdt "PCW" module doesn't accept commands; you should pass the full path of the malware followed by its extension. First and foremost, you have to create an XML file (which the PCW module understands and runs): just copy the XML code from the raw link of my GitHub gist and paste it into the XML file.

Now all you have to do is edit the "value" in the XML code and pass your malware as illustrated above. Once the XML file is ready, there is one final step: abusing the msdt PCW module.

The first command line adds the malware to the list of programs (the troubleshooting list that contains programs you are having problems with). The second one launches a window enabling you to execute your malware, as you see above. Msdt is auto-elevated, so it can be used for a LotL attack and for UAC bypassing :)

4. LotL attack using ScriptRunner.exe, found by Nick Tyrer (@nicktyrer)

5. LotL attack using an INF file, found by Harr0ey
A description by Microsoft: an INF file is a text file that contains all the information that device installation components use to install a driver. Windows installs drivers using INF files. This information includes the following: driver name and location, and driver version information. I've successfully been able to find an INF file that launches commands using registry keys related to Runonce.exe. This is what the INF file contains; hahaha, you don't have to write the code yourself, you can find it here… INF file

Let's run the INF file using INFDEFAULTINSTALL.exe (its runner) and see what the result of the execution looks like.

Hey guys! There are still many binaries not mentioned here because I didn't have enough time to cover all of them, but this blog post will be updated as soon as possible. Now let's go through living off the land libraries.

Living off the land libraries

1. LotL attack using pcwutl.dll, found by Harr0ey
rundll32.exe pcwutl.dll,LaunchApplication calc.exe

2. LotL attack using SHELL32.DLL, found by Adam
rundll32 SHELL32.DLL,ShellExec_RunDLL

3. LotL attack using Zipfldr.dll, found by Moriarty
rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e

4. LotL attack using Advpack.dll, found by bohops
rundll32.exe Advpack.dll,RegisterOCX calc.exe

5. LotL attack using url.dll, found by bohops
rundll32.exe url.dll,FileProtocolHandler calc.exe

Now let's go through the last LotL attack type, scripts. Here we're going to use ps1/vbs/wsf scripts that can be used for a LotL attack:

1. LotL attack using CL_Invocation.ps1, found by Bohops
Import-Module C:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
SyncInvoke calc

2. LotL attack using SyncAppvPublishingServer.vbs, found by SubTee

reg.exe import c:\path\to\Slmgr.reg & cscript.exe /b c:\windows\system32\slmgr.vbs
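To give the defender's side of the lists above (the msdt and INF binaries, the five rundll32 DLL exports, and the scripts), here is an added example, written for this post and not taken from it or from the LOLBAS project, of process command-line detection rules for those invocations. It assumes a constructed "Image=…|CommandLine=…" log format, and it strips the caret escape shown in the zipfldr example before matching, since cmd.exe removes carets before rundll32 ever sees the argument.

```python
import ntpath
import re

# (image name, rule name, regex over the normalized command line). Rules and
# rule names are constructed here and cover only the invocations in the post.
RULES = [
    ("rundll32.exe", "rundll32-pcwutl-LaunchApplication", r"pcwutl\.dll\s*,\s*launchapplication"),
    ("rundll32.exe", "rundll32-shell32-ShellExec_RunDLL", r"shell32\.dll\s*,\s*shellexec_rundll"),
    ("rundll32.exe", "rundll32-zipfldr-RouteTheCall", r"zipfldr\.dll\s*,\s*routethecall"),
    ("rundll32.exe", "rundll32-advpack-RegisterOCX", r"advpack\.dll\s*,\s*registerocx"),
    ("rundll32.exe", "rundll32-url-FileProtocolHandler", r"url\.dll\s*,\s*fileprotocolhandler"),
    ("msdt.exe", "msdt-PCW-module", r"\bpcw"),
    ("infdefaultinstall.exe", "infdefaultinstall-inf", r"\.inf\b"),
    ("cscript.exe", "cscript-slmgr-vbs", r"slmgr\.vbs"),
]

def normalize(cmdline):
    """cmd.exe drops '^' before the binary sees its argument (the zipfldr
    trick in the post), so strip it, collapse whitespace and lower-case."""
    return re.sub(r"\s+", " ", cmdline.replace("^", "")).strip().lower()

def detect(image, cmdline):
    """Return the first matching rule name for one process event, else None."""
    base = ntpath.basename(image).lower()
    norm = normalize(cmdline)
    for img, name, pattern in RULES:
        if base == img and re.search(pattern, norm):
            return name
    return None
# Constructed log format: one 'Image=<path>|CommandLine=<args>' line per event.
LINE_RE = re.compile(r"Image=(?P<image>[^|]+)\|CommandLine=(?P<cmd>.*)")

def scan(lines):
    """Return (rule name, raw command line) for every log line that matches."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        rule = detect(m["image"], m["cmd"]) if m else None
        if rule:
            hits.append((rule, m["cmd"]))
    return hits

# Constructed sample events: three LOLBAS hits and one benign rundll32 call.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe zipfldr.dll,RouteTheCall file://^C^:^/^W^i^n^d^o^w^s^/^s^y^s^t^e^m^3^2^/^c^a^l^c^.^e^x^e",
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe SHELL32.DLL,ShellExec_RunDLL notepad.exe",
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"Image=C:\Windows\System32\cscript.exe|CommandLine=cscript.exe /b c:\windows\system32\slmgr.vbs",
]
```

Matching on the DLL export pair rather than on rundll32.exe alone keeps the benign Control_RunDLL call out of the results, which is what makes a rule like this usable in a SIEM without drowning in noise.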

Hey guys! That's the end. Thanks for reading my blog post.

Resources:
- Living Off the Land Attacks | FRSecure
- LOLBAS/pester.md at master · api0cradle/LOLBAS (github.com)
- What are "living off the land" attacks? (ironnet.com)
