May Threat Intelligence Report
e2e-assure
Redefining the modern SOC services through UK based 24x7x365 Managed Threat Detection and Response.
‘LOL’ – Living Off the Land
Summer may be here, but we’re not out foraging yet; with our cyber hats still firmly on, this kind of living off the land refers to an adversary making the best use of their environment, post-breach.
A good EDR solution will alert on malicious tools, particularly off-the-shelf ones generated with platforms such as Metasploit or Cobalt Strike; with luck they are caught before they even execute, as they make their way over the network and on to the compromised host. With the aim of becoming ever stealthier and avoiding these electronic tripwires before their mission is accomplished, attackers are increasingly looking to leverage legitimate applications and utilities that are native to your operating system or application set. The distinct adversarial advantage here is that these are signed binaries, libraries or drivers, often forming part of the operating system itself and in some cases critical to its operation. Executables such as PowerShell, WMIC and MSBuild.exe are part of the modern Microsoft Windows OS and carry a valid digital signature from the vendor, as well as having powerful capabilities and running with System privileges. By taking this approach, an attacker is able to access stored credentials, bypass security measures such as UAC, move laterally across the network and ultimately exfiltrate your data.
If your adversary is able to accomplish their mission using this technique alone, there will be no trace of malicious artefacts, and when a compromised account is used, the execution of legitimate applications may only serve to muddy the waters of an investigation.
For administrative reasons these legitimate tools are likely to be on your organisation’s allow list, making them harder to restrict and harder still to detect when being used maliciously.
When fully considered, the above is starting to sound like the stuff of network defenders’ nightmares! Thankfully, there are still defensive techniques we can deploy and online resources that we can use to detect this behaviour. The folks at the LOLBAS Project do an excellent job of curating the many Windows binaries that are susceptible to abuse, as well as helpfully mapping them to the corresponding MITRE ATT&CK framework tactics. Their sibling site LOLDrivers does an equally comprehensive job of listing vulnerable Windows drivers, with a mature user interface and a wealth of related information, while GTFOBins presents the Unix-based OS equivalents of the LOLBAS project.
Being armed with these resources certainly helps, but what can you do when it comes to positive, defensive action? Know your network and know what’s ‘normal’: the basis of anomaly detection is to properly understand your activities using behavioural analysis, and to use that data to create intelligent tuning rules that recognise routine activity. Anything outside of that behaviour, for example a non-technical user running powershell.exe to invoke the certificate signing tool, should still light up your SIEM like Blackpool seafront. Another critical function is Threat Hunting: deploying your human resource to look for signs of malicious activity using endpoint and network forensic techniques, correlating against known IOCs in order to prove or disprove their hypothesis. This is a skill that should never be underestimated; there are as many cases of criminal activity being uncovered by a tenacious analyst as there are by an IDS or EDR solution.
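The behavioural approach described above, as an added example that is not code from the report or from e2e-assure: a small detector that learns which binaries each user normally runs during a learning window, then flags LOLBin use that falls outside that baseline, is spawned from PowerShell, or carries argument fragments that are rarely legitimate for an end user. The process-creation records, field names, user names and argument lists are all constructed assumptions for this example; in practice the baseline would come from your SIEM’s process-creation telemetry (e.g. Windows event 4688 or Sysmon event 1) and the argument list from your own tuning.

```python
"""Baseline-driven LOLBin anomaly detection over constructed process-creation events."""
from collections import defaultdict
from dataclasses import dataclass

# Signed, OS-native binaries that are commonly abused post-breach (see the LOLBAS Project).
LOLBINS = {"powershell.exe", "wmic.exe", "msbuild.exe", "certutil.exe", "rundll32.exe", "mshta.exe"}

# Argument fragments that are rarely legitimate for a non-technical user.
# Constructed for this example; tune them from your own baseline data.
SUSPICIOUS_ARGS = {
    "certutil.exe": ("-urlcache", "-decode", "-encode"),
    "powershell.exe": ("-enc", "-encodedcommand", "downloadstring"),
    "rundll32.exe": ("javascript:",),
}


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (assumed field names, not a real log schema)."""
    user: str
    parent: str
    image: str
    cmdline: str


def build_baseline(events):
    """Baseline = the set of binaries each user was seen running during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e.user].add(e.image.lower())
    return baseline


def score_event(e, baseline):
    """Return the reasons an event looks anomalous; an empty list means nothing to report."""
    reasons = []
    image = e.image.lower()
    if image not in LOLBINS:
        return reasons  # only LOLBins are in scope for this rule
    if image not in baseline.get(e.user, set()):
        reasons.append(f"{e.user} has no history of running {image}")
    if e.parent.lower() == "powershell.exe" and image != "powershell.exe":
        reasons.append(f"{image} spawned from PowerShell")
    low = e.cmdline.lower()
    for frag in SUSPICIOUS_ARGS.get(image, ()):
        if frag in low:
            reasons.append(f"suspicious argument {frag!r}")
    return reasons


def detect(learning_events, live_events):
    """Learn a per-user baseline, then return (event, reasons) pairs for anomalous live events."""
    baseline = build_baseline(learning_events)
    findings = []
    for e in live_events:
        reasons = score_event(e, baseline)
        if reasons:
            findings.append((e, reasons))
    return findings


# Constructed learning window: alice is a finance user, bob is a sysadmin.
LEARNING_EVENTS = [
    ProcEvent("alice", "explorer.exe", "excel.exe", "excel.exe"),
    ProcEvent("alice", "explorer.exe", "outlook.exe", "outlook.exe"),
    ProcEvent("bob", "cmd.exe", "powershell.exe", "powershell.exe -File deploy.ps1"),
    ProcEvent("bob", "cmd.exe", "wmic.exe", "wmic.exe os get caption"),
    ProcEvent("bob", "cmd.exe", "certutil.exe", "certutil.exe -store my"),
]

# Constructed live events: the first is the "non-technical user invokes the certificate tool" case.
LIVE_EVENTS = [
    ProcEvent("alice", "powershell.exe", "certutil.exe",
              "certutil.exe -urlcache -split -f http://example.invalid/file.txt file.txt"),
    ProcEvent("bob", "cmd.exe", "wmic.exe", "wmic.exe process list brief"),
    ProcEvent("alice", "explorer.exe", "excel.exe", "excel.exe"),
]

if __name__ == "__main__":
    for event, reasons in detect(LEARNING_EVENTS, LIVE_EVENTS):
        print(f"ALERT {event.user} -> {event.image}: {'; '.join(reasons)}")
```

Bob’s WMIC use is not reported because it sits inside his learned baseline and its parent and arguments are unremarkable; the same binary run by alice from a PowerShell parent with a download-style argument produces three independent reasons, which is the kind of stacked context a SIEM tuning rule can score rather than alerting on the binary name alone.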
Finally, understand what coverage you have from your current Microsoft licences and ensure this meets your expectations (get in touch if you need help with this) - check to see if you have ‘Defender for Endpoint Plan 2’ included and if not, consider upgrading to it. This security product from the vendor integrates natively with your Windows 10/11 desktop operating systems and provides EDR, discovery, threat analytics and advanced hunting functions and has a seamless integration with e2e-assure’s bespoke SIEM, Cumulo. This allows our Analyst teams to see alert data from across your estate in real-time and respond accordingly. If you’d like to learn more about this service, or just want to talk LOLBins, get in touch!
As well as this, further topics covered in the May issue are:
1. A favoured adversary tactic: 'Living off the Land'
2. The Rise of Anonymous Sudan
3. ‘Carpet Bombing’: An emerging threat
4. Spotlight on APT-1: Unveiling the threat actor
5. Update on the 3CX breach and Genesis Market takedown from our last report
To read the remaining four articles visit https://e2e-assure.com/#newsletter and sign up for the full intelligence brief.
Want to get in touch? You can reach us at: [email protected]