A few weeks ago, while watching the Hadza: Last of the First documentary, I couldn’t help but think of LOLBAS attacks.
You might be wondering what hunter-gatherers have to do with LOLBAS attacks. My intention is to answer precisely that question, and to let you see the connection for yourself, as we simplify the nature of LOLBAS attacks with the help of hunter-gatherers.
The term “hunter-gatherer” is used by anthropologists and archaeologists simply to describe people who live off the land.
The Hadza are a modern hunter-gatherer tribe living in northern Tanzania. The tribe’s entire survival depends primarily on how well they can leverage everything from their environment.
Everything they eat and drink is either hunted or foraged from their land. The Hadza women are in charge of gathering tubers, wild berries, greens and sometimes honey. The men frequently hunt large animals like zebras, giraffes and buffalo as well as small ones like birds and baboons.
The Hadza hunters of Tanzania are strategic and skilled in the art of attack. When groups of hunters set out to hunt, they follow a predefined set of tactics, techniques and procedures (TTPs). These TTPs play a crucial role: if each one is not carried out perfectly, the chances of bringing wild game back to the camp are severely compromised.
Now that we have covered our basics, I will attempt to map the TTPs exercised by the Hadza tribe during a hunt to the MITRE ATT&CK® Framework. As we discussed in my previous blog post, “Simplifying The MITRE ATT&CK Framework”, many of the tactics, techniques and procedures overlap with each other; feel free to create (and share) your own mapping as we go over it.
Living Off The Land Binaries And Scripts (LOLBAS) refers to any executable that is native to the operating system (OS); this includes scripts, software and libraries. LOLBAS attacks are often classified as fileless attacks because they don't necessarily require the adversary to place any additional files (executables, payloads, or artifacts) on the target.
The phrase "Living off the land" was coined by Christopher Campbell & Matt Graeber at DerbyCon 3. The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
Living Off The Land attacks, as the term implies, are attacks carried out using only the operating system’s built-in tools, sometimes referred to as “out-of-the-box” functionality.
Just as the Hadza hunter-gatherers hunt down their prey armed with bows and arrows made exclusively of natural materials found in their environment, adversaries set out to exploit compromised systems by leveraging everything they can from their environments.
Many “living off the land” attacks are possible mainly because some native Windows tools are signed with trusted digital certificates. We can say that these certificates serve as proof of integrity and authenticity to application whitelisting tools.
Since “living off the land” attacks don’t install malicious software, they are challenging for typical application control systems to detect. In a sense, this makes them more difficult to tackle than other variants, because the executable being run is not one installed by the adversary.
Doesn’t this remind you of the Hadza’s Defense Evasion tactic we mentioned above?
The effectiveness of LOLBAS attacks depends primarily on how skillful the adversary is at exploiting the trust relationship that exists between built-in tools and the operating system.
You may ask, “Why don't we simply uninstall these tools then?” Well, quite frankly, it is more complicated than that. Some of these tools are administrative tools like PowerShell, cmd.exe, Sysinternals, etc., and without them system administrators simply would not be able to do their job effectively.
Let’s take a look at two examples of LOLBAS attacks.
Applications may call Rundll32.exe whenever they need to access a Windows library function.
The most basic syntax for using “rundll32.exe” is the following (the DLL name is followed by the name of the exported function to call):
rundll32 <DLLname>,<EntryPoint>
Without the Rundll32.exe executable, applications would have to load the DLL into their own process in order to call these functions.
By replacing a required DLL file with an infected version, or placing one within the application’s DLL search path, the infected file is loaded when the application starts, activating its malicious operations.
Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. [MITRE ATT&CK]
Jorge Orchilles, CTO of SCYTHE, in his blog post #ThreatThursday - Orangeworm, shows us the step-by-step process of executing the dropper by leveraging the MITRE ATT&CK sub-technique T1218.011 - Rundll32, under the technique Signed Binary Proxy Execution.
Orangeworm performs a significant amount of Discovery by leveraging built-in tools such as arp, cmd, ipconfig, net, netstat, route, and systeminfo. We will do the same with SCYTHE’s adversary emulation plan, conscious that most of these tools will run without being blocked.
Orangeworm achieves persistence through creating a new account and creating a new service that executes the malware on reboot.
Microsoft released MSBuild in 2003 as part of the .NET Framework.
Since MSBuild is a trusted Microsoft binary that can take code and execute it in memory, it is often abused by adversaries in LOLBAS attacks in order to bypass application whitelisting solutions.
Shawn Edwards, Senior Adversary Emulation Engineer at SCYTHE, in his Compound Action: T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild shows us how to leverage the native Windows utility MSBuild to execute malicious code.
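Both of the examples above (rundll32 and MSBuild) share the same defensive weak spot: a signed, allowlisted binary is doing the work, so the thing worth watching is what it is told to load and who launched it. The following is an added illustration, not code from SCYTHE or from either blog post referenced above: it runs a few simple checks over constructed Sysmon-style process-creation events (field names mirror Sysmon Event ID 1; the paths, user name and parent processes are made up), flagging rundll32 invoked without a DLL,EntryPoint pair or loading a DLL from a user-writable directory, and MSBuild building a project file from a user-writable directory or spawned by an Office application.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation events (Event ID 1 field names);
# these are made-up samples, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dll,Start",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\Downloads\invoice.csproj",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

# Directories a standard user can write to: a signed OS binary pulling its
# input from here is the "planted DLL / project file" pattern the post describes.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Users\\Public|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE)
OFFICE_PARENT = re.compile(r"\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.IGNORECASE)


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like LOLBAS abuse; [] means nothing flagged."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    cmd, parent = ev["CommandLine"], ev["ParentImage"]
    args = cmd.split(None, 1)[1] if " " in cmd.strip() else ""
    reasons: List[str] = []
    if image == "rundll32.exe":
        if "," not in args:  # legitimate use always names <DLL>,<EntryPoint>
            reasons.append("rundll32 without a DLL,EntryPoint argument")
        if USER_WRITABLE.search(args):
            reasons.append("rundll32 loading a DLL from a user-writable path")
    elif image == "msbuild.exe":
        if USER_WRITABLE.search(args):
            reasons.append("MSBuild compiling a project from a user-writable path")
        if OFFICE_PARENT.search(parent):
            reasons.append("MSBuild spawned by an Office application")
    return reasons


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> reasons, for the events that were flagged."""
    return {i: r for i, ev in enumerate(events) if (r := check_event(ev))}
```

On the constructed sample, scan() flags only events 1 and 3; the ordinary Control Panel and Visual Studio invocations pass, which is the point: the binary is the same in all four, only its input and parent differ.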
I am confident that by now the connection between the Hadza tribe of Tanzania and the nature of LOLBAS attacks has proven beneficial in simplifying the understanding of this adversary tactic.
Just to recap, hunter-gatherers leverage everything from their land. They make use of hunting artifacts like bows and arrows crafted from native materials. Among many other things, they are skilled at exploiting the trust that exists between wild native dogs and wild game to their advantage.
Similarly, by implementing living off the land tactics, attackers no longer need to download third-party tools; they are skilled at exploiting the trust relationship that exists between built-in tools and application whitelisting systems. By exploiting this trust they blend in with everyday system work and do not raise additional alarms.
Using fileless attack techniques and malicious scripts has been a common strategy for adversaries, one which is made easier by various widely available tools. So it’s not shocking that every day more and more attackers are embracing living off the land attacks as their tactic of choice.
This post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
Nathali Cano is the Adversary Emulation Jr. at SCYTHE. She performs Red Team and Purple Team Exercises and supports the creation and curation of adversary emulation plans. She holds the MITRE ATT&CK Cyber Threat Intelligence (CTI) Certification. Nathali is passionate about and committed to giving back to the community. She is the founder of Grace In Action, a non-profit organization in NJ that supports families and small businesses from low-resource communities. She is a member of both Women In Cybersecurity (WiCyS) and Cybersecurity Non-Profit (CSNP).