Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
This is the fifth and final blog post in the Living Off the Land blog series. In this edition, the focus is on how adversaries may leverage Living off the Land tools to create Command and Control (C2) communication after successfully completing the previous phases of the Cyber Kill Chain.
Executive Summary
Command and control is the second to final stage of the Cyber Kill Chain, enabling the adversary to complete their actions and objectives. In order to establish command and control communications, both penetration testers and adversaries have exploited Living Off the Land techniques in the past. Scripting languages such as PowerShell and Windows Management Interface (WMI) have been exploited to enable C2, as has remote access software. Frameworks exist for the express purpose of creating C2 communication via Living Off the Land Tools. Defenders need to be aware that remote access software and scripting software is all that is required to establish command and control in the enterprise. These tactics are discussed in greater detail below, along with mitigation steps.
Background
There are various options adversaries can employ to establish communication using Living off the Land techniques. Common methods seen across the eSentire threat detection surface include PowerShell and Windows Management Interface (WMI). Other methods observed in the wild utilize remote access software and anti-theft applications.
There have been cases where common enterprise applications have been used to control and execute software on compromised hosts. In one particular case, TeamViewer was used to remotely deliver and execute commands against company assets, leading to the compromise of a CCleaner version. The compromised versions were downloaded by 2.3 million users before the issue was fully resolved [1].
In early May 2018, researchers identified a threat actor exploiting older versions of Absolute LoJack to establish successful C2 communication [2]. Absolute LoJack is a legitimate anti-theft solution used by organizations to track and remotely wipe stolen assets. The adversaries in this case were able to modify a LoJack agent to point to a rouge C2 server that mimics the LoJack communication protocols. By utilizing LoJack to maintain communication with the rouge server, the adversaries were able to perform malicious tasks to obtain their objectives.
The versatility of PowerShell and WMI have been noted in previous blog entries in this series; various frameworks using these languages have been created that reduce the difficulty in establishing Command and Control. One such tool is PoshC2. PoshC2 is an open source Command and Control framework that is written entirely in PowerShell [3]. It was designed for the benefit of penetration testers to establish communication after successful exploitation.
Additional Information
In order to demonstrate the use of Living off the Land tools for establishing Command and Control, the following section demonstrates the PoshC2 framework. This framework allows adversaries and pen-testers the ability to establish encrypted communication. PoshC2 was chosen to demonstrate as it has a high number of built in modules, receives frequent updates and is relatively simple to use. Figures 1-7 illustrate how potential attacks may unfold.
The server configuration settings and options for PoshC2 are shown in figure 1. The tool can be used internally on a compromised environment or externally on infrastructure owned by the adversary since it is built entirely from PowerShell. When used internally, PoshC2 can funnel traffic from multiple compromised assets through one IP address. This can minimize the chances of discovery when only monitoring egress traffic.
The Get-RecentFiles command brings up a list of recently accessed files on the machine. This allows adversaries to quickly identify potential files of interest.
The Get-Screenshot command allows adversaries to take live screen captures of the victims’ machines. Obtaining screen shots could allow adversaries to obtain sensitive information displayed on the screen.
In figure 7, the adversary used the PoshC2 framework to launch an executable. In this case, calc.exe was launched on the affected asset. From the attacker’s perspective, this functionality opens a near limitless set of options for new attacks across the network.
PoshC2 is blocked by Windows Defender by default in Windows 10, but the framework can be easily modified to evade detection.
Mitigation Strategies
Knowing the potential threats that exist pertaining to Living Off the Land tools allows defenders to tailor aspects of security to best protect against these attacks. Each previous blog post in this series has a tailored set of recommendations for defending against the use of Living Off the Land tools in the various Kill Chain stages. Below is a list of recommended steps for reducing the likelihood of an adversary successfully establishing Command and Control.
Conclusion
Penetration testers and adversaries have incorporated multiple living off the land techniques in established command and control communication. Whether through scripting languages like PowerShell, or compromising remote access software, communications can be established. Over the years, tools and frameworks have been developed to leverage Living Off the Land software as demonstrated by the PoshC2 framework. The detection of Living Off the Land tools is difficult, but by combining both network and endpoint monitoring, it is possible to identify unusual command and control activity.
This blog series has outlined the use of Living Off the Land tools for reconnaissance, weaponization, delivery and installation, exploitation and the command and control phases. Combining the kill chain phases can allow adversaries to achieve their objectives. Employing the use of Living off the Land techniques by adversaries can increase the difficulty for incident responders to detect. Performing the recommendations included in this blog series can help to mitigate, stop or quickly respond to threats relying on Living off the land tools.
Previous Blogs in this Series
Living Off the Land – The Reconnaissance Phase
Living Off the Land – The Weaponization Phase
Living Off the Land – The Delivery & Installation Phases
Living Off the Land – The Exploitation Phase
Sources
[1] https://thehackernews.com/2018/04/ccleaner-malware-attack.html
[2]https://asert.arbornetworks.com/lojack-becomes-a-double-agent/
[3] https://github.com/nettitude/PoshC2
[4] https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase/