An attacker's toolchest: Living off the land

03/08/2022
G DATA Blog

If you’ve been keeping up with the information security world, you’ve certainly heard that recent ransomware attacks and other advanced persistent threats are sometimes using special kind of tools. But for the most part, the tools will be very familiar to you.

The tools used by an attacker are showing what a determined cybercriminal group with a lot of patience and skills can do. The question a lot of people always ask to me is what kind of tools have been used in which kind of attack.

MITRE ATT&CK

To give you a good overview of the tools being used I also introduce you to the MITRE ATT&CK framework as most techniques used by the tools named over here can be found there!

MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). The MITRE ATT&CK framework is a knowledge base and model for cyber adversary behaviour, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target. The tactics and techniques abstraction in the model provide a common taxonomy of individual adversary actions understood by both offensive and defensive sides of cybersecurity. It also provides an appropriate level of categorization for adversary action and specific ways of defending against it.

MITRE ATT&CK was created in 2013. The key question for the researchers was "How well are we doing at detecting documented adversary behaviour?" To answer that question, the researchers developed ATT&CK, which was used as a tool to categorize adversary behaviour.

Part of the the mechanisms and some of the utilities described below can be found easily inside the MITRE ATT&CK framework.

The Tools of cybercriminals

a) The Obvious Choices

If you dig inside the forensics behind several cyber attacks you suddenly will come up with a bunch of typical hacking tools which are used by both legitime hackers and cybercriminals. Most use some open source and third party tools to perform their attacks. I listed several of them below:

Advanced IP Scanner

Bloodhound

Cobalt Strike

Defender Control

Impacket

LaZagne

Mimikatz

NirSoft Password Recovery Tools

ProcDump

PsExec

PowerShell Empire

PowerSploit

These tools are being used extensively by the cybercriminals, legitime hackers but also, of course, by normal network administrators. By the way this list isn’t complete, it just gives you an interesting overview of what’s being used.

 

The Real Ones

However, if you dig deeper into the world of hackers and cybercriminals you mostly see that they are using what widely is available on the MS Windows network itself. As most tools are available and being used by admins or scripts inside the company it also explains why attacks based on this are more difficult to spot. Several  MS  Windows uUtilities are being used extensively by the attackers. The good thing is that even if the most sophisticated ofskilled attackers still uses these kind of techniques and utilities, there will be always hope to catch them.

Most of the tools being used are common and are tools which most IT administrators are using on their own networks. But isn’t that good a sign? Could we not prevent to run these tools on our networks? This is not necessarily good news, for reasons we will get into.

Let’s have a deeper look at several of these utilities and let me explain in a nutshell how they are used. Standard MS Windows utilities are actually one of the most widely used tools by malware and threat actors from discovery and lateral movement to persistence and much more ….

 

Windows Utilities

(just an overview in random order – most descriptions are coming from Microsoft technical documentation)

Schtasks (schtasks.exe)

Enables an administrator to create, delete, query, change, run, and end scheduled tasks on a local or remote computer.

Used by malware and cybercriminals as a persistence mechanism on your network.

Nltest (nltest.exe)

Network Location Test — List domain controllers, Force a remote shutdown, Query the status of trust, test trust relationships and the state of domain controller replication.

This tool is often used by criminals to enumerate active directory trust.

Wmic (wmic.exe)

The WMI command-line utility provides a command-line interface for Windows Management Instrumentation (WMI)

Attackers can kill processes, search for processes, delete shadow copies, execute processes locally or remotely and so on.

Sc (sc.exe)

Communicates with the Service Controller and installed services

Used to disable, create, delete or stop services.

BCDEdit (bcdedit.exe)

BCDEdit is a command-line tool for managing Boot Configuration Data stores

Used by ransomware to disable recovery features.

Ping (ping.exe)

Verifies IP-level connectivity to another TCP/IP computer by sending Internet Control Message Protocol (ICMP) echo Request messages.

The ping command is often used to see if machines are up and running.

Net (net.exe)

The Net.exe Utility component is a command-line tool that controls users, groups, services, and network connections.

This utility can be used to view shares, create users and groups, discovery, view password policy…etc.

Mshta (mshta.exe)

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files.

Often seen at early stages of infection of an office executable but can also be seen as a technique to bypass a whitelist or application control.

Rundll32 (rundll32.exe)

This executable is used to load and run Dynamic Link Libraries.

This tool can be used to execute malicious DLL’s,  JavaScript or even execute DLL’s remotely from a share.

Systeminfo (systeminfo.exe)

Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties.

Used by malware and attackers for discovery.

Attrib (attrib.exe)

Displays, sets, or removes attributes assigned to files or directories.

Used by malware to hide a file or a folder.

Reg (reg.exe)

Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information.

Used by attackers to stay on the system by adding or modifying keys or as a query mechanism to check if certain configurations or software are installed and as tool to dump credentials.

Taskkill (taskkill.exe)

Ends one or more tasks or processes. Processes can be ended by process ID or image name

This utility is often used by malware or attackers to make sure that other programs such as backup software or security software don’t interfere with their work.

ICacls (icacls.exe)

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.

Used by malware and ransomware to change and modify directories and files permissions by granting full permissions on files and folder in the case of ransomware, which is generally one of the last steps before launching the encryption module.

Vssadmin (vssadmin.exe)

Displays current volume shadow copy backups and all installed shadow copy writers and providers

This is often used by ransomware to delete disk shadow copies from a computer to prevent any restore option.

And one of the most popular tools is PowerShell.exe which is the name of the popular programming and scripting language interpreter. This Microsoft scripting tool that can be used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance. It is becoming easier for attackers to leverage PowerShell in their attacks with the availability of PowerShell-based exploitation frameworks such as PowerSploit and PowerShell Empire, which are easy to use and lower the barrier to entry for using PowerShell in attacks.

And there are many more MS Tools (Wscript , Regsvr32, etc …) which I haven’t even looked into here as this list is already becoming too extensive.

Living off the land techniques

In the physical world “living off the land” simply means to survive only by utilizing the resources that you can harvest from the ‘natural’ land. There may be multiple reasons for doing this: for instance you want to become ‘invisible’ or maybe you have something or someone to hide from or you just like the challenge of being self-sufficient. In the IT world “living off the land” refers to attacker-behaviour that uses tools that already exist in the targeted environment.
 
Attackers that use already existing tools avoid the need to build and test the new tools. They don’t have to worry about compatibility or dependencies. It’s also cheaper and quicker to use what is already there. It’s also not that easy to create programs that are stealthy enough to avoid detection for instance. Strange though it may sound, developing malware that is stealthy enough is almost an art form that is difficult to master. From an attacker’s view using existing tools makes the job of the defender definitely more difficult. Because the attacker uses tools that are already present in the network, any malicious activity rarely stands out from regular activities.

 

Stopping attacks

This overview clearly shows that most threats are coming from tools being used widely in networks for administration purposes. Daily network monitoring is advised and should be part of your cyber security policy. There are also possibilities to blacklist specific tools from being run. This could stop several attacks very easily. However picking out the malicious use of built-in tools versus the authorized use of tools by the system administrator can be akin to looking for a needle in a haystack – except the haystack is really a pile of needles. Another possibility is to create some rules to stop a specific technique being used and base-lining the behaviour of the users in it so that your average network users aren’t hindered in their daily work.  Another very good threat blocking prevention technique is to keep an eye at registry keys interaction as a lot of malware and attackers are misusing the registry in a lot of ways. It isn’t always easy to find a legitime process executing malicious code on your network. At least with the help of the MITRE ATT&CK framework (see above) you can have a good overview of what can go wrong on your network.
 
Nevertheless the best prevention is to stop the threat before it is reaching your network because the attacker will need to trick the user into executing something or clicking on the wrong link(s) except in the case that a vulnerability is involved. The good news is that most threats can be stopped from the beginning by a good implementation of Cyber Security Awareness Trainings, Endpoint Security Protection and a fast patch management policy. The beginning of any good security strategy is to establish a baseline. This will help you to create criteria for activity patterns that are normal versus those that may indicate foul play. Without that baseline it is very difficult or even impossible to detect activities that warrant a closer look. If you happen across any suspicious activity without a baseline, this is very likely to be a result of luck than good investigation.
And if there is one thing you definitely do not want to have to rely on for security in your networks, then it is luck.

Eddy Willems
Security Evangelist