Tips for an Information Security Analyst/Pentester career - Ep. 85: Weaponizing Windows Binaries (LOLBAS & C.)

Over the last years, attackers have used increasingly sophisticated techniques, by leveraging coding bugs in web applications and security gaps in EDR systems and in antivirus software.

Security solutions play a cat-and-mouse game with bad guys, trying to catch up, and they often fail.


So far security products have mostly focused on detecting malicious payloads dropped to the target machine in multiple ways (through phishing, drive-by downloads and other mechanisms), but most of them widely overlook another important attack vector.

One of the latest trends in penetration testing is to use the so-called Living Off the Land Binaries and Scripts (LOLBAS), i.e. scripts and binaries normally installed by default in Windows, to slip through undetected. An alike approach for *nix systems is called GTFOBins.

As for Windows, this new threat vector is based on the concept that several system binaries may support built-in functionalities that potentially allow for compromise of the target system, but at the same time, as they are often bundled in Windows and signed by Microsoft, they do not normally raise any eyebrows when present in system activity. LOLBAS represent standard Windows features and binaries that can be often abused by attackers to bypass endpoint detection and defenses

A very useful reference to build on this concept is the LOLBAS project, available at https://lolbas-project.github.io/.


I recently participated in an engagement where I managed to widely use this method to compromise the target system, though it was hardened by a well-designed security solution.


Most incident response platforms focus on signatures or behavioral patterns, therefore they detect a potentially malicious binary either when it’s not signed by Microsoft or other trusted sources, or when its hash value matches the hash value of a known malware variant.


Utilizing LOLBAS to compromise a system is a very convenient method to attackers, because they don’t cause a lot of noise or suspicions. In fact, these binaries are signed by Microsoft, and they’re already available by default, so an attacker doesn’t have to download or install a third-party executable that could be flagged and blocked, or that could generate a revealing audit trail.

Let’s now have a look at some hands-on examples of LOLBAS exploitation and let’s see how Windows Defender responds to this type of attacks.

a) FTP:
FTP can be used both interactively in a terminal and non-interactively, by loading commands off a text file.

The latter method can allow an attacker to silently download a malicious file to the target machine.

After starting an FTP server on Kali, by using pyftpdlib, I could run the above commands from a text file, without being detected by Defender or other security software.
Sadly, Windows Defender detected the payload I used, as it was generated with msfvenom, but a custom malware would have surely had a much better luck.

This brings me to another consideration: I think Microsoft deserves a lot of credit for the way Windows Defender got improved.

Defender detected almost every payload I generated, no matter whether obfuscated or encoded.


b) Certutil:
Certutil is a standard Windows utility having dual purposes. Its primary function is to dump, display, and configure certification authority (CA) information.
However, it can also be used to upload a file to a Windows computer, without checking the format of the file.

The upload command was successful but, once again, Defender detected and removed the payload I generated as malicious.


c) nc.exe (netcat for Windows):
I was able to download nc.exe and obtain a reverse shell, without any response from Defender.
The executable isn’t always available by default in Windows, and some of its versions don’t support its -e  switch.
However, it’s a pretty easy way to obtain a reverse shell on a remote system, if it's available on the local machine.

Netcat connection opened on the Windows machine

Netcat listener receiving connection on Kali (port 5555)

d) sethc.exe (STICKY KEYS ATTACK):
Sticky Keys is an accessibility feature that can be activated by pressing the SHIFT key for 5 times.
If an attacker can access the local filesystem with the right set of privileges, they could replace the original executable with cmd.exe and spawn a terminal, when the functionality is recalled.

Attackers could easily add a user for themselves, achieving persistence on the target machine.

The following examples are taken from this blog post.


e) extrac32.exe:
It’s used to extract cab files, but you also can use this command to add alternate data streams to a file.
In the below example, I added a hidden executable (Process Explorer) to a file called file.txt and the file didn’t change its size.

I was then able to run the executable without triggering any response from Windows Defender.

f) Findstr.exe:
It finds strings within text files. This useful functionality can be abused by searching for a string that does not exist in a file, and pipe that into a new file.
The hidden file can also be piped into an ADS stream of a file.



g) sc.exe:
A binary can be executed from an alternate data stream as follows:

Wrap-up

Quoting Nolan B. Kennedy: “In the modern age, antivirus and IDS/IPS software have made the ultimate comeback. The golden age of launching vanilla mimikatz and meterpreter payloads are LONG gone. And for my OSCP students: No, using 30 rounds of shikataganai encoding will NOT help you 😂⁣
LOLBAS (Living Off the Land Binaries and Scripts)⁣ and its sister site GTFOBins (for linux) are incredibly useful resources for identifying and abusing tools installed on almost every machine for everything from jail shell escaping & privesc to covert file transfers & data exfil. ⁣Now depending on the logging capabilities of the target system, you might STILL get caught doing bad things. Especially if the target system is monitored by a crack IR or Hunt team. .⁣And ultimately, as pentesters/red teamers we’re adaptive and LOL is only one tactic in our arsenal. Let’s make those defenders work for their pay 😈”

I couldn’t agree more with this statement. The longer I’m in the game the harder it gets for me to get a shell on a target system.

EDR and AV solutions have greatly stepped up their game and detect 90% of my payloads, because everyone used the same payloads for years and by now their signatures are well-known and are all over the place.

Even obfuscation doesn’t improve a lot the outcome from this type of attacks.
The response to these improved detection capabilities can be manually creating custom payloads and utilizing LOLBAS.

LOLBAS-based attack vectors are way stealthier, as they don’t raise a lot of suspicion nor create a lot of noise.

Most of them have underlying functionalities that can be abused but they’re signed by Microsoft, so defenders often overlook them.

We all picture bad guys dropping some weird payloads on the system and expect for an alert to pop up about that, but what if the attacker used Windows functionalities themselves to attack a remote system?

When red teamers use this attack vector, they’ll achieve a good success rate because often times no one thought of monitoring it.
I personally believe this is the future of penetration testing and we’ll see LOLBAS increasingly being used by bad guys to evade defenses.

Are you ready for this?

References:
https://www.varonis.com/blog/the-malware-hiding-in-your-windows-system32-folder-more-alternate-data-streams-and-rundll32/

https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/