Breaking Down LOLBAS Attacks With The Help Of Hunter-gatherers

This was originally published on February 4, 2022 on the Scythe blog page.

Author Nathali Cano

https://frontporchne.com/article/tanzanias-hadza-say-think-youre-lost/

A few weeks ago , while watching the Hadza: Last of the First documentary, I couldn’t help but think of LOBAS attacks.

You might be wondering; what do hunter-gatherers have to do with LOLBAS attacks? Well, my intention is to answer precisely that question while allowing you to see the connection for yourself as we simplify the nature of LOLBAS attacks with the help of hunter-gathers.

Hunter-gatherers

The term is used by anthropologists and archaeologists to simply describe that hunter-gatherers live off the land.

The Hadza Tribe

The Hadza are a modern hunter-gatherer tribe living in northern Tanzania. The Tribe’s entire survival depends primarily on how well they can leverage everything from their environment.

Everything they eat and drink is either hunted or foraged from their land. The Hadza women are in charge of gathering tubers, wild berries, greens and sometimes honey. The men frequently hunt large animals like zebras, giraffes and buffalo as well as small ones like birds and baboons.

Mapping the Hunter’s TTP’s to the MITRE ATT&CK Framework

The Hadza hunters of Tanzania are strategic and skilled in the art of attack. When groups of hunters set out to hunt, they follow a predefined set of tactics, techniques and procedures (TTP’s). These TTP’s play a crucial role. If each TTP is not carried out perfectly the chances of succeeding in bringing wild game back to the camp, are severely compromised.

Now that we covered our basics, I will attempt to map the TTP’s exercised by the Hadza tribe during a hunt, to the MITRE ATT&CK® Framework. As we discussed in my previous blog post Simplifying The MITRE ATT&CK Framework many of the tactics, techniques and procedures overlap with each other; Feel free to create (and share) your own mapping as we go over it.

https://geographical.co.uk/people/cultures/item/3598-the-hunter-gatherers-protecting-tanzania-s-forests-through-carbon-offset/

TTP’S

They Survey The Area ahead of time

Reconnaissance-TA0043

1. They Construct Spying Bushes to hide and deceive their prey

2. Defense Evasion-TA0005

3. They Communicate Subtly while deciding the best angle of attack

Command and Control- TA0011

1. They often use crafted Bow and Arrow as their hunting artifacts

Develop Capabilities-T1587

1. They Shoot Poisoned Arrows at the prey

Execution-TA0002

1. They Read The Animal's Tracks to locate it after it has fallen down. Collection-TA0009

2. They Train Native Dogs to lure the prey out of the bushes

Lateral Movement-TA0008

https://hraf.yale.edu/dogs-and-the-hands-that-feed-the-utility-of-dogs-in-hunter-gatherer-societies/

LOLBAS and LOLBIN what exactly is it?

Living Off The Land Binaries And Scripts (LOLBAS) makes reference to any executable that is native to the operating system (OS) ,this includes scripts, softwares and libraries. LOLBAS attacks are often classified as fileless attacks because they don't necessarily require the adversary to place any additional files (executables, payloads, or artifacts) on the target.

LOLBIN Project

The phrase "Living off the land" was coined by Christopher Campbell & Matt Graeber at DerbyCon 3. The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

How do LOLBAS Attacks Work?

Living Off The Land attacks, as the term implies, is an attack that is carried out only using the operating system’s built-in tools; what is sometimes referred to as “Out-of-the-box” functionalities.

https://frontporchne.com/article/tanzanias-hadza-say-think-youre-lost/

The Connection

Just like the Hadza’s hunter-gatherers hunt down their prey armed with bows and arrows made exclusively of natural materials that are found in their environment; In the same way adversaries set out to exploit compromised systems by leveraging everything they can from their environments.

Why are LOLBAS attacks so effective?

Many “Living off the land” attacks are possible mainly because some native Windows tools are signed with trusted digital certificates. We can say that these certificates serve as proof of integrity and authenticity to application whitelisting tools.

Since "Living off the land" attacks don’t install malicious software, it is challenging for typical Application Controls systems to detect. In a sense,this makes it more difficult to tackle than other variants, because the executable being run is not one installed by the adversary.

Doesn’t this remind you of the Hadza’s Defense Evasion tactic we mentioned above?

Exploiting trust relationships

The effectiveness of LOLBAS attacks depends primarily on how skillful the adversary is at exploiting the trust relationship that exists between built-in tools and the operating system.

Can we just block these built-in tools?

You may ask, “Why don't we simply uninstall these tools then?” Well, quite frankly, it is more complicated than that. You see, some of these tools are administrative tools like PowerShell, cmd.exe, SysInternals etc. and without the system administrators simply would not be able to do their job effectively.

Let’s take a look at two examples of LOLBAS attacks.

Rundll32.exe & MSBuild

Rundll32.exe

• Is a process which executes dynamic-link library (DLL)

• A DLL is a module that contains functions and data that can be used by another module.

• Multiple applications can share such DLL files, even simultaneously.

• Rundll32.exe executes DLLs on their own and on-demand, rather than waiting for an application that depends on them to load them.

What are some common functions executed by Rundll32.exe?

• Storing information in system memory

• Accessing any device connected to your computer

• Transferring inputs and outputs from hardware like the keyboard and mouse

• Displaying windows and other objects for a graphical user interface

• Playing sounds using the computer's audio driver and hardware

Some other functions include:

How does the Rundll32.exe process work?

Applications may call Rundll32.exe each time that it needs to access a Windows library function.

1. Programmers run Rundll32.exe from within their application

The most basic syntax for using “rundll32.exe” is the following:

rundll32 <DLLname>

1. The command calls the Rundll32.exe application and tells it to provide the application with access to a specific component found inside the dll library stored in the System32 directory.

2. Programmers can then call specific functions found within those components.

Without the Rundll32.exe executable, applications would have to run their own application and load the DLL into it in order to call these advanced functions.

How can DLL’s be executed maliciously?

By replacing a required DLL file with an infected version and placing it within the search parameters of an application, the infected file will be called upon when the application loads, activating its malicious operations.

How is Rundll32 exploited?

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. [MITRE ATT&CK]

Example of a Malicious Rundll32.exe Campaign

Jorge Orchilles , CTO of Scythe. In his blog #ThreatThursday - Orangeworm shows us the step by step process of executing the dropper leveraging the MITRE ATT&CK sub-technique T1218.011 - Rundll32 under the technique, Signed Binary Proxy Execution.

Orangeworm: Signed Binary Proxy Execution

Orangeworm performs a significant amount of Discovery by leveraging built in tools such as arp, cmd, ipconfig, net, netstat, route, and systeminfo. We will do the same with Scythe’s adversary emulation plan, conscious that most of these tools will run without being blocked.

Persistence

Orangeworm achieves persistence through creating a new account and creating a new service that executes the malware on reboot.

MSBuild

Microsoft released MSBuild in 2003 as part of the . NET Framework.

How does MSBuild Work?

• Allows developers to compile and execute code where Visual Studio isn't installed.

• Can compile XML C# project files

• It’s “Tasks” method can execute a task written in managed code

• Enables code to be specified and compiled by MSBuild and executed in memory.

• “UsingTask” element defines the task that will be compiled.

https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly

How is MSBuild exploited?

Since the MSBuild is a trusted Microsoft binary that can take code and execute it in memory, it is often abused by adversaries in LOLBAS attacks in order to bypass application whitelisting solutions.

Executing malicious code with MSBuild

Final Thoughts I am confident that by now the connection between the Hadza tribe of Tanzania and the nature of LOLBAS attacks have proven beneficial at simplifying the understanding of said adversary’s tactics. Just to recap, hunter-gathers leverage everything from their land. They make use of hunting artifacts like bows and arrows crafted from native materials. Among many other things, they are skilled at exploiting the trust that exists between wild native dogs and wild game, to their advantage. Relatively, by implementing living off the land tactics, attackers no longer have the need to download third party tools, they are skilled at exploiting the trust relationship that exists between built-in tools and application whitelisting systems. By exploiting this trust they blend in with everyday system work and not raise additional alarms. Using fileless attack techniques and malicious scripts has been a common strategy for adversaries, one which is made easier by various, widely available tools. So it’s not shocking that every day more and more attackers are embracing living off the land attacks as their tactics.

References and Additional Reading

• Signed Binary Proxy Execution: Rundll32, Sub-technique T1218.011 - Enterprise | MITRE ATT&CK®

• A Deep Dive Into RUNDLL32.EXE

• Threat Actors Use MSBuild to Deliver RATs Filelessly

• New Research: Fileless Malware Attacks Surge by 900% and Cryptominers Make a Comeback, While Ransomware Attacks Decline

• AppLocker Bypass – MSBuild

• List of Rundll32 Commands in Windows 10

About the Author Nathali Cano is the Adversary Emulation Jr. at SCYTHE. She performs Red Team and Purple Team Exercises and supports the creation and curation of adversary emulation plans. She holds the MITRE ATT&CK Cyber Threat Intelligence (CTI) Certification. Nathali is passionate and committed to giving back to the community. She is the founder of Grace In Action, a non-profit organization in NJ that supports families and small businesses from low-resource communities. She is both a member of Women In Cybersecurity (WiCys) and Cybersecurity Non-Profit (CSNP). Nathali was a speaker at the WiCyS 2022 Conference.