CSNP

Breaking Down LOLBAS Attacks With The Help Of Hunter-gatherers

This was originally published on February 4, 2022 on the Scythe blog page.

Author: Nathali Cano

https://frontporchne.com/article/tanzanias-hadza-say-think-youre-lost/

A few weeks ago, while watching the Hadza: Last of the First documentary, I couldn’t help but think of LOLBAS attacks.

You might be wondering: what do hunter-gatherers have to do with LOLBAS attacks? My intention is to answer precisely that question, and to let you see the connection for yourself, as we simplify the nature of LOLBAS attacks with the help of hunter-gatherers.


Hunter-gatherers

The term is used by anthropologists and archaeologists to describe people who live off the land: everything they need is taken from the environment around them rather than produced or imported.


The Hadza Tribe


The Hadza are a modern hunter-gatherer tribe living in northern Tanzania. The tribe’s survival depends on how well its members can make use of everything their environment provides.

Everything they eat and drink is either hunted or foraged from their land. The Hadza women are in charge of gathering tubers, wild berries, greens and sometimes honey. The men frequently hunt large animals like zebras, giraffes and buffalo as well as small ones like birds and baboons.


Mapping the Hunters’ TTPs to the MITRE ATT&CK Framework


The Hadza hunters of Tanzania are strategic and skilled in the art of attack. When groups of hunters set out to hunt, they follow a predefined set of tactics, techniques and procedures (TTPs). These TTPs play a crucial role: if any one of them is not carried out well, the chances of bringing wild game back to the camp are severely reduced.


Now that we have covered the basics, I will attempt to map the TTPs exercised by the Hadza during a hunt to the MITRE ATT&CK® Framework. As discussed in my previous blog post, Simplifying The MITRE ATT&CK Framework, many tactics, techniques and procedures overlap with each other, so feel free to create (and share) your own mapping as we go over it.

https://geographical.co.uk/people/cultures/item/3598-the-hunter-gatherers-protecting-tanzania-s-forests-through-carbon-offset/


TTPs

  • They Survey The Area ahead of time: Reconnaissance (TA0043)

  • They Construct Spying Bushes to hide and deceive their prey: Defense Evasion (TA0005)

  • They Communicate Subtly while deciding the best angle of attack: Command and Control (TA0011)

  • They often use crafted Bows and Arrows as their hunting artifacts: Develop Capabilities (T1587)

  • They Shoot Poisoned Arrows at the prey: Execution (TA0002)

  • They Read The Animal’s Tracks to locate it after it has fallen: Collection (TA0009)

  • They Train Native Dogs to lure the prey out of the bushes: Lateral Movement (TA0008)

https://hraf.yale.edu/dogs-and-the-hands-that-feed-the-utility-of-dogs-in-hunter-gatherer-societies/


LOLBAS and LOLBins: what exactly are they?


Living Off The Land Binaries And Scripts (LOLBAS) refers to executables that are native to the operating system (OS), including scripts, software and libraries; the LOLBAS project also counts Microsoft-signed tools that are downloaded from Microsoft rather than shipped with Windows. Each such binary is a LOLBin. LOLBAS attacks are often classified as fileless because they do not necessarily require the adversary to place any additional files (executables, payloads or artifacts) on the target; in practice the attacker frequently still drops a script or DLL, but the process that runs it is a trusted, pre-existing one.


The LOLBAS Project


The phrase "Living off the land" was coined by Christopher Campbell & Matt Graeber at DerbyCon 3. The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.


How do LOLBAS Attacks Work?

A Living Off The Land attack, as the term implies, is carried out using only the operating system’s built-in tools, sometimes referred to as “out-of-the-box” functionality.



The Connection

Just as the Hadza hunt their prey armed with bows and arrows made exclusively from natural materials found in their environment, adversaries set out to exploit compromised systems by leveraging everything they can find in theirs.

Why are LOLBAS attacks so effective?


Many “Living off the land” attacks work because the native Windows tools involved are signed by Microsoft and live under the Windows directory. Application allowlisting tools (AppLocker, Windows Defender Application Control and similar products) treat that signature and location as proof of integrity and authenticity, and default rule sets commonly permit anything under C:\Windows to run.


Because a “Living off the land” attack installs no malicious software of its own, typical application control systems have little to catch: the executable being run is a trusted one that was already on the system, not one the adversary installed. In that sense it is harder to tackle than attacks that bring their own binaries.


Doesn’t this remind you of the Hadza’s Defense Evasion tactic we mentioned above?


Exploiting trust relationships

The effectiveness of LOLBAS attacks depends primarily on how skillful the adversary is at exploiting the trust relationship that exists between built-in tools and the operating system.


Can we just block these built-in tools?


You may ask, “Why don’t we simply remove these tools then?” It is more complicated than that. Many of them are administrative tools (PowerShell, cmd.exe, rundll32.exe, the Sysinternals utilities, which are Microsoft-signed even though they are not shipped with the OS, and so on), and without them system administrators, and often Windows itself, could not function properly. Removing or blocking them outright tends to break legitimate operations, so the practical options are to constrain them (deny them to users who have no need for them, restrict the directories and arguments they may be used with) and to monitor how they are used.

Let’s take a look at two examples of LOLBAS attacks.


Rundll32.exe & MSBuild


Rundll32.exe

  • Is a Windows utility (rundll32.exe in System32, with a 32-bit copy in SysWOW64) that loads a dynamic-link library (DLL) and calls one of its exported functions

  • A DLL is a module that contains functions and data that can be used by another module.

  • Multiple applications can share such DLL files, even simultaneously.

  • Rundll32.exe lets a function exported by a DLL be invoked on demand, without waiting for an application that depends on the DLL to load it.

What kinds of functions live in the DLLs that Rundll32.exe invokes?


Windows DLLs expose functions for, among other things:

  • Storing information in system memory

  • Accessing any device connected to your computer

  • Transferring input and output from hardware such as the keyboard and mouse

  • Displaying windows and other objects for a graphical user interface

  • Playing sounds using the computer’s audio driver and hardware

Rundll32.exe itself does none of these; it simply loads the DLL it is given and calls the export it is told to.


How does the Rundll32.exe process work?


Applications load DLLs directly, through the loader (LoadLibrary); rundll32.exe exists so that scripts, shortcuts, installers and administrators can call a DLL’s exported function from a command line without writing a host program. The basic syntax is:

rundll32.exe <DLLname>,<EntryPoint> [arguments]

  1. Rundll32.exe loads the named DLL. If only a bare name such as shell32.dll is given, the file is located through the normal DLL search order, which begins with the application directory and System32; if a full path is given, exactly that file is loaded, wherever it is.

  2. It resolves <EntryPoint>, which is an exported function name (or an ordinal written as #number), and calls it, passing a window handle, the DLL’s instance handle, the remainder of the command line as a string, and a show-window flag.

  3. When the function returns, rundll32.exe exits.

Without rundll32.exe, anyone who wanted to call such a function would have to write and run a host program that loads the DLL and calls it.


How can DLLs be executed maliciously?


There are two common routes. First, an adversary can plant a malicious DLL where an application looks for a legitimate one (DLL search order hijacking, ATT&CK T1574.001): because the loader takes the first match in the search order, the planted file is loaded when the application starts and its code runs inside that application. Second, when rundll32.exe is involved no replacement is needed at all: it loads whatever DLL path it is handed and calls the requested export, so a DLL dropped in a user-writable directory runs under a trusted, Microsoft-signed host process.


How is Rundll32 exploited?

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. [MITRE ATT&CK]
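As an added example (not code from the original post, and not from Scythe or the LOLBAS project), the following Python script parses rundll32 command lines into DLL, entry point and arguments, following the syntax described above, and applies a few triage heuristics to a set of constructed sample lines. The heuristics (bare rundll32.exe with no arguments, ordinal entry points, DLLs in user-writable or remote paths, files without a .dll extension, javascript:/vbscript: monikers in place of a DLL) and the sample lines are assumptions chosen for illustration, not an authoritative rule set. The point they make is the one in the MITRE description: an allowlist that trusts rundll32.exe by path or signature passes every one of these, so it is the command line, not the image, that has to be inspected.

```python
"""Triage of rundll32.exe command lines (added example, not code from the original post).

rundll32 takes ``<DLLname>,<EntryPoint> [arguments]``: it loads the DLL, resolves the
entry point (a name, or ``#ordinal``) and calls it.  An allowlist that trusts
rundll32.exe by path or Microsoft signature passes every one of these invocations,
so the command line is the only place the abuse is visible.  The heuristics below are
an assumed starting point for this example, not an authoritative rule set.
"""
import ntpath

# Path fragments a non-admin user can normally write to (assumption for this example).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# Monikers that make rundll32 hand the argument to a script engine instead of a DLL.
SCRIPT_MONIKERS = ("javascript:", "vbscript:", "about:")


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans together.

    Quotes are stripped from the tokens.  This is enough for the example and is not a
    full re-implementation of CommandLineToArgvW.
    """
    tokens, current, in_quotes = [], "", False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append(current)
                current = ""
        else:
            current += ch
    if current:
        tokens.append(current)
    return tokens


def parse_rundll32(cmdline):
    """Return {image, dll, entry, args, moniker} for a rundll32 command line, else None."""
    tokens = split_cmdline(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("rundll32", "rundll32.exe"):
        return None
    info = {"image": tokens[0], "dll": None, "entry": None, "args": [], "moniker": None}
    if len(tokens) == 1:                      # bare rundll32.exe, nothing to load
        return info
    target, rest = tokens[1], tokens[2:]
    for moniker in SCRIPT_MONIKERS:
        if target.lower().startswith(moniker):
            info.update(moniker=moniker, args=rest)
            return info
    if "," in target:                         # the documented form: dll,EntryPoint
        dll, entry = target.split(",", 1)
        if entry == "" and rest:              # tolerate "x.dll, EntryPoint"
            entry, rest = rest[0], rest[1:]
    else:                                     # DLL given without an entry point
        dll, entry = target, None
    info.update(dll=dll, entry=entry or None, args=rest)
    return info


def triage(cmdline):
    """Return (parsed, reasons): reasons is empty when nothing looks odd, and parsed is
    None when the image is not rundll32 at all."""
    info = parse_rundll32(cmdline)
    if info is None:
        return None, []
    if info["moniker"]:
        return info, ["script_moniker"]       # no DLL at all, a script engine is abused
    if info["dll"] is None:
        return info, ["no_arguments"]         # hollow host process, common injection target
    reasons = []
    dll = info["dll"].lower()
    if info["entry"] and info["entry"].startswith("#"):
        reasons.append("ordinal_entrypoint")  # export by number hides the function name
    if any(frag in dll for frag in USER_WRITABLE) or dll.startswith("\\\\"):
        reasons.append("user_writable_or_remote_path")
    if ntpath.splitext(dll)[1] not in ("", ".dll", ".cpl"):
        reasons.append("unusual_extension")   # the loader does not care what the file is called
    return info, reasons


# Constructed sample command lines for the demonstration (not real telemetry).
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\update.dat,Start',
    r'rundll32.exe shell32.dll,#61',
    r'"C:\Windows\System32\rundll32.exe"',
    r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)',
    r'C:\Windows\explorer.exe',
]


def triage_all(cmdlines=SAMPLE_CMDLINES):
    """Map each rundll32 command line to its reasons; lines for other images are skipped."""
    results = {}
    for cmdline in cmdlines:
        parsed, reasons = triage(cmdline)
        if parsed is not None:
            results[cmdline] = reasons
    return results


if __name__ == "__main__":
    for cmdline, reasons in triage_all().items():
        print(("SUSPICIOUS" if reasons else "benign    "), cmdline, reasons)
```

Running the script flags four of the five rundll32 lines and leaves the Control Panel invocation alone; the explorer.exe line is ignored because the parser keys on the image name first. In a real pipeline the same function would run over the CommandLine field of process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled), and the parent process and the DLL’s signature would be added as further signals.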


Example of a Malicious Rundll32.exe Campaign


Jorge Orchilles, CTO of Scythe, in his blog post #ThreatThursday - Orangeworm, walks through step by step how the dropper is executed using the MITRE ATT&CK sub-technique T1218.011 - Rundll32, under the technique Signed Binary Proxy Execution (since renamed System Binary Proxy Execution).