top of page
  • Writer's pictureCSNP
    • Apr 4, 2022
    • 6 min read

Breaking Down LOLBAS Attacks With The Help Of Hunter-gatherers

This was originally published on February 4, 2022 on the Scythe blog page.

Author Nathali Cano

https://frontporchne.com/article/tanzanias-hadza-say-think-youre-lost/

A few weeks ago , while watching the Hadza: Last of the First documentary, I couldn’t help but think of LOBAS attacks.

You might be wondering; what do hunter-gatherers have to do with LOLBAS attacks? Well, my intention is to answer precisely that question while allowing you to see the connection for yourself as we simplify the nature of LOLBAS attacks with the help of hunter-gathers.


Hunter-gatherers

The term is used by anthropologists and archaeologists to simply describe that hunter-gatherers live off the land.


The Hadza Tribe


The Hadza are a modern hunter-gatherer tribe living in northern Tanzania. The Tribe’s entire survival depends primarily on how well they can leverage everything from their environment.

Everything they eat and drink is either hunted or foraged from their land. The Hadza women are in charge of gathering tubers, wild berries, greens and sometimes honey. The men frequently hunt large animals like zebras, giraffes and buffalo as well as small ones like birds and baboons.


Mapping the Hunter’s TTP’s to the MITRE ATT&CK Framework


The Hadza hunters of Tanzania are strategic and skilled in the art of attack. When groups of hunters set out to hunt, they follow a predefined set of tactics, techniques and procedures (TTP’s). These TTP’s play a crucial role. If each TTP is not carried out perfectly the chances of succeeding in bringing wild game back to the camp, are severely compromised.


Now that we covered our basics, I will attempt to map the TTP’s exercised by the Hadza tribe during a hunt, to the MITRE ATT&CK® Framework. As we discussed in my previous blog post Simplifying The MITRE ATT&CK Framework many of the tactics, techniques and procedures overlap with each other; Feel free to create (and share) your own mapping as we go over it.

https://geographical.co.uk/people/cultures/item/3598-the-hunter-gatherers-protecting-tanzania-s-forests-through-carbon-offset/


TTP’S

They Survey The Area ahead of time


Reconnaissance-TA0043

  1. They Construct Spying Bushes to hide and deceive their prey

  2. Defense Evasion-TA0005

  3. They Communicate Subtly while deciding the best angle of attack

Command and Control- TA0011

  1. They often use crafted Bow and Arrow as their hunting artifacts

Develop Capabilities-T1587

  1. They Shoot Poisoned Arrows at the prey

Execution-TA0002

  1. They Read The Animal's Tracks to locate it after it has fallen down. Collection-TA0009

  2. They Train Native Dogs to lure the prey out of the bushes

Lateral Movement-TA0008

https://hraf.yale.edu/dogs-and-the-hands-that-feed-the-utility-of-dogs-in-hunter-gatherer-societies/


LOLBAS and LOLBIN what exactly is it?


Living Off The Land Binaries And Scripts (LOLBAS) makes reference to any executable that is native to the operating system (OS) ,this includes scripts, softwares and libraries. LOLBAS attacks are often classified as fileless attacks because they don't necessarily require the adversary to place any additional files (executables, payloads, or artifacts) on the target.


LOLBIN Project


The phrase "Living off the land" was coined by Christopher Campbell & Matt Graeber at DerbyCon 3. The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.


How do LOLBAS Attacks Work?

Living Off The Land attacks, as the term implies, is an attack that is carried out only using the operating system’s built-in tools; what is sometimes referred to as “Out-of-the-box” functionalities.

https://frontporchne.com/article/tanzanias-hadza-say-think-youre-lost/


The Connection

Just like the Hadza’s hunter-gatherers hunt down their prey armed with bows and arrows made exclusively of natural materials that are found in their environment; In the same way adversaries set out to exploit compromised systems by leveraging everything they can from their environments.

Why are LOLBAS attacks so effective?


Many “Living off the land” attacks are possible mainly because some native Windows tools are signed with trusted digital certificates. We can say that these certificates serve as proof of integrity and authenticity to application whitelisting tools.


Since "Living off the land" attacks don’t install malicious software, it is challenging for typical Application Controls systems to detect. In a sense,this makes it more difficult to tackle than other variants, because the executable being run is not one installed by the adversary.


Doesn’t this remind you of the Hadza’s Defense Evasion tactic we mentioned above?


Exploiting trust relationships

The effectiveness of LOLBAS attacks depends primarily on how skillful the adversary is at exploiting the trust relationship that exists between built-in tools and the operating system.


Can we just block these built-in tools?


You may ask, “Why don't we simply uninstall these tools then?” Well, quite frankly, it is more complicated than that. You see, some of these tools are administrative tools like PowerShell, cmd.exe, SysInternals etc. and without the system administrators simply would not be able to do their job effectively.

Let’s take a look at two examples of LOLBAS attacks.


Rundll32.exe & MSBuild


Rundll32.exe

  • Is a process which executes dynamic-link library (DLL)

  • A DLL is a module that contains functions and data that can be used by another module.