LOLBins Demo: The Quieter Way

August 25, 2023

At the forefront of the cybersecurity scene lately is a cat-and-mouse game between red and blue teamers, where attackers build new tools, defenders develop EDR signatures to stop them, and so on. Long gone are the days when red teamers could use loud payloads, such as msfvenom-generated executables, and remain undetected. They need to keep a low profile and get quieter to blend in with legitimate network traffic.

One ideal way to stay quiet is to use native binaries from within the operating system, aka LOLBins (Living Off The Land Binaries), to perform attacks. These binaries are normally considered trusted and are signed by well-known vendors, but red teamers can leverage some of their additional functionality beyond their intended use. Sometimes they can even carry out attacks without escalating privileges to an administrator level.

Below, I provide a demo to illustrate the importance of LOLBins for both red and blue teamers.

Hands-On Demo

The binaries that we will demo meet the following requirements:

- LOLBins that give attackers download, write-to-disk or execution capabilities
- Less known to the public
- Pre-installed in Windows
- Require ordinary user permissions

Here are the steps that I followed to achieve indirect command execution, reconnaissance and defense evasion before compiling the Windows binaries.

Indirect Command Execution

I use conhost to run a recon command, ipconfig, saving its output to a text file (conhost ipconfig > ipconfig.txt).

For context, conhost.exe is a native Windows binary that red teamers can use for indirect command execution, as it allows someone to run another executable. Thanks to this functionality, red teamers might manage to evade defensive countermeasures. In fact, if the target system is protected by a security policy blocking the direct execution of binaries considered potentially dangerous (e.g., PowerShell), running the same executables indirectly could circumvent this obstacle.

Analyzing the output file (shown below), you will see that the system supports two network adapters. This information could come in handy at a later stage of the attack chain to perform lateral movement.

Figure 1: Output file showing two network adapters

I use wt.exe to run Calculator (calc.exe). Windows Terminal (wt.exe) is a signed binary often available by default in Windows. Like conhost.exe, this binary can be used for indirect command execution and allows someone to run another executable.

Figure 2: Running Calculator

Reconnaissance

Windows Problem Steps Recorder (PSR) can record screens and clicks for troubleshooting purposes. It can also record the target machine's screen without generating a GUI, allowing one to gain recon on the target user's environment.

As shown in the screenshot below, the command C:\Users\User>psr.exe /start /output C:\test.zip /sc 1 /gui 0 starts an invisible screen capture and specifies the path to an output file. The C:\Users\User>psr.exe /stop command stops the screen capture and generates the output file in the specified directory.

Figure 3: PSR start and stop commands

Opening the zipped output file shown below reveals an HTML file recording all the steps performed.

Figure 4: Locating the recording

Defense Evasion

The command C:\Users\User>CustomShellHost.exe spawns an instance of File Explorer (previously known as Windows Explorer) on the target machine. This functionality can be useful to evade restricted environments, such as when File Explorer is disabled in kiosk mode.

Figure 5: Spawning File Explorer

Compiling Windows Binaries

The MSBUILD.exe command allows a Windows binary to be compiled without using Visual Studio. Using this command, adversaries can compile malicious executables directly on the target machine.

As shown in the screenshot below, I leverage pshell.xml, available on GitHub, in combination with MSBUILD.exe to compile and spawn a PowerShell shell without directly running powershell.exe.

Figure 6: Spawning a PowerShell prompt

Conclusions

Native operating system binaries are important for both red and blue teamers. They help red teamers achieve their goals while keeping a low profile. Defenders can document and study the LOLBins present in their environment to better prevent and thwart attacks.

The security community is documenting and tracking new LOLBins with the LOLBAS project. This project documents both the discovered offensive capabilities and the related TTPs (Tactics, Techniques and Procedures) included in the MITRE ATT&CK framework.

Optiv can help organizations assess their monitoring capabilities and their security gaps through an offering including red and purple teaming engagements, security assessments, tabletop exercises and more.

By: Mattia Campagnano
Consultant II | Optiv

Mattia Campagnano has over 16 years of experience in penetration testing and tech support environments. His experience ranges from small businesses to Fortune 500 corporations in a multitude of industries (healthcare, financial services, local/State government, software development, IT, etc.). His areas of expertise include red teaming/adversarial simulations, network penetration testing, web application penetration testing, spear phishing, vishing, vulnerability management, wireless and mobile application penetration testing assessments.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
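Process-creation detection logic for the LOLBin usage demonstrated in this article, as an added example that is not part of the original post or Optiv's tooling. It assumes Sysmon-style Image, ParentImage and CommandLine fields; the rule names, allowlists and sample events are constructed for illustration.

```python
import ntpath
import re

# Assumed baselines (not from the article); tune both sets to your environment.
TERMINAL_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wsl.exe", "openconsole.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe"}

def exe(path):
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return the findings for one process-creation event."""
    image, parent = exe(event.get("Image")), exe(event.get("ParentImage"))
    cmdline = (event.get("CommandLine") or "").lower()
    findings = []
    # conhost.exe used as a launcher for another program
    if parent == "conhost.exe":
        findings.append("indirect-exec:conhost")
    # Windows Terminal starting something that is not a shell
    if parent in {"wt.exe", "windowsterminal.exe"} and image not in TERMINAL_SHELLS:
        findings.append("indirect-exec:wt")
    # Problem Steps Recorder started with its GUI suppressed
    if image == "psr.exe" and "/start" in cmdline and re.search(r"/gui\s+0\b", cmdline):
        findings.append("recon:psr-hidden-capture")
    # CustomShellHost.exe running at all, or acting as the parent of File Explorer
    if image == "customshellhost.exe" or (parent == "customshellhost.exe" and image == "explorer.exe"):
        findings.append("evasion:customshellhost")
    # MSBuild started outside a build tool (it can host PowerShell without powershell.exe)
    if image == "msbuild.exe" and parent not in BUILD_PARENTS:
        findings.append("compile:msbuild-outside-build")
    return findings

# Constructed sample events, not real telemetry.
SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    dict(Image=SYS + "ipconfig.exe", ParentImage=SYS + "conhost.exe", CommandLine="ipconfig"),
    dict(Image=SYS + "calc.exe", ParentImage="wt.exe", CommandLine="calc.exe"),
    dict(Image=SYS + "psr.exe", ParentImage=SYS + "cmd.exe", CommandLine=r"psr.exe /start /output C:\test.zip /sc 1 /gui 0"),
    dict(Image=r"C:\Windows\explorer.exe", ParentImage=SYS + "CustomShellHost.exe", CommandLine="explorer.exe"),
    dict(Image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", ParentImage=SYS + "cmd.exe", CommandLine="MSBuild.exe pshell.xml"),
    dict(Image=SYS + "WindowsPowerShell\\v1.0\\powershell.exe", ParentImage="WindowsTerminal.exe", CommandLine="powershell.exe"),
    dict(Image=r"C:\BuildTools\MSBuild.exe", ParentImage="devenv.exe", CommandLine="MSBuild.exe app.csproj"),
]

def scan(events):
    """Map the index of each flagged event to its findings."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}
```

The last two sample events are benign baselines (a shell inside Windows Terminal, MSBuild launched by Visual Studio) and produce no findings.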