Journey through Cybersecurity: Malware based on system components?

"Living off the Land" method and LOLBins in Windows

I have no idea why, but sometimes acronyms in English are so interesting to me that they draw me deeper...

In the previous post, I summarized my Windows Security review, mainly focusing on learning and reviewing PowerShell... and a few others. In the process, I came across the netsh.exe utility. Curiosity led me to find terms such as LotL and LOLBin. This is where the topic starts to get more complex.

The term "LotL" itself is interesting to me, hence the graphic.

Let's get to the point!

What is LotL?

Living Off the Land is a cybersecurity attack technique that uses tools and features built into the victim's operating system.

Attackers use these "natural resources" of the system to launch attacks or maintain access to a compromised system, often acting undetected.

The term itself has been around for almost 30 years, but in recent years this technique has been used more and more often.

Phenomenal, yet simple and effective

There are over 100 Windows system tools that cybercriminals can abuse for LotL. Therefore, everyone should at least know about this threat, and no one should underestimate it!

The method relies on surprising simplicity: because it is built on tools already present in the system, it is extremely effective at hiding from antivirus software - the malware runs commands built into the system rather than bringing its own executables!

What is LOLBAS/LOLBIN?

LOLBAS (Living Off The Land Binaries, Scripts, and Libraries) refers to non-malicious scripts, binaries, and libraries that adversaries use to perform malicious activities. These files are components of Microsoft solutions and are often signed by Microsoft.

What is netsh?

Netsh.exe is a scripting tool whose commands are executed from the Windows command console (cmd.exe). This program allows you to view or modify your computer's network settings, both locally and remotely.

Netsh.exe also allows you to execute a group of commands in batch mode, and it can save the current configuration as a script in a text file.

rem Save the network interface configuration to the file c:\export.txt
netsh -c interface dump > c:\export.txt
rem Set a static IP address of 192.168.0.3 with mask 255.255.255.0 on the "wlan" interface
netsh interface ip set address name="wlan" source=static addr=192.168.0.3 mask=255.255.255.0
rem Set the default gateway of "wlan" to 192.168.0.2 with a gateway metric of 0
netsh interface ip set address name="wlan" gateway=192.168.0.2 gwmetric=0
rem Set a static DNS server 62.108.171.33 on "wlan" and register it as primary
netsh interface ip set dns name="wlan" source=static addr=62.108.171.33 register=PRIMARY
rem Add a second DNS server 153.19.250.100 on "wlan" at index 2
netsh interface ip add dns name="wlan" addr=153.19.250.100 index=2
rem Set the static WINS address of "wlan" to none (disables WINS)
netsh interface ip set wins name="wlan" source=static addr=none

Netsh contexts - add functionality

When you use the "add helper" command, you register an extension (a helper DLL) with netsh that allows you to execute the additional commands defined in that DLL.
This can be used to extend netsh with new features that are not available in the standard installation.

Attention!
You need administrator rights to register the helper DLL; once registered, netsh loads it every time it runs.

netsh add helper c:\extra_functionality.dll

https://attack.mitre.org/techniques/T1546/007/

https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll

https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts

Malicious library configuration

Knowing how netsh works, we can write the code and compile it into a Dynamic Link Library. I do not describe how to do that because I don't know the C family of languages, so I refer you to further materials (on GitHub) that I found and that can be used.

https://github.com/gtworek/PSBits/tree/master/NetShRun

https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/persistence/t1546-event-triggered-execution/netsh-helper-dll

Demo:
https://www.linkedin.com/posts/grzegorztworek_lolbin-activity-7078740990542454784--ZK0/
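As an added example (not code from this post or from the linked repositories), here is a read-only PowerShell audit of the helpers that netsh will load, the defender's side of the "add helper" registration and the compiled DLL described above. It assumes netsh keeps its helper list as string values under HKLM\SOFTWARE\Microsoft\NetSh (the registry key named in the MITRE T1546.007 entry linked above) and that a helper added with "netsh add helper <path>" is stored with the path given on the command line; the function name Get-NetshHelperFinding is hypothetical.

```powershell
# Added example: list every netsh helper DLL registered on this machine and flag
# the ones that do not live in System32 or do not carry a valid Microsoft signature.
# Assumption: helpers are string values under HKLM\SOFTWARE\Microsoft\NetSh
# (value name = helper name, value data = DLL file name or full path).
# Read-only: nothing here changes the registry or the helper list.

$NetshKey = 'HKLM:\SOFTWARE\Microsoft\NetSh'
$System32 = Join-Path $env:SystemRoot 'System32'

function Get-NetshHelperFinding {
    $props = Get-ItemProperty -Path $NetshKey
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSParentPath, PSChildName, ...)
        if ($p.Name -like 'PS*') { continue }

        $raw = [string]$p.Value
        # Built-in helpers are stored as bare file names and resolved from System32;
        # "netsh add helper <path>" stores whatever path was typed, so anchor it and
        # normalise it (GetFullPath collapses tricks such as "System32\..\evil.dll").
        $path = if ([System.IO.Path]::IsPathRooted($raw)) { $raw } else { Join-Path $System32 $raw }
        $path = [System.IO.Path]::GetFullPath($path)

        $exists   = Test-Path -LiteralPath $path
        $sig      = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $inSys32  = $path.StartsWith($System32, [System.StringComparison]::OrdinalIgnoreCase)
        # Heuristic: a valid Authenticode (or catalog) signature whose signer subject names Microsoft.
        $msSigned = $exists -and ($sig.Status -eq 'Valid') -and
                    ($sig.SignerCertificate.Subject -like '*Microsoft*')

        [pscustomobject]@{
            Helper     = $p.Name
            Path       = $path
            Exists     = $exists
            InSystem32 = $inSys32
            Signature  = if ($exists) { $sig.Status } else { 'FileMissing' }
            Suspicious = (-not $inSys32) -or (-not $msSigned)
        }
    }
}

Get-NetshHelperFinding | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A helper that shows Suspicious = True is worth a closer look (where it came from, who registered it, and what else that account did), because netsh will load it on every run, including runs started by scheduled tasks and other software.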

Summary

I found it fascinating that over 100 Windows system tools can be manipulated for malicious purposes, which emphasizes the critical need for awareness and vigilance among users. My aim is to foster awareness and encourage further learning, pointing readers towards resources for a deeper understanding of these sophisticated attacks and of the defense strategies against them.