LOLBins Demo: The Quieter Way

At the forefront of the cybersecurity scene lately is a cat-and-mouse game between red and blue teamers, where attackers build new tools, defenders develop EDR signatures to stop them, etc. Long gone are the days when red teamers could use loud payloads, such as msfvenom-generated executables, and remain undetected. They need to keep a low profile and get quieter to blend in with legitimate network traffic.

 

One ideal way to stay quiet is to use native binaries from within the operating system, aka LOLBins (Living Off The Land Binaries) to perform attacks. These binaries are normally considered trusted and signed by well-known vendors. But red teamers can leverage some of their additional functionalities beyond their intended use. Sometimes they can even carry out attacks without escalating privileges to an administrator level.

 

Below, I provide a demo to illustrate the importance of LOLBins for both red and blue teamers.

 

 

Hands-On Demo

The binaries that we will demo meet the following requirements:

 

  • LOLBins that allow attackers downloading/writing to disk/executing permissions
  • Less known to the public
  • Pre-installed in Windows
  • Require ordinary user permissions

 

Here are the steps that I followed to achieve indirect command execution, reconnaissance and defense evasion before compiling the Windows binaries.

 

Indirect Command Execution

I use conhost to run a recon command, ipconfig, saving its output to a text file (conhost ipconfig > ipconfig.txt).

 

For context, conhost.exe is a native Windows binary that red teamers can use for indirect command execution, as it allows someone to run another executable. Thanks to this functionality, red teamers might manage to evade defensive countermeasures. In fact, if the target system is protected by a security policy blocking the direct execution of binaries considered to be potentially dangerous (e.g., PowerShell). Running the same executables indirectly could lead to circumventing this obstacle.

 

Analyzing the output file (shown below), you will see that the system supports two network adapters. This information could come in handy at a later stage of the attack chain to perform lateral movements.

 

Image
LOLBins_img1.png

Figure 1: Output file showing two network adapters

 

I use wt.exe to run Calculator (calc.exe).

 

Windows Terminal (wt.exe) is a signed binary often available by default in Windows. Like conhost.exe, this binary can be used for indirect command execution and allows someone to run another executable.

 

Image
LOLBins_img2.jpg

Figure 2: Running Calculator

 

Reconnaissance

Windows Problem Steps Recorder (PSR) can record screens and clicks for troubleshooting purposes. It can also record the target machine’s screen without generating a GUI, allowing one to gain recon on the target user’s environment.

 

As shown in the screenshot below, the command, C:Users\User>psr.exe /start /output C:test.zip /sc 1 /gui 0, starts an invisible screen capture, indicating the path to an output file.

 

The C:Users\User>psr.exe /stop command stops the screen capture and generates the output file in the specified directory.

 

Image
LOLBins_img3.png

Figure 3: PSR start and stop commands

 

Opening the zipped output file shown below reveals an HTML file recording of all the steps performed.

 

Image
LOLBins_img4.jpg

Figure 4: Locating the recording

 

Defense Evasion

The command, C: \Users\User>CustomShellHost.exe, spawns an instance of File Explorer (previously known as Windows Explorer) on the target machine. This functionality can be useful to evade restricted environments, such as when File Explorer is disabled in kiosk mode.

 

Image
LOLBins_img6.jpg

Figure 5: Spawning File Explorer

 

Compiling Windows Binaries

The MSBUILD.exe command allows for the compiling of a Windows binary without using Visual Studio. Using this command, adversaries can compile malicious executables directly on the target machine.

 

As shown in the screenshot below, I leverage pshell.xml, available on GitHub, in combination with MSBUILD.exe to compile and spawn a PowerShell shell without directly running powershell.exe.

 

Image
LOLBins_img5.jpg

Figure 6: Spawning a PowerShell prompt

 

 

Conclusions

Native operating system binaries are important for both red and blue teamers. They help red teamers to better achieve their goals by keeping a low profile. Defenders can document and study the LOLBins present in their environment to better prevent and thwart attacks.

 

The security community is documenting and tracking new LOLBins with the LOLBAS project. This project documents both the discovered offensive capabilities and the related TTPs (Tactics, Techniques and Procedures) included in the MITRE ATT&CK framework.

 

Optiv can help organizations assess their monitoring capabilities and their security gaps through an offering including red and purple teaming engagement, security assessments, tabletop exercises and more. Learn about our capabilities here.

Mattia Campagnano
Consultant II | Optiv
Mattia Campagnano has over 16 years of experience in penetration testing and tech support environments. His experience ranges from small businesses to Fortune 500 corporations in a multitude of industries (healthcare, financial services, local/State government, software development, IT, etc.). His areas of expertise include red teaming/adversarial simulations, network penetration testing, web application penetration testing, spear phishing, vishing, vulnerability management, wireless and mobile application penetration testing assessments.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.