LOLBins Demo: The Quieter Way
At the forefront of the cybersecurity scene lately is a cat-and-mouse game between red and blue teamers, where attackers build new tools, defenders develop EDR signatures to stop them, etc. Long gone are the days when red teamers could use loud payloads, such as msfvenom-generated executables, and remain undetected. They need to keep a low profile and get quieter to blend in with legitimate network traffic.
One ideal way to stay quiet is to use native binaries from within the operating system, aka LOLBins (Living Off The Land Binaries) to perform attacks. These binaries are normally considered trusted and signed by well-known vendors. But red teamers can leverage some of their additional functionalities beyond their intended use. Sometimes they can even carry out attacks without escalating privileges to an administrator level.
Below, I provide a demo to illustrate the importance of LOLBins for both red and blue teamers.
The binaries that we will demo meet the following requirements:
Here are the steps I followed to achieve indirect command execution, reconnaissance and defense evasion, ending with compiling a Windows binary directly on the target.
I use conhost to run a recon command, ipconfig, saving its output to a text file (conhost ipconfig > ipconfig.txt).
For context, conhost.exe is a native Windows binary that red teamers can use for indirect command execution, as it allows someone to run another executable. Thanks to this functionality, red teamers might manage to evade defensive countermeasures. If the target system is protected by a security policy that blocks the direct execution of binaries considered potentially dangerous (e.g., PowerShell), running the same executables indirectly through conhost.exe could circumvent that control.
Analyzing the output file (shown below), you will see that the system has two network adapters. This information could come in handy at a later stage of the attack chain, for example during lateral movement.
I use wt.exe to run Calculator (calc.exe).
Windows Terminal (wt.exe) is a signed binary often available by default in Windows. Like conhost.exe, this binary can be used for indirect command execution and allows someone to run another executable.
Windows Problem Steps Recorder (PSR) records screens and clicks for troubleshooting purposes. It can also record the target machine's screen without showing a GUI, allowing reconnaissance of the target user's environment.
As shown in the screenshot below, the command C:\Users\User>psr.exe /start /output C:\test.zip /sc 1 /gui 0 starts an invisible screen capture, with the path to an output file.
The C:\Users\User>psr.exe /stop command stops the screen capture and generates the output file in the specified directory.
Opening the zipped output file shown below reveals an HTML file recording of all the steps performed.
The command C:\Users\User>CustomShellHost.exe spawns an instance of File Explorer (previously known as Windows Explorer) on the target machine. This functionality can be useful to evade restricted environments, such as when File Explorer is disabled in kiosk mode.
MSBUILD.exe compiles a Windows binary without Visual Studio being installed. Using it, adversaries can compile malicious executables directly on the target machine.
As shown in the screenshot below, I leverage pshell.xml, available on GitHub, in combination with MSBUILD.exe to compile and spawn a PowerShell shell without directly running powershell.exe.
Native operating system binaries are important for both red and blue teamers. They help red teamers to better achieve their goals by keeping a low profile. Defenders can document and study the LOLBins present in their environment to better prevent and thwart attacks.
The security community is documenting and tracking new LOLBins with the LOLBAS project. This project documents both the discovered offensive capabilities and the related TTPs (Tactics, Techniques and Procedures) included in the MITRE ATT&CK framework.
Optiv can help organizations assess their monitoring capabilities and their security gaps through an offering including red and purple teaming engagement, security assessments, tabletop exercises and more. Learn about our capabilities here.
Optiv Security: Secure greatness.®
Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit www.optiv.com.
June 14, 2023