So today we'll try something a little bit different yet again. I've got David Brown with me. He just finished a pretty interesting, I think, research paper with STI. He is an STI graduate student and he wrote about preventing and detecting living off the land attacks, certainly a hot topic. So David, could you please introduce yourself?
Yeah, so my name is David Brown, happy to be with you here today. I just recently finished my last course with the SANS Technology Institute, so I'm on my way towards graduating. It's a very fulfilling program. I manage IT for a private foundation, so that's a little bit about my background.
Living off the land attacks. Ed Skoudis is always talking about this, and he mentioned it this year as part of the talk that we did at RSA. These are hard attacks to detect because you always have to deal with binaries that are actually normal and on the system. Can you tell us a little bit more about this?
Yeah, so living off the land attacks are growing and they're becoming more and more prevalent. Basically, attackers have figured out: why download malware to your machine when we can just directly use built-in Windows applications to advance the attack and to compromise your network? So attackers are getting smarter about this. They're basically saying, hey, you know, antivirus providers are not going to flag PowerShell as malicious, right? Or mshta. These built-in Windows tools, they're not going to flag them as malicious, so why don't we use these tools?

Some of the new behavioral-based antivirus, you know, like Windows Defender ATP, have gotten better at spotting some of these attacks, because they're not just looking at the underlying application but they're looking at how those applications are behaving. But this is still a very big deal, and we have a long way to go before we're totally secure against these living off the land attacks.
Yeah, so one tool that comes to mind here is bitsadmin. It's a valid tool that Windows needs to download updates, but the bad guys are also often using it to download malware, and that's of course hard.
I really took the time to look at how a defender, with these attacks that are becoming more and more prevalent, can detect them, and how we can differentiate between normal administrative use of the applications versus malicious use. Is there a way to separate them out, to allow the administrators and the underlying Windows operating system to use the tools, but then stop the attackers from using them, and also alert when the attackers try to use them? So that was kind of the goal of the research.
I think you've got a demo for us to actually show us how this works.

Right. So I have a virtual machine here, I'm just using VMware Fusion, but basically what I did on this virtual machine was I created three different users. One user is kind of what you'd call a regular user: there's no AppLocker, nothing, they're just a regular user based on how Windows kind of comes out of the box, and how they would be exposed to the various living off the land attacks.
There's another user who has the default AppLocker rules enabled. For those of you who aren't familiar, AppLocker is Microsoft's built-in application whitelisting tool. Basically, they have default rules that you can turn on which trust certain things and don't trust other things, but by default, as you would imagine, Microsoft's products that are in the Windows directory and the Program Files directory are trusted. This is the case with a lot of application whitelisting deployments, where Microsoft products will just be trusted, and thus the living off the land attacks are able to take place, because these tools are needed for administrators or needed for the operating system, and attackers know that.

So then the third user that I set up on this virtual machine is one where I turned on application whitelisting rules but made them user aware. Basically, it knows if the operating system or an administrator is trying to use this tool versus a regular user, and I kind of operate under the premise that the attacker is going to be attacking in the context of the regular user who's opening that attachment or browsing that website. If we can block that attack and alert that something is actually taking place, then the defender can be aware and also intervene.
So AppLocker understands who is using a tool but doesn't restrict what you're doing with the tool. So you have a yes/no kind of thing?

You got it. So based on who is using the tool it can make different decisions on what to do, and whether to generate alerts or whether to block it outright or whatnot.
So the first one I'll do is no AppLocker. This is the user who doesn't have AppLocker enabled, so let's go ahead and pop into this virtual machine.
So in my research paper, which I would encourage you to look up, it's called "Preventing Living off the Land Attacks", I go into a number of different attacks for living off the land. I could have used hundreds of different attacks; I narrowed it down to three primary categories in the paper. But the living off the land attack rules that I created in AppLocker are meant to cover a very wide range of living off the land attacks.
Let's go ahead and do just a simple attack here. One attack that we've seen out in the wild is when attackers will email or get someone to download an HTA file. HTA files run when you double-click on them; it executes a trusted Windows program in the background. This simple one here basically just launches PowerShell and begins pinging the internal host. An attacker wouldn't do that, but if you're in an environment you can imagine that if one of your users downloads an HTA file and executes it, then any PowerShell command can then run in the background. That's kind of what defenders want to protect against. So as the regular user with no AppLocker, when I launch it you can see that, no problem, that launched PowerShell; it's pinging the internal host.
So, a proof of concept here to see that you can execute code.

Yeah, and in my paper I go through some more malicious examples than just pinging the malicious host. I go through some privilege escalation examples and various things like that. Just for the purposes of this, this shows some simpler attacks.
When you turn on the default AppLocker rules... let's go ahead and log in as that user. So again, we're going to use that same exploit code, assuming that the user downloads or is emailed an HTA file. So again, with the default AppLocker rules in place, again no problem executing. The interesting thing about this is that the default AppLocker rules are supposed to stop unknown script execution, and you can see that I just executed a script through PowerShell that you would think should be blocked by the default rules, which say that they block unknown script execution, but we were able to bypass that by packaging the script into an HTA file.
So then if I go onto my user who has the living off the land rules that I created, which are user-aware rules designed to prevent living off the land attacks... All right, so here I am as the user who has the living off the land rules enabled, and I'm going to again just assume this file was downloaded from the Internet or emailed, and then the user tries to execute that application. So you can see in this instance the living off the land rules that I defined within AppLocker, since they're user aware, say, hey, a user is trying to execute mshta and we're going to block it. Not only does it block it, but then it generates a log entry, and if you're watching those logs or sending them off to Splunk or something like that, then you can generate alerts off of those logs. So the defender not only stopped the attack from happening but knows that a built-in Windows application was potentially misused. So that's kind of the design behind the research.
That's really cool. So it blocked the attack and alerted the administrator. Now, if this user had administrative privileges, could there still be something done? Does it work with runas, or does this assume that the user does not have administrative privileges?

Yeah, so the whole security behind this is basically trying to operate on the best practice that users do not log in and do their daily work as an administrator. If you are an administrator, then you could bypass all of these rules. Now, you could have AppLocker block these tools for administrators too, but a lot of these tools, like rundll32, PowerShell, a lot of these different tools, administrators use legitimately, and so you don't actually want to block those tools for an administrator. It would kind of undermine a lot of the functionality of Windows. So yeah, the design definitely hinges on logging in as a regular user and then elevating your permissions if you want to do something as an administrator.
Right. Now, does that mean privilege escalation attacks probably would be more difficult here, because they often require running some tool on the system?

Yeah, exactly. If you were trying to do a privilege escalation, getting your tool to run in the context of the regular user, that's what we're trying to stop. So if you're trying to use PowerShell, for example, to do a privilege escalation attack, well, PowerShell won't run as the regular user, so you can't get the privilege escalation, and then the defender is also alerted that that attack was prevented.
That's cool, I really like it, real nice work there. How long did it take you to put everything together to get it to work?

Oh goodness. So the rules took a very long time. It took a very long time to come up with all the rules, because if you pull up the LOLBAS project, or if you pull up the MITRE ATT&CK framework, there are hundreds of built-in Windows programs that attackers could use to try to bypass whitelisting, to install ransomware on the machine, to do privilege escalation. And so really I tried to design rules that would focus on all of the known attacks and basically make it so that the user could do anything that the user currently does, which is, you know, download whatever they want and open whatever attachment they receive, and try to protect the user from that living off the land attack while still letting the administrator and the Windows operating system do what it needs to do.
Nice. Do you run these rules currently in a production setup?

Yeah, absolutely. So I designed the rules and then tested them in multiple environments. I tested them in audit mode to see what kind of impact they would have on the regular users, and then I tested them deployed as well.

So this is nice, so you can run them in audit mode, so you just get the alerts, if you're a little bit worried that this guy David there doesn't really know what he's doing and blocks tools that you need in your environment.

Absolutely. So one of the coolest things about AppLocker is you can set the rules to audit only, and basically then you can see all the activity and all the alerts, to say, oh, users are running cmd.exe a lot, and you can kind of investigate: why are they running this a lot, is that legitimate in my environment, or is the program being abused? And so once you get comfortable, kind of fine-tuning the tools... and it's a balance, right? You have to balance how tightly am I going to secure the Microsoft binaries versus the functionality for the end user, and what kind of impact will that have on the user experience. And so audit allows you to strike that right balance.
Did you run into any sort of power users that caused false positives, that wrote their own little scripts and such to automate certain tasks?

Yeah, I didn't in the two environments that I was auditing, but I'm sure in larger environments you would run into all sorts of users who are trying to do neat little things with PowerShell or whatever, and you could allow PowerShell for that user if you wanted to, or you could just kind of say, hey, I know you love PowerShell, but sorry, we've got to take it away because it's being abused out in the wild quite extensively. So yeah, one other side note on that is, for their regular user you could take away PowerShell, and you could give them a second user that has permissions to run some of these tools, and they would just do a runas. That way, if they accidentally opened an attachment or downloaded something, like an HTA file or whatever, that tried to run a malicious script, it would be blocked, but then if they were doing their legitimate work they'd do a runas on the trusted scripts that they've written or something like that.
That is a good point. Now, I'm going to add the URLs for your paper and such. Where can people find the rules? Are they part of the paper, or do you have some references there?

Yeah, I put all the rules into the appendix of the paper, so you could go and implement those rules if you want, and start out in audit mode so that you can kind of see how it functions in your environment.

So start in audit mode. Thanks, thanks a lot for this demo, I really liked it, so great work there, and good talking to you.

Thanks, great, thank you.
So yeah, let me know what you think about these little videos. We used to have these STI student interviews at the end of the podcast, but with the YouTube and video format we're able to have these demos included. So let me know if you like it, and we hopefully will post more of these videos here to this channel, so just subscribe to it. Thanks and bye.
