The document discusses defending against attacks that use legitimate operating system tools and binaries ("living off the land") through defense-in-depth strategies. It recommends: 1) application whitelisting policies for high-risk binaries, 2) blocking child processes for those binaries, and 3) restrictive firewall policies. It also provides an overview of exploit protection techniques and tips for maintaining system visibility and inventory records.
2. OVERVIEW
   1. LOLBINS / LOLBAS
   2. LOLBINS in recent Campaigns
   3. Ingress
   4. External Threat Vectors
   5. Defence-in-depth
      i. Application Whitelisting (AppLocker)
      ii. Exploit Guard
      iii. Host-based Firewall
3. BIOGRAPHY
Working in the Cyber Security field for 10+ years, conducting investigations, incident response, etc.
Currently global head of Digital Forensics & Incident Response (DFIR) for Standard Chartered Bank
   Malware, hacking, DDoS, etc.
Worked in an Australian policing agency conducting digital forensic investigations
   Fraud, Drugs, Homicide, etc.
Worked in Australia’s largest financial regulator (ASIC), leading the national forensic investigation team
   Fraud, insider trading, cryptocurrencies, darkweb/darknet OSINT, etc.
Master of IT Security, Queensland University of Technology
Bachelor of Justice Studies (Criminology) with Honours, Queensland University of Technology
President of the High Technology Crime Investigation Association (Australian Chapter)
4. LOLBINS / LOLBAS - Living Off the Land BINaries And Scripts
A LOLBin/Lib/Script must:
   Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
   Have extra "unexpected" functionality. It is not interesting to document intended use cases.
      Exceptions are application whitelisting bypasses.
   Have functionality that would be useful to an APT or red team.
High-Risk Binary:
   Microsoft-signed file, either native to the OS or downloaded from Microsoft.
   (Ab)used as part of an attack path.
17. Application Whitelisting (AppLocker)
AppLocker Recommendations:
1. Build a publisher-based policy per LOLBin binary (a publisher rule keeps matching when the file is renamed or moved, unlike a path rule)
2. Restrict high-risk binaries to the users/groups who actually require their functionality
If binaries are not signed:
1. Request that the software publisher sign their files (it’s 2020 after all!)
19. Exploit Guard
Code Integrity Guard
   Ensures that all binaries loaded into a process are digitally signed by Microsoft.
Arbitrary Code Guard
   Helps protect against a malicious attacker loading the code of their choice into memory through a memory safety vulnerability and being able to execute that code.
Block Low Integrity Images
   Prevents the application from loading files which are untrusted, typically because they have been downloaded from the internet from a sandboxed browser.
Do Not Allow Child Processes
   Blocks binaries from launching child processes.
Disable Win32k system calls
   This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a GUI thread – this will kill any GUI application, so be careful with this option.
20. Exploit Guard
Pros:
   Can be configured in audit-only mode for additional visibility, without the blocking capability
Cons:
   When not configured in System settings, needs to be configured per binary name (which is ineffective on its own, as binaries can be renamed)
Suggestion:
   Look at high-risk binaries and develop additional hardening policies (either blocking or audit-only)
   Ingest the relevant logs
   Create use-cases for notable events
24. Host-based Firewall
Firewall Recommendations:
1. Deny all outbound traffic that is not covered by a specific allow rule
2. Deny all inbound traffic that is not covered by a specific allow rule
3. Build rules per-binary (IP, port, protocol)
4. Onboard logs when firewall rules are created/deleted
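The following is an added example, not a script from the deck or its author: one hardening pass for a single high-risk binary covering the AppLocker, Exploit Guard and host-firewall layers above, plus the firewall rule-change events to onboard. It assumes an elevated PowerShell session on Windows 10 1709+/Server 2019 with the AppLocker, ProcessMitigations and NetSecurity modules; the binary path, group name and remote address are placeholders, not a specific LOLBin or real destination.

```powershell
# Placeholders (assumed, not from the slides): substitute the real high-risk binary,
# the group that needs it, and the one destination it legitimately talks to.
$HighRiskBinary = 'C:\Windows\System32\PLACEHOLDER.exe'
$BinaryName     = Split-Path -Leaf $HighRiskBinary
$AllowedGroup   = 'CONTOSO\HighRiskBinaryUsers'
$RemoteHost     = '203.0.113.10'        # documentation range, constructed value
$AuditOnly      = $true                 # start in audit mode, flip to block once tuned

# --- Layer 1: AppLocker publisher rule scoped to the group that needs the binary ---
# Publisher rules match on the signer, so a renamed or relocated copy is still covered,
# which is the gap the per-name Exploit Guard entry below cannot close by itself.
Get-AppLockerFileInformation -Path $HighRiskBinary |
    New-AppLockerPolicy -RuleType Publisher -User $AllowedGroup -Xml |
    Out-File -Encoding utf8 "$env:TEMP\$BinaryName.applocker.xml"
# Review the generated XML, then merge it into the effective policy with
# Set-AppLockerPolicy -XmlPolicy "$env:TEMP\$BinaryName.applocker.xml" -Merge

# --- Layer 2: Exploit Guard "Do Not Allow Child Processes" for this binary name ---
# Audit mode logs would-be blocks without enforcing, matching the deck's "pros" point.
$Mitigation = if ($AuditOnly) { 'AuditChildProcess' } else { 'DisallowChildProcessCreation' }
Set-ProcessMitigation -Name $BinaryName -Enable $Mitigation
Get-ProcessMitigation -Name $BinaryName   # confirm the ChildProcess setting took effect

# --- Layer 3: host firewall, default-deny both directions, explicit per-binary rule ---
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 32767
# With default-deny in place, the per-binary rule is an allow scoped to program,
# remote address, port and protocol, nothing broader.
New-NetFirewallRule -DisplayName "Allow $BinaryName to $RemoteHost" -Direction Outbound `
    -Program $HighRiskBinary -RemoteAddress $RemoteHost -RemotePort 443 -Protocol TCP `
    -Action Allow -Profile Domain -Enabled True

# --- Visibility: firewall rule add/modify/delete events to ship to the SIEM ---
# Event IDs in the Firewall operational log: 2004 = rule added, 2005 = rule modified,
# 2006 = rule deleted. Unexpected 2004/2006 events outside change windows are a use-case.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id      = 2004, 2005, 2006
} -MaxEvents 20 | Format-Table TimeCreated, Id, Message -AutoSize
```

Run it first with $AuditOnly left at $true and review the Exploit Guard audit events and firewall log before switching the mitigation to enforcement.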
25. Helpful Tips
1. Remove unnecessary components of your operating environments
2. Configure security controls granularly, per business/user requirements
3. Ensure visibility into endpoints and network
4. Maintain accurate inventory records (HW, SW, etc.)