The document discusses defending against attacks that use legitimate operating system tools and binaries ("living off the land") through defense-in-depth strategies. It recommends: 1) application whitelisting policies for high-risk binaries, 2) blocking child processes for those binaries, and 3) restrictive firewall policies. It also provides an overview of exploit protection techniques and tips for maintaining system visibility and inventory records.

1. DEFENDING AGAINST THE
DARK ARTS OF LOLBINS
Brent Muir - 2020

2. 1. LOLBINS / LOLBAS
2. LOLBINS in recent Campaigns
3. Ingress
4. External Threat Vectors
5. Defence-in-depth
i. Application Whitelisting (AppLocker)
ii. Exploit Guard
iii. Host-based Firewall
OVERVIEW

3. BIOGRAPHY
 Working in the Cyber Security field for 10+ years, conducting investigations, incident response, etc.
 Currently global head of Digital Forensics & Incident Response (DFIR) for Standard Chartered Bank
 Malware, hacking, DDoS, etc.
 Worked in Australian policing agency conducting digital forensic investigations
 Fraud, Drugs, Homicide, etc.
 Worked in Australia’s largest financial regulator (ASIC), leading the national forensic investigation team
 Fraud, insider trading, crypto currencies, darkweb/darknet OSINT, etc.
 Master IT Security, Queensland University of Technology
 Bachelor Justice Studies (Criminology) with Honours, Queensland University of Technology
 President of High Technology Crime Investigation Association (Australian Chapter)

4. LOLBINS / LOLBAS - Living Off the Land BINaries And Scripts
A LOLBin/Lib/Script must:
 Be a Microsoft-signed file, either native to the OS or downloaded from
Microsoft.
 Have extra "unexpected" functionality. It is not interesting to document
intended use cases.
 Exceptions are application whitelisting bypasses
 Have functionality that would be useful to an APT or red team
High-Risk Binary:
 Microsoft-signed file, either native to the OS or downloaded from
Microsoft.
 (Ab)used as part of an attack path.

5. LOLBINS in Recent Campaigns

6. LOLBINS in Recent Campaigns
ESET – Operation Interception - 2020

7. LOLBINS in Recent Campaigns
Carbon Black - New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data

8. LOLBINS in Recent Campaigns
Microsoft - Latest Astaroth living-off-the-land attacks are even more invisible but not less observable - 2020

9. Ingress - “The act of entering something”

10. Ingress - “The act of entering something”

11. External Threat Vectors
text
Vector Sub-vector Protective Controls Detective Controls
Internet Drive-by downloads • Web proxy
• Domain reputation
• IPS
• Isolated/sandboxed
browser
• proxy alerts when blacklisted
domain attempts
• DNS logs
• IOC hits (retro hunt)
• IDS
Internet Public infrastructure /
Websites / Brute
force / Password
spraying
• Patch management
• WAF
• MFA
• Firewall
• WAF alerting
• Vulnerability scans
• Excessive failed logins
• Events (MFA, FW, etc.)
Email Malicious
attachments
• Email sec gateway (AV,
sandboxing, link/domain
reputation)
• Macro blocking
• Child-process blocking
• Email logs
• Event logs
Email Phishing links • Email sec gateway
• Link/domain reputation
• Email logs
Peripheral devices HID • GPO HW installation
blocking
• Event logs
Peripheral devices Storage Media (USB,
Optical, etc.)
• GPO blocking
• AV scanning
• Event logs

12. Defence-in-depth
Layered Security Controls:
1. Application Whitelisting (AppLocker)
2. Exploit Guard
3. Host-based Firewall

13. Application Whitelisting (AppLocker)
Rule coverage includes:
 Executables
 DLLs
 Microsoft Installers
 Scripts (e.g. batch, PowerShell, VBscript, JavaScript)
 Packaged Apps (Windows Store Apps)

14. Application Whitelisting (AppLocker)

15. Application Whitelisting (AppLocker)

16. Application Whitelisting (AppLocker)
C:WindowsWinSxS
PowerShell:
 C:WindowsSysWOW64WindowsPowerShellv1.0
 C:WindowsWinSxSamd64_microsoft-windows-powershell-
exe_31bf3856ad364e35_10.0.18362.1_none_3b736eaf7f6b1264

17. Application Whitelisting (AppLocker)
AppLocker Recommendations:
1. Build policies per-LOLBIN binary (Publisher-based)
2. Restrict high-risk binaries to users/groups who require functionality
If binaries are not signed:
1. Request the software publisher sign their files (it’s 2020 after all!)

18. Exploit Guard

19. Exploit Guard
Code Integrity Guard
 Ensures that all binaries loaded into a process are digitally signed by Microsoft.
Arbitrary Code Guard
 Helps protect against a malicious attacker loading the code of their choice into memory
through a memory safety vulnerability and being able to execute that code.
Block Low Integrity Images
 Prevents the application from loading files which are untrusted, typically because they have
been downloaded from the internet from a sandboxed browser.
Do Not Allow Child Processes
 Blocks binaries from launching child processes.
Disable Win32k system calls
 This mitigation prevents calls into win32k.sys by blocking a thread from converting itself into a
GUI thread – this will kill any GUI application, so be careful with this option.

20. Exploit Guard
Pros:
 Can be configured in audit-only mode for additional visibility, without the
blocking capability
Cons:
 when not configured in System settings, needs to be configured per-binary
name (which is ineffective, as binaries can be renamed)
Suggestion:
 Look at high-risk binaries and develop additional hardening polices (either
blocking or audit-only)
 Ingest relevant logs
 Create use-cases for notable events

21. Exploit Guard

22. Exploit Guard
ExploitGuard Recommendations:
1. Build policies per-LOLBIN binary
2. Block the ability to create child processes for high-risk binaries

23. Host-based Firewall

24. Host-based Firewall
Firewall Recommendations:
1. Deny all outbound traffic, without a specific rule
2. Deny all inbound traffic, without a specific rule
3. Build rules per-binary (IP, port, protocol)
4. Onboard logs when firewall rules are created/deleted

25. Helpful Tips
1. Remove unnecessary components of your operating
environments
2. Configure security controls granularly
 per-business/user requirements
3. Ensure visibility into endpoints and network
4. Maintain accurate inventory records (HW, SW, etc.)

27. References
1. Windows - https://lolbas-project.github.io/
2. UNIX - https://gtfobins.github.io/
3. https://securityintelligence.com/news/cybersecurity-attacks-legitimate-services/
4. https://twitter.com/mohammadaskar2/status/1301263551638761477?s=19
5. https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/determine-the-actual-size-of-the-winsxs-folder
6. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection?ocid=cx-
blog-mmpc
7. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/exploit-protection-reference
8. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2020/08/06094905/Kaspersky_Incident-Response-
Analyst_2020.pdf
9. https://github.com/LOLBAS-Project/LOLBAS#criteria
10. https://github.com/eset/malware-ioc/tree/master/interception
11. https://www.carbonblack.com/blog/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-
scraping-credit-card-data/
12. https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
13. https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-
not-less-observable/

28. text