There is increased discussion around threats that adopt so called “living off the land” tactics. Attackers are increasingly making use of tools already installed on targeted computers or are running simple scripts and shellcode directly in memory. Creating fewer new files on the hard disk, or being completely fileless, means less chance of being detected by traditional security tools and therefore minimizes the risk of an attack being blocked. Using simple and clean dual-use tools allows the attacker to hide in plain sight among legitimate system administration work.

[click_to_tweet:1]

Living off the land tactics are increasingly being adopted by cyber criminals and are used in almost every targeted attack.

There are four main categories which fall under the umbrella of living off the land:

Dual-use tools, such as PsExec, which are used by the attacker

Memory only threats, such as the Code Red worm

Fileless persistence, such as VBS in the registry

Non-PE file attacks, such as Office documents with macros or scripts

We also see slight variations on these tactics, such as using BITSAdmin in macros to download a malicious payload, or hiding a PowerShell script which is triggered through an SCT file referenced in a registry run key. In some cases, stolen data is then exfiltrated through legitimate cloud services, hiding the event in normal traffic patterns.



Figure 1. Typical living off the land attack chain

Case study: June 27 Petya outbreak

The Ransom.Petya outbreak, which hit organizations in the Ukraine and many other countries on June 27, is a good example of an attack using living off the land tactics.

The ransomware exhibited some wiper characteristics and immediately gained the attention of both security experts and the media as it was, among other propagation methods, exploiting the SMB EternalBlue vulnerability just like the headline grabbing WannaCry (Ransom.WannaCry) did one month earlier. The threat made use of a clever supply chain attack as its initial infection vector by compromising the update process of a widely used accounting software program.

Petya also makes heavy use of system commands during the infection process. Once executed, Petya drops a recompiled version of LSADump from Mimikatz in a 32-bit and 64-bit variant, which is used to dump credentials from Windows memory. The account credentials are then used to copy the threat to the Admin$ share of any computers the threat finds on the network. Once the threat accesses a remote system it will execute itself remotely using a dropped instance of PsExec.exe and the Windows Management Instrumentation (WMI) command line tool wmic.exe:

wmic.exe /node:[IP Address] /user:[USERNAME] /password:[PASSWORD] process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60”

In order to hide its tracks on the compromised computer the threat deletes various system logs by using the wevtutil and fsutil commands:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

Petya then creates a scheduled task so that the computer restarts into the modified MBR and performs the final encryption task:

schtasks /RU "SYSTEM" /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42

This case is a classic example of system tools being used during an attack. Many system administrators are now looking into disabling remote PsExec execution or restricting WMI access in order to defend against the same attack pattern in the future.

Malware using WMI is not a new occurrence. Last year we observed an average of two percent of analyzed malware samples making use of WMI for nefarious purposes, and the upward trend is clearly continuing.



Figure 2. Percentage of malware using WMI

System tools used for reconnaissance

Besides being used for lateral movement, it is also very common for targeted attack groups to use system tools for reconnaissance. Out of 10 targeted attack groups that we looked at, all of them made use of system tools to explore compromised environments.

Group name Reconnaissance Credential harvesting Tick whoami, procdump, VBS WCE, Mimikatz, gsecdump Waterbug systeminfo, net, tasklist, gpresult WCE, pwdump Suckfly tcpscan, smbscan WCE, gsecdump, credentialdumper Fritillary PowerShell, sdelete Mimikatz, PowerShell Destroyer Disk usage, event log viewer kerberos manipulator Chafer network scanner, SMB bruteforcer WCE, Mimikatz, gsecdump Greenbug Broutlook WCE, gsecdump, browdump Buckeye os info, user info, smb enumerator pwdump, Lazagne, chromedump Billbug ver, net, gpresult, systeminfo, ipconfig - Appleworm net, netsh, query, telnet, find dumping SAM

Table. The 10 attacks groups Symantec looked at and the system tools they used

[click_to_tweet:2]

Mitigation

Preventing infection in the first place is by far the best strategy. Since email and infected websites are still the most common infection vectors for malware, adopting a robust defense against both of these will help reduce the risk of infection. In addition, best practices for segregation of networks, extensive logging including system tools, and a least privileges approach should be assessed for larger networks.

Symantec has various protection features in place in the network and on the endpoint to protect against fileless threats and living off the land attacks. For example, our memory exploit mitigation (MEM) techniques can proactively block remote code execution exploits (RCE), our heuristic based memory scanning can detect memory only threats, and Symantec’s behavior based detection engine SONAR can detect malicious usage of dual-use tools and block them.

For more details, read our white paper: Living off the land and fileless attack techniques