What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Aug 17, 2022
Increase in Observations of Socgholish Malware
THE THREAT Starting in early August 2022 and continuing through the month, eSentire identified a significant increase in Socgholish (aka. FakeUpdates) malware incidents. Socgholish is a loader type…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 1500+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Sep 20, 2022
eSentire Recognized as Top Global MDR Provider by MSSP Alert, CrowdStrike and G2
Waterloo, ON - September 21, 2022 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), celebrated multiple industry recognitions as the leading global MDR provider, over the last week: Named #9, and the top pure play MDR provider on MSSP Alert’s Top 250 MSSPs global rankingRecognized as the CrowdStrike 2022 Global MSSP Partner of the Year Earned G2’s industry-renowned status…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — Jul 11, 2018

Living off the land: the command and control phase

5 minutes read
Speak With A Security Expert Now

This is the fifth and final blog post in the Living Off the Land blog series. In this edition, the focus is on how adversaries may leverage Living off the Land tools to create Command and Control (C2) communication after successfully completing the previous phases of the Cyber Kill Chain.

Executive Summary

Command and control is the second to final stage of the Cyber Kill Chain, enabling the adversary to complete their actions and objectives. In order to establish command and control communications, both penetration testers and adversaries have exploited Living Off the Land techniques in the past. Scripting languages such as PowerShell and Windows Management Interface (WMI) have been exploited to enable C2, as has remote access software. Frameworks exist for the express purpose of creating C2 communication via Living Off the Land Tools. Defenders need to be aware that remote access software and scripting software is all that is required to establish command and control in the enterprise. These tactics are discussed in greater detail below, along with mitigation steps.

Background

There are various options adversaries can employ to establish communication using Living off the Land techniques. Common methods seen across the eSentire threat detection surface include PowerShell and Windows Management Interface (WMI). Other methods observed in the wild utilize remote access software and anti-theft applications.

There have been cases where common enterprise applications have been used to control and execute software on compromised hosts. In one particular case, TeamViewer was used to remotely deliver and execute commands against company assets, leading to the compromise of a CCleaner version. The compromised versions were downloaded by 2.3 million users before the issue was fully resolved [1].

In early May 2018, researchers identified a threat actor exploiting older versions of Absolute LoJack to establish successful C2 communication [2]. Absolute LoJack is a legitimate anti-theft solution used by organizations to track and remotely wipe stolen assets. The adversaries in this case were able to modify a LoJack agent to point to a rouge C2 server that mimics the LoJack communication protocols. By utilizing LoJack to maintain communication with the rouge server, the adversaries were able to perform malicious tasks to obtain their objectives.

The versatility of PowerShell and WMI have been noted in previous blog entries in this series; various frameworks using these languages have been created that reduce the difficulty in establishing Command and Control. One such tool is PoshC2. PoshC2 is an open source Command and Control framework that is written entirely in PowerShell [3]. It was designed for the benefit of penetration testers to establish communication after successful exploitation.

Additional Information

In order to demonstrate the use of Living off the Land tools for establishing Command and Control, the following section demonstrates the PoshC2 framework. This framework allows adversaries and pen-testers the ability to establish encrypted communication. PoshC2 was chosen to demonstrate as it has a high number of built in modules, receives frequent updates and is relatively simple to use. Figures 1-7 illustrate how potential attacks may unfold.

The server configuration settings and options for PoshC2 are shown in figure 1. The tool can be used internally on a compromised environment or externally on infrastructure owned by the adversary since it is built entirely from PowerShell. When used internally, PoshC2 can funnel traffic from multiple compromised assets through one IP address. This can minimize the chances of discovery when only monitoring egress traffic.

Figure 1: Configured C2 Server

Figure 2: Server Generated Payloads

After setting up the PoshC2 server, preconfigured payloads are automatically generated (Figure 2). The adversary can select from 23 different payloads. After selecting a payload, the attacker can easily distribute it to additional hosts. In this circumstance, the payload.bat file was selected and remotely executed on the victim machine (Figure 3). In the Delivery and Installation issue of this blog series, a similar example was shown in which WMI was used to deliver a malicious .bat file.

Figure 3: Executed .bat File


Figure 4: Connected Devices

The above image shows the list of hosts currently connected to the PoshC2 server.

PoshC2 includes a wide variety PowerShell commands that can be utilized on the controlled assets, including some commands previously mentioned in this blog series during the Reconnaissance phase [4]. In figures 5 and 6 the PoshC2 server sends commands to the infected agents to achieve additional objectives.

Figure 5: Get-RecentFiles Command Result

The Get-RecentFiles command brings up a list of recently accessed files on the machine. This allows adversaries to quickly identify potential files of interest.

Figure 6: Get-Screenshot Command Result

The Get-Screenshot command allows adversaries to take live screen captures of the victims’ machines. Obtaining screen shots could allow adversaries to obtain sensitive information displayed on the screen.

Figure 7: Remote Code Execution via C2

In figure 7, the adversary used the PoshC2 framework to launch an executable. In this case, calc.exe was launched on the affected asset. From the attacker’s perspective, this functionality opens a near limitless set of options for new attacks across the network.

PoshC2 is blocked by Windows Defender by default in Windows 10, but the framework can be easily modified to evade detection.

Mitigation Strategies

Knowing the potential threats that exist pertaining to Living Off the Land tools allows defenders to tailor aspects of security to best protect against these attacks. Each previous blog post in this series has a tailored set of recommendations for defending against the use of Living Off the Land tools in the various Kill Chain stages. Below is a list of recommended steps for reducing the likelihood of an adversary successfully establishing Command and Control.

Conclusion

Penetration testers and adversaries have incorporated multiple living off the land techniques in established command and control communication. Whether through scripting languages like PowerShell, or compromising remote access software, communications can be established. Over the years, tools and frameworks have been developed to leverage Living Off the Land software as demonstrated by the PoshC2 framework. The detection of Living Off the Land tools is difficult, but by combining both network and endpoint monitoring, it is possible to identify unusual command and control activity.

This blog series has outlined the use of Living Off the Land tools for reconnaissance, weaponization, delivery and installation, exploitation and the command and control phases. Combining the kill chain phases can allow adversaries to achieve their objectives. Employing the use of Living off the Land techniques by adversaries can increase the difficulty for incident responders to detect. Performing the recommendations included in this blog series can help to mitigate, stop or quickly respond to threats relying on Living off the land tools.

Previous Blogs in this Series

Living Off the Land – The Reconnaissance Phase

Living Off the Land – The Weaponization Phase

Living Off the Land – The Delivery & Installation Phases

Living Off the Land – The Exploitation Phase


Sources

[1] https://thehackernews.com/2018/04/ccleaner-malware-attack.html

[2]https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

[3] https://github.com/nettitude/PoshC2

[4] https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase/

Join 100,000+ Security Leaders

Get notified of the latest news, intel and helpful tools & assets. You can unsubscribe anytime.

By clicking the button below I confirm that I have read and agree to the eSentire privacy policy.

View Most Recent Blogs
Red Team
Red Team Penetration Testing Team