Combine cutting-edge XDR technology, multi-signal threat intelligence and 24/7 Elite Threat Hunters to help you build a world-class security operation.
Our team delivers the fastest response time in the industry. Threat suppression within just 4 hours of being engaged.
Cyber risk and advisory programs that identify security gaps and build security strategies to address them.
XDR with machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Extend your team capabilities and prevent business disruption with expertise from eSentire.
Stop ransomware before it spreads.
Meet regulatory compliance mandates.
Detect and respond to zero-day exploits.
End misconfigurations and policy violations.
Defend third-party and supply chain risk.
Prevent disruption by outsourcing MDR.
Adopt a risk-based security approach.
Meet insurability requirements with MDR.
Protect your most sensitive data.
Defend brute force attacks, active intrusions and unauthorized scans.
Guard endpoints by isolating and remediating threats to prevent lateral spread.
Investigation and threat detection across multi-cloud or hybrid environments.
Remediate misconfigurations, vulnerabilities and policy violations.
Defend brute force attacks, active intrusions and unauthorized scans.
THE THREAT On February 20th, ConnectWise confirmed that two recently disclosed ScreenConnect vulnerabilities are now under active exploitation. The vulnerabilities are currently tracked as…Feb 09, 2024
THE THREAT On February 7th, CISA, NSA, FBI, along with Five Eyes intelligence partners, published a joint advisory related to state-sponsored threat actors from the People’s Republic of…
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Waterloo, ON–February 7, 2024 – eSentire, Inc., the Authority in Managed Detection and Response (MDR), today announced that three of Australia’s top Value-Added Resellers (VARs): Advance Vision Technology, Exigo Tech, and Rubicon 8 have joined eSentire’s CRN 5-Star e3 partner…
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
We believe a multi-signal approach is paramount to protecting your complete attack surface. See why eSentire MDR means multi-signal telemetry and complete response.
See how our 24/7 SOC Cyber Analysts and Elite Threat Hunters stop even the most advanced cyberattacks before they disrupt your business.
Choose the right mix of Managed Detection and Response, Exposure Management, and Incident Response services to strengthen your cyber resilience.
Try our interactive tools including the MITRE ATT&CK Tool, the SOC Pricing Calculator, the Cybersecurity Maturity Assessment, and our MDR ROI Calculator.
Read the latest security advisories, blogs, reports, industry publications and webinars published by eSentire's Threat Response Unit (TRU).
See why 2000+ organizations count on eSentire to build resilience and prevent business disruption.
This is the fifth and final blog post in the Living Off the Land blog series. In this edition, the focus is on how adversaries may leverage Living off the Land tools to create Command and Control (C2) communication after successfully completing the previous phases of the Cyber Kill Chain.
Command and control is the second to final stage of the Cyber Kill Chain, enabling the adversary to complete their actions and objectives. In order to establish command and control communications, both penetration testers and adversaries have exploited Living Off the Land techniques in the past. Scripting languages such as PowerShell and Windows Management Interface (WMI) have been exploited to enable C2, as has remote access software. Frameworks exist for the express purpose of creating C2 communication via Living Off the Land Tools. Defenders need to be aware that remote access software and scripting software is all that is required to establish command and control in the enterprise. These tactics are discussed in greater detail below, along with mitigation steps.
There are various options adversaries can employ to establish communication using Living off the Land techniques. Common methods seen across the eSentire threat detection surface include PowerShell and Windows Management Interface (WMI). Other methods observed in the wild utilize remote access software and anti-theft applications.
There have been cases where common enterprise applications have been used to control and execute software on compromised hosts. In one particular case, TeamViewer was used to remotely deliver and execute commands against company assets, leading to the compromise of a CCleaner version. The compromised versions were downloaded by 2.3 million users before the issue was fully resolved .
In early May 2018, researchers identified a threat actor exploiting older versions of Absolute LoJack to establish successful C2 communication . Absolute LoJack is a legitimate anti-theft solution used by organizations to track and remotely wipe stolen assets. The adversaries in this case were able to modify a LoJack agent to point to a rouge C2 server that mimics the LoJack communication protocols. By utilizing LoJack to maintain communication with the rouge server, the adversaries were able to perform malicious tasks to obtain their objectives.
The versatility of PowerShell and WMI have been noted in previous blog entries in this series; various frameworks using these languages have been created that reduce the difficulty in establishing Command and Control. One such tool is PoshC2. PoshC2 is an open source Command and Control framework that is written entirely in PowerShell . It was designed for the benefit of penetration testers to establish communication after successful exploitation.
In order to demonstrate the use of Living off the Land tools for establishing Command and Control, the following section demonstrates the PoshC2 framework. This framework allows adversaries and pen-testers the ability to establish encrypted communication. PoshC2 was chosen to demonstrate as it has a high number of built in modules, receives frequent updates and is relatively simple to use. Figures 1-7 illustrate how potential attacks may unfold.
The server configuration settings and options for PoshC2 are shown in figure 1. The tool can be used internally on a compromised environment or externally on infrastructure owned by the adversary since it is built entirely from PowerShell. When used internally, PoshC2 can funnel traffic from multiple compromised assets through one IP address. This can minimize the chances of discovery when only monitoring egress traffic.
The Get-RecentFiles command brings up a list of recently accessed files on the machine. This allows adversaries to quickly identify potential files of interest.
The Get-Screenshot command allows adversaries to take live screen captures of the victims’ machines. Obtaining screen shots could allow adversaries to obtain sensitive information displayed on the screen.
In figure 7, the adversary used the PoshC2 framework to launch an executable. In this case, calc.exe was launched on the affected asset. From the attacker’s perspective, this functionality opens a near limitless set of options for new attacks across the network.
PoshC2 is blocked by Windows Defender by default in Windows 10, but the framework can be easily modified to evade detection.
Knowing the potential threats that exist pertaining to Living Off the Land tools allows defenders to tailor aspects of security to best protect against these attacks. Each previous blog post in this series has a tailored set of recommendations for defending against the use of Living Off the Land tools in the various Kill Chain stages. Below is a list of recommended steps for reducing the likelihood of an adversary successfully establishing Command and Control.
Penetration testers and adversaries have incorporated multiple living off the land techniques in established command and control communication. Whether through scripting languages like PowerShell, or compromising remote access software, communications can be established. Over the years, tools and frameworks have been developed to leverage Living Off the Land software as demonstrated by the PoshC2 framework. The detection of Living Off the Land tools is difficult, but by combining both network and endpoint monitoring, it is possible to identify unusual command and control activity.
This blog series has outlined the use of Living Off the Land tools for reconnaissance, weaponization, delivery and installation, exploitation and the command and control phases. Combining the kill chain phases can allow adversaries to achieve their objectives. Employing the use of Living off the Land techniques by adversaries can increase the difficulty for incident responders to detect. Performing the recommendations included in this blog series can help to mitigate, stop or quickly respond to threats relying on Living off the land tools.
Previous Blogs in this Series