Living off the land: the command and control phase

This is the fifth and final blog post in the Living Off the Land blog series. In this edition, the focus is on how adversaries may leverage Living off the Land tools to create Command and Control (C2) communication after successfully completing the previous phases of the Cyber Kill Chain.

Executive Summary

Command and control is the second to final stage of the Cyber Kill Chain, enabling the adversary to complete their actions and objectives. In order to establish command and control communications, both penetration testers and adversaries have exploited Living Off the Land techniques in the past. Scripting languages such as PowerShell and Windows Management Interface (WMI) have been exploited to enable C2, as has remote access software. Frameworks exist for the express purpose of creating C2 communication via Living Off the Land Tools. Defenders need to be aware that remote access software and scripting software is all that is required to establish command and control in the enterprise. These tactics are discussed in greater detail below, along with mitigation steps.

Background

There are various options adversaries can employ to establish communication using Living off the Land techniques. Common methods seen across the eSentire threat detection surface include PowerShell and Windows Management Interface (WMI). Other methods observed in the wild utilize remote access software and anti-theft applications.

There have been cases where common enterprise applications have been used to control and execute software on compromised hosts. In one particular case, TeamViewer was used to remotely deliver and execute commands against company assets, leading to the compromise of a CCleaner version. The compromised versions were downloaded by 2.3 million users before the issue was fully resolved [1].

In early May 2018, researchers identified a threat actor exploiting older versions of Absolute LoJack to establish successful C2 communication [2]. Absolute LoJack is a legitimate anti-theft solution used by organizations to track and remotely wipe stolen assets. The adversaries in this case were able to modify a LoJack agent to point to a rouge C2 server that mimics the LoJack communication protocols. By utilizing LoJack to maintain communication with the rouge server, the adversaries were able to perform malicious tasks to obtain their objectives.

The versatility of PowerShell and WMI have been noted in previous blog entries in this series; various frameworks using these languages have been created that reduce the difficulty in establishing Command and Control. One such tool is PoshC2. PoshC2 is an open source Command and Control framework that is written entirely in PowerShell [3]. It was designed for the benefit of penetration testers to establish communication after successful exploitation.

Additional Information

In order to demonstrate the use of Living off the Land tools for establishing Command and Control, the following section demonstrates the PoshC2 framework. This framework allows adversaries and pen-testers the ability to establish encrypted communication. PoshC2 was chosen to demonstrate as it has a high number of built in modules, receives frequent updates and is relatively simple to use. Figures 1-7 illustrate how potential attacks may unfold.

The server configuration settings and options for PoshC2 are shown in figure 1. The tool can be used internally on a compromised environment or externally on infrastructure owned by the adversary since it is built entirely from PowerShell. When used internally, PoshC2 can funnel traffic from multiple compromised assets through one IP address. This can minimize the chances of discovery when only monitoring egress traffic.

Figure 1: Configured C2 Server

Figure 2: Server Generated Payloads

After setting up the PoshC2 server, preconfigured payloads are automatically generated (Figure 2). The adversary can select from 23 different payloads. After selecting a payload, the attacker can easily distribute it to additional hosts. In this circumstance, the payload.bat file was selected and remotely executed on the victim machine (Figure 3). In the Delivery and Installation issue of this blog series, a similar example was shown in which WMI was used to deliver a malicious .bat file.

Figure 4: Connected Devices

The above image shows the list of hosts currently connected to the PoshC2 server.

PoshC2 includes a wide variety PowerShell commands that can be utilized on the controlled assets, including some commands previously mentioned in this blog series during the Reconnaissance phase [4]. In figures 5 and 6 the PoshC2 server sends commands to the infected agents to achieve additional objectives.

The Get-RecentFiles command brings up a list of recently accessed files on the machine. This allows adversaries to quickly identify potential files of interest.

Figure 6: Get-Screenshot Command Result

The Get-Screenshot command allows adversaries to take live screen captures of the victims’ machines. Obtaining screen shots could allow adversaries to obtain sensitive information displayed on the screen.

In figure 7, the adversary used the PoshC2 framework to launch an executable. In this case, calc.exe was launched on the affected asset. From the attacker’s perspective, this functionality opens a near limitless set of options for new attacks across the network.

PoshC2 is blocked by Windows Defender by default in Windows 10, but the framework can be easily modified to evade detection.

Mitigation Strategies

Knowing the potential threats that exist pertaining to Living Off the Land tools allows defenders to tailor aspects of security to best protect against these attacks. Each previous blog post in this series has a tailored set of recommendations for defending against the use of Living Off the Land tools in the various Kill Chain stages. Below is a list of recommended steps for reducing the likelihood of an adversary successfully establishing Command and Control.

• Application whitelisting
• PowerShell logging
• Endpoint detection software
• User awareness
• Disabling macros
• Frequent and scheduled security patching
• Review and log which users have administrative rights
• Implement a monitoring program as a reactive measure

Conclusion

Penetration testers and adversaries have incorporated multiple living off the land techniques in established command and control communication. Whether through scripting languages like PowerShell, or compromising remote access software, communications can be established. Over the years, tools and frameworks have been developed to leverage Living Off the Land software as demonstrated by the PoshC2 framework. The detection of Living Off the Land tools is difficult, but by combining both network and endpoint monitoring, it is possible to identify unusual command and control activity.

This blog series has outlined the use of Living Off the Land tools for reconnaissance, weaponization, delivery and installation, exploitation and the command and control phases. Combining the kill chain phases can allow adversaries to achieve their objectives. Employing the use of Living off the Land techniques by adversaries can increase the difficulty for incident responders to detect. Performing the recommendations included in this blog series can help to mitigate, stop or quickly respond to threats relying on Living off the land tools.

Previous Blogs in this Series

Living Off the Land – The Reconnaissance Phase

Living Off the Land – The Weaponization Phase

Living Off the Land – The Delivery & Installation Phases

Living Off the Land – The Exploitation Phase

Sources

[1] https://thehackernews.com/2018/04/ccleaner-malware-attack.html

[2]https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

[3] https://github.com/nettitude/PoshC2

[4] https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase/