How Carbon Black is Prioritizing Living Off the Land Attacks
What are Living Off the Land (LoL) Attacks?
In recent years, Living Off the Land Binaries and Scripts (LOLBAS) have become increasingly popular tools for cybercriminals. These attacks abuse native, signed, and often pre-installed applications in ways their creators never intended. Because these tools already ship with the operating system and are trusted by it, they can be used to bypass security controls such as application whitelisting and signature-based anti-virus, making it easier for attackers to remain undetected on a system. That is what makes LoL attacks so appealing to attackers.
Carbon Black + LoL Attacks
At Carbon Black, we understand the severe damage that LoL attacks have the potential to do—and we’re constantly working to ensure that your systems are protected. By staying up to date on the latest attack trends, we are able to improve our capabilities, allowing you to worry less and focus on what matters.
In this blog post we will focus on the early stages of the MITRE ATT&CK™ framework and discuss a few techniques that we see being used to gain Initial Access to a device as well as how attackers are leveraging LoL binaries for Execution and Defense Evasion:
- Microsoft Office Applications Invoking LoL Binaries: Malicious email attachments (T1193) remain one of the most common attack vectors in use today, and those attachments are often Microsoft Office documents. While not LoL binaries themselves, these documents can contain hidden malicious macros that carry out the attack by invoking various LoL binaries, which can then be used to perform numerous forms of harmful activity. Some organizations rely on macros for their day-to-day operations, but an Office document spawning certain other applications is not normal and can be a sign of unauthorized access to an organization’s network. Carbon Black’s detection capabilities ensure that our customers are aware of this chain of events to help them stop attackers in their tracks.
- Mavinject Injecting Malicious Code: Threat researchers and organizations such as MITRE have recognized mavinject, a native signed Windows application, being used to inject malicious code into arbitrary processes (T1218). Mavinject is part of the Microsoft Application Virtualization (App-V) client, virtualization software that lets users run or stream applications on their machines as if they were installed locally. Once a malicious actor has gained access to a system, mavinject is one of many tools they can leverage to continue their attack. When invoked by the App-V client, it is normal for mavinject to inject into other applications, so an injection by itself does not stand out; what matters is who launched mavinject and what it injected. This makes mavinject an attractive application for evading traditional defenses. Carbon Black’s ability to single out and alert on only the malicious use cases keeps the False Positive rate low, making it easy for our customers to keep their endpoints safe.
- MSBuild Making Potentially Malicious Network Connections: Another application that has recently been used with malicious intent is MSBuild, a native signed Windows application normally used to build Visual Studio projects (T1127). MSBuild reads a project file and builds the project according to the file’s parameters. Attackers have been able to execute malicious code by embedding it in the project file (for example as an inline task that MSBuild compiles and runs during the build) to perform arbitrary malicious activities, such as making outbound network connections to other machines or downloading malicious files. Carbon Black’s behavioral analysis detects when MSBuild makes outbound network connections and alerts customers about potentially malicious MSBuild behavior, with a low rate of False Positives because it singles out only the malicious use cases of MSBuild.
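The three chains above (an Office application spawning a LoL binary, mavinject injecting outside its normal App-V context, and MSBuild talking to the network) are all behavioral patterns that can be expressed as rules over endpoint telemetry. The following is an added example written for this post, not Carbon Black’s detection code: it replays a constructed stream of Sysmon-style process-creation and network-connection events through one rule per chain. The process names, the list of LoL binaries, the App-V client image name used as the expected mavinject parent, and the sample events are all assumptions chosen for illustration; the mavinject command-line form follows its publicly documented usage.

```python
"""Toy behavioural detections for the three LoL chains discussed above.

Added example, not Carbon Black's code. Replays constructed Sysmon-style
endpoint events (process creation, outbound network connection) through
three rules: Office application spawning a LoLBin, mavinject.exe injecting
when its parent is not the App-V client, and MSBuild.exe opening a network
connection. Image names and sample events are assumptions for illustration.
"""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# LoLBins an Office document has no business invoking (assumed list).
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "regsvr32.exe", "rundll32.exe", "certutil.exe", "msbuild.exe", "mavinject.exe"}
# Parents under which mavinject injection is expected (assumed: the App-V client service).
EXPECTED_MAVINJECT_PARENTS = {"appvclient.exe"}


@dataclass
class Event:
    kind: str                 # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str                # full path of the acting process
    parent_image: str = ""    # full path of the parent (process events only)
    cmdline: str = ""
    dest: str = ""            # "ip:port" for network events


def basename(path: str) -> str:
    """Normalise a Windows path to a lower-case file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events) -> list:
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    alerts = []
    for e in events:
        image, parent = basename(e.image), basename(e.parent_image)
        if e.kind == "process":
            # Rule 1: an Office document macro chaining into a LoLBin.
            if parent in OFFICE_APPS and image in LOLBINS:
                alerts.append(("office_spawns_lolbin", e.pid, f"{parent} -> {image}"))
            # Rule 2: "mavinject.exe <PID> /INJECTRUNNING <dll>" launched by anything
            # other than the App-V client; injection under App-V itself is expected.
            if (image == "mavinject.exe" and "/injectrunning" in e.cmdline.lower()
                    and parent not in EXPECTED_MAVINJECT_PARENTS):
                alerts.append(("mavinject_injection", e.pid, f"{parent} -> {e.cmdline}"))
        elif e.kind == "network":
            # Rule 3: a build tool has no reason to open outbound connections by itself.
            if image == "msbuild.exe":
                alerts.append(("msbuild_network", e.pid, e.dest))
    return alerts


# Constructed sample telemetry (not real captures). Two benign events are mixed in
# to show the rules staying quiet: Word launched from Explorer, and mavinject
# launched by the App-V client.
SAMPLE_EVENTS = [
    Event("process", 4100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Windows\explorer.exe", "WINWORD.EXE /n invoice.docm"),
    Event("process", 4188, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event("process", 5200, r"C:\Windows\System32\mavinject.exe",
          r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
          r"mavinject.exe 5100 /INJECTRUNNING C:\ProgramData\App-V\hook.dll"),
    Event("process", 6020, r"C:\Windows\System32\mavinject.exe",
          r"C:\Windows\System32\cmd.exe",
          r"mavinject.exe 3344 /INJECTRUNNING C:\Users\Public\x.dll"),
    Event("network", 6300, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
          dest="203.0.113.5:443"),
    Event("network", 7001, r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
          dest="203.0.113.5:443"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} pid={pid:<5} {detail}")
```

Running the sample produces exactly three alerts (the Word-to-PowerShell chain, the cmd-launched mavinject, and the MSBuild connection) and none for the two benign events. The parent-process allow-list on the mavinject rule is the part that does the false-positive work: the same injection command line is legitimate under the App-V client and suspicious under a shell, so the rule keys on the parent rather than on the binary alone.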
Carbon Black has developed an approach to detection and prevention that can help stop these and other types of attacks as they appear—whether they’ve been seen before or not. Our teams conduct behavioral threat research to discover novel behavioral patterns used by attackers. These patterns stretch across the entire scope of the kill chain, transcending any individual attack and allowing us to provide protection against a broad set of threats without relying on specific pre-discovered IOCs. With Carbon Black, you can rest easy knowing that you’re protected from the attacks we’ve highlighted and more.
For more details on LoL binaries and scripts check out the whitepaper written by Carbon Black’s Threat Analysis Unit (TAU).