It’s Time to Evict Bad Actors “Living off the Land”

If you’re a fan of detective stories, you probably have read one of the first of the genre, “The Purloined Letter,” by Edgar Allan Poe. Briefly, a nefarious character has stolen a sensitive letter and is attempting to blackmail the victim. The authorities know he has it, so they raid his hotel room, turning over everything to find it. But they fail, because the thief has hidden it right out in the open, hanging from a tattered ribbon from the wall. Poe’s hero, detective C. Auguste Dupin, isn’t fooled by the ruse, but recovers the letter and gives it to the police for a reward.

Today, bad actors are taking a page from Poe’s tale, eschewing the hard work of creating sophisticated malware, and instead making use of Windows OS utilities and other commonly available tools, essentially hiding their work in plain sight in ways that make it easy to overlook.

The trend is called “living off the land.”

“The actors try to be as unsuspicious or as normal as possible,” says Candid Wueest, threat researcher at Symantec. Doing so not only makes the work of bad actors easier, but it makes their deeds harder to detect. According to Symantec, living-off-the-land attacks have any of four main characteristics:

1. Dual-use tools, such as PsExec, used by the attacker
2. Memory only threats, such as the Code Red worm
3. Fileless persistence, such as Visual Basic Scripting (VBS) in the registry
4. Non-Portable Executable (PE) file attacks, such as Office documents with macros or scripts

The Thrip Threat

Living off the land is the method behind a series of recent attacks known as Thrip, which was  discovered in early 2018 by Symantec experts at a telecommunications provider in Southeast Asia. Hackers were using the Windows utility PsExec to install Infostealer.Catchamas malware, a custom Trojan designed to steal information, on computers in the telecom company’s network.

The Symantec experts looked for Thrip-style attacks at other organizations and found a sizeable cyber espionage campaign launched by three computers in China. Espionage and possibly disruption were the likely motives and the targets were the communications, geospatial imaging and defense sectors in the U. S. and Southeast Asia.

Living-off-the-land is not a new concept for malicious actors. The Code Red worm reared its head in 2001. More recently, Ransom.Petya, broke out in June 2017, making heavy use of system commands during the infection process.

Using the Available Tools

According to Wueest, there are up to 100 legitimate tools that are being used to perpetrate living-off-the-land attacks. However, the vast majority use Windows Powershell scripts, a fixture of Windows for a decade. “As the name indicates, it’s very powerful. It can download a payload into memory and keep it there. That makes it difficult to detect with old-style security tools. If you reboot, all forensic traces will be gone, because it was just in memory,” explains Wueest.

Other Windows utilities that factor into living-off-the-land attacks include:

• PS Exec, a free tool from Microsoft. Although not installed on Windows by default, it is often used by admins to execute a process on a remote machine.
• Windows Management Instrumentation (WMI), which enables the user to execute code on another machine.
• Windows Secure Copy, a freeware tool that enables the user to perform normal FTP operations or send secure copy over SSH (Secure Shell), transferring files both to and from a compromised system.

The havoc really begins when these living-off-the-land tools are combined with more traditional hacking tools. One of these is Mimikatz, a utility that enables hackers to retrieve cleartext passwords, as well as password hashes from memory. Although not malicious in itself, 95% of Mimikatz usage is malicious, says Wueest.

Attackers might take passwords obtained with the help Mimikatz and use them with PS Exec to move laterally to another system. “That’s a very common pattern. They come into one machine – it could be in the HR department, which is used to receiving docs from strangers, and from that machine, the bad actors could use the password to hop onto other machines,” explains Wueest.

Once they have obtained passwords, the bad actors could also use them with a third party tool such as LogMeIn, a ubiquitous remote control program, to take over a targeted machine.

How to Fight Back

With the frequency and malignancy of living-off-the-land attacks likely to increase, you’ll need to add specific countermeasures to your defensive arsenal. Here’s what Wueest recommends:

Create a white list: Build a list of the tools that are approved for use, then remove all other tools. Anything used that is not on the white list is suspicious. Keep the white list up to date, as it should change over time to reflect the tools currently in use.  

Check log files: Since the tools will be legitimate, but the users might not be, it’s critical to know who is using what. Was an admin using PS Exec, or was it someone you’ve never heard of? Find the answer in the log files.

Limit PowerShell: PowerShell enables administrators to set limits in a number of ways. Administrators may restrict name spaces, the commands that PowerShell can execute, the time that users are on their machines, and the amount of downloading that is done. These limits can prevent hackers from doing their thing.

Be alert: Fresh attacks are constantly being developed, mutating and emerging in new and dangerous ways. Attackers are seeking to split their activity into multiple processes, each of which might look innocent in itself. One tool might collect IP addresses of your users, then another tool will write to a file, while still another tool uses the addresses for attacks.

Use deception tokens: Deploy small tokens, such as files or dummy user accounts. When users try to find passwords or access files, they will stumble upon your tokens, alerting you.  

Symantec TAA: Symantec Targeted Attack Analytics (TAA) played a key role in exposing the Thrip attacks. Utilizing machine learning and AI capabilities, TAA detects patterns that far exceed the normal range of human analysts. In January 2018, TAA triggered an alert that PsExec was being used to move laterally between computers at the Southeast Asian telecom operator’s network. TAA also revealed the attackers were using PsExec to install Infostealer.Catchamas.

When things are hidden out in the open – when the tools used by the bad actors are the same ones that are used legitimately every day -- it is critical to spot subtle variations from normal usage. To do so takes the machine learning and AI of TAA, capabilities that are beyond the skills of the savviest administrators – and even the peerless M. Dupin.

If you found this information useful, you may also enjoy:

• Attackers are increasingly living off the land