Nitin Shekokar, Akshay Agarwal/Symantec
Hackers are becoming smarter and smarter with evasion techniques to bypass malicious payload execution on the victim machine. They smartly started using clean binaries to meet their malicious purpose. This kind of technique is known as Living off the land (LOL). AV bypass these clean files until and unless execution of the malicious activity. This is a challenging situation with AV products and counters-hacker.
In 2018, LOL attack has made the malicious use of PowerShell a "staple" for cybercrimes, showcased by a 1,000% uptick of blocked malicious PowerShell scripts on the endpoint.
Top real-word examples of ‘Living off the land’ tactic:
- 1. Ransomware Petya/NotPetya outbreak: Using Dual-use tools, such as PsExec
- 2. Downloader.Dromedan (40,000 detections on the endpoint per day) : Using Regsvr32
- 3. Trojan.PPDropper Non-PE file attacks: PowerPoint file triggers a malicious PowerShell script
- 4. Trojan.Zlob.Q: infostealer uses a bitsadmin and PowerShell script to change the NameServer entry in the registry
There are more than 100 LOL binaries, but we picked top prevalent and unsafe* binaries in our research, those are mentioned below.
- 1. Certutil.exe
- 2. eventvwr.exe
- 3. Msbuild.exe
- 4. Mshta.exe
- 5. Odbcconf.exe
- 6. Regasm.exe / Regsvcs.exe
- 7. Regsvr32.exe
- 8. Wmic.exe
- 9. Powershell.exe
- 10. Bitsadmin.exe
- 11. Wingding.tff
- 12. Disk Cleanup
- 13. werfault.exe
We did research to identify LOL tactics and invented a generic method to block LOL attacks. We will cover this research in presentation with the help of following important points:
- 1. Usage of LOL binaries with real word example.
- 2. Top LOL bypassing technique
- 3. Study of malicious command line parameter of LOL binaries
- 4. How to Identify potential threats
- 5. Techniques to overcome LOL attacks for counter-hacker
- 6. Key takeaway
November 7 at 15:40 - 16:10, Stage B
Nitin Shekokar: Nitin Shekokar is Manager, Security Technology and Response group at Symantec Corporation. He has 12 years of experience in the Security domain. Currently, he is leading ‘Threat Counter Measure’ team which is responsible to do research on critical threat families and provide long term solutions. He had successfully provided long-term solutions to take down the threat landscape using Artificial Intelligence. He is an innovative leader and granted 3 patents in security domain. Earlier he was leading anti-malware operations like PE and Non-PE signature creations. In 2017 he presented a paper in Virus Bulletin conference. His expertise are Reverse Engineering and Machine Learning. In his free time, he loves to play Cricket, listening to music and spend time with his family.
Akshay Agrawal: Akshay Agarwal is a Threat Analysis Engineer, Security Technology and Response group at Symantec Corporation. He has 3 years of experience working in different threat detection technology. His current responsibility at Symantec includes big data-based research to find new and innovative ways to detect malware, finding the root cause for a missed detection and then propose a long-term fix for the problem to drive overall operational improvements. Prior to that, he is a Magna Cum Laude graduate of Savitribai Phule Pune University from where he holds a Bachelor of Information Technology degree. He loves traveling and playing computer games.