Security researchers continually refine attack techniques and share the results with the community to raise awareness. Early incident response on Unix systems was dominated by hands-on attackers who had to make do with the utilities already installed on the system or compile their own utilities and exploits on the target. That evolved into script kiddies, then Metasploit and other commercial penetration testing tools, and eventually into what is now called living off the land: building an attack out of the tools the victim system already provides.
A new term, bring your own land, has recently been coined for the next step in this evolution. In this tip, we'll look at bring-your-own-land attacks and potential enterprise defenses.
Bring your own land
Bring your own land, or BYOL, was coined by FireEye Inc., and it is an extension of living off the land. Living off the land is when attackers use the tools that already exist on a system, such as PowerShell, rather than introducing new binaries that defenders might notice.
The bring-your-own-land approach, by contrast, is when attackers write and bring their own tools, rebuilt from the PowerShell-based attack tools they would otherwise have used, and run them against the target system without depending on PowerShell at all.
Some Unix and Linux users bragged for decades about the superiority of the scripting languages on their systems. However, Microsoft put significant development effort into PowerShell to silence the critics who complained that Windows lacked a powerful enough scripting language. FireEye noted that PowerShell is powerful enough to build entire red-team frameworks.
In a recent blog post, FireEye detailed how bring-your-own-land tooling was used together with the Cobalt Strike framework during a penetration test. PowerShell was blocked on the target system, but application whitelisting was not in place, so any binary the red team brought with it could still be executed.
In a bring-your-own-land attack, attackers use C# and .NET assemblies to build custom binaries against the same .NET APIs that the PowerShell attack tools call. The functionality of those tools can be copied almost line for line into new executables that run without powershell.exe ever starting.
Because the controls that block PowerShell, and the endpoint detections that key on PowerShell activity, never see these custom binaries, they go undetected. Once code is executing on the endpoint, the attacker can also use reflective loading as part of the technique: the .NET assembly is loaded from a byte array in memory and invoked there, so the tool never needs to be written to disk.
Reducing the attack surface and limiting the impact of attacks have been critical since before the Rainbow Series was published. In the '90s, this could mean not installing compilers on a server so attackers couldn't use them to compile exploit code to get root access.
While most Windows systems don't have a development toolchain installed (although the .NET Framework's csc.exe compiler ships with Windows and is present on most of them), they do include PowerShell, and one of the basics added in the last 20 years is application whitelisting. FireEye resorted to custom compiled executables because PowerShell was blocked but no whitelist was in place; a whitelist would have blocked the custom tools used in place of PowerShell.
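The two paragraphs above make one technical claim: a compiled C# binary reaches exactly the .NET API surface that PowerShell tooling uses, a whitelist is what stops such a binary from starting, and a reflective load from memory sidesteps file-based rules. The following is an added example, not code from the article or from FireEye's tooling, that walks through all three on one machine. It assumes Windows PowerShell 5.1 on the .NET Framework (so csc.exe lives in the runtime directory), the AppLocker cmdlets, and a temp directory you can write to; the C# source, the policy XML, and the file names are constructed for the demo.

```powershell
# Added example (not from the article or FireEye). Assumes Windows PowerShell 5.1
# on the .NET Framework and the AppLocker module. Sample C# source, policy XML
# and paths are constructed for this demo.

# 1. Living off the land: the cmdlet and the .NET API underneath it.
Get-Process | Select-Object -First 3 Name, Id
[System.Diagnostics.Process]::GetProcesses() | Select-Object -First 3 Name, Id

# 2. Bring your own land: the same API from a standalone C# binary that never
#    needs powershell.exe. This benign enumerator stands in for a ported tool.
$src = Join-Path $env:TEMP 'byol_demo.cs'
$exe = Join-Path $env:TEMP 'byol_demo.exe'
@'
using System;
using System.Diagnostics;
using System.Security.Principal;

class ByolDemo {
    static void Main() {
        Console.WriteLine("Running as " + WindowsIdentity.GetCurrent().Name);
        foreach (Process p in Process.GetProcesses())
            Console.WriteLine(p.Id + "\t" + p.ProcessName);
    }
}
'@ | Set-Content -Path $src -Encoding ASCII

# csc.exe ships with the .NET Framework, so no extra toolchain is needed.
$csc = Join-Path ([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'csc.exe'
& $csc /nologo /target:exe "/out:$exe" $src
& $exe | Select-Object -First 5

# 3. Whitelisting check: evaluate the binary against AppLocker's default-style
#    executable rules without enforcing them. A file in %TEMP% is DeniedByDefault
#    for Everyone but Allowed for Administrators (S-1-5-32-544), which is why
#    local admin rights on workstations undermine the control.
$policyPath = Join-Path $env:TEMP 'byol_policy.xml'
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $policyPath -Encoding ASCII

Test-AppLockerPolicy -XmlPolicy $policyPath -Path $exe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
# To enforce for real: Set-AppLockerPolicy -XmlPolicy $policyPath (with the
# Application Identity service running), preferably distributed via Group Policy.

# 4. Reflective loading: the same assembly loaded from a byte array inside an
#    already-running, already-allowed process. No file is opened at load time,
#    so file-based executable rules have nothing to evaluate.
$bytes = [IO.File]::ReadAllBytes($exe)
Remove-Item $exe, $src
$asm = [System.Reflection.Assembly]::Load($bytes)
$asm.EntryPoint.Invoke($null, $null)
```

Step 3 is the whitelist working as intended; step 4 is the caveat. The reflective load still needs a host process that the whitelist already allows (here powershell.exe, in the FireEye case the Cobalt Strike beacon), so whitelisting narrows the problem to "which allowed processes are loading the CLR and why", which is exactly what the monitoring controls in the next section are for.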
Implementing security controls to monitor and limit the use of PowerShell, such as monitoring for suspicious process command-line arguments or capturing the de-obfuscated form of malicious PowerShell scripts with Script Block Logging, is still important. FireEye researchers also suggested profiling the APIs used on the endpoint and logging those events for alerting.
This functionality may be present in endpoint security tools, so administrators should check whether their tools can detect or prevent it. These controls generate an enormous amount of data, which is best managed with a SIEM or data analytics tool in a security operations center.
Because attackers will find the weakest link regardless of the details, it is critical to have tools in place to detect and respond to attacks that get past endpoint security tools. Whether the attack tools are PowerShell scripts, custom binaries, Metasploit modules or other commercial tools, monitoring activity on the endpoint is critical, as it provides visibility into how both users and attackers interact with devices.
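The three controls named above (command-line monitoring, Script Block Logging, and profiling which processes use which APIs) can be switched on and queried from PowerShell. The block below is an added example, not from the article or from FireEye, that enables the logging and then runs three simple detections over the local event logs. It assumes an elevated Windows PowerShell session, that Sysmon is installed for the image-load events, and that the indicator strings and the list of expected CLR hosts are constructed starting points to be tuned for the environment.

```powershell
# Added example (not from the article). Assumes an elevated Windows PowerShell
# session and Sysmon for the CLR-load check. Indicator lists and the
# expected-host allowlist are constructed for the demo; tune them locally.

function Enable-PowerShellAudit {
    # Script Block Logging records the de-obfuscated script block as executed
    # (event 4104 in Microsoft-Windows-PowerShell/Operational).
    $sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Process creation auditing with full command lines (event 4688, Security log).
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord
    auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
}

# Read a named EventData field from an event without relying on property order.
function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    ([xml]$Event.ToXml()).Event.EventData.Data |
        Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}

# Strings rarely seen in legitimate admin scripts but common in offensive
# PowerShell and in loaders for custom assemblies. (This script itself matches
# once it has run, which is a useful sanity check that logging is on.)
$ScriptIndicators = @('FromBase64String', 'Invoke-Expression', 'Assembly]::Load(',
    'DownloadString', 'VirtualAlloc', 'AmsiUtils')

function Get-SuspiciousScriptBlock([int]$Hours = 24) {
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string](Get-EventField $_ 'ScriptBlockText')
        $hits = $ScriptIndicators | Where-Object { $text.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 }
        if ($hits) {
            [pscustomobject]@{ Time = $_.TimeCreated; Indicators = ($hits -join ',')
                               Snippet = $text.Substring(0, [Math]::Min(120, $text.Length)) }
        }
    }
}

function Get-SuspiciousProcessCommandLine([int]$Hours = 24) {
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $cmd = [string](Get-EventField $_ 'CommandLine')
        # Encoded or hidden PowerShell, or any executable launched from a temp directory.
        if ($cmd -match '(?i)-enc(odedcommand)?\s|-nop\b|-w(indowstyle)?\s+hidden|\\Temp\\[^\s"]*\.exe') {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = (Get-EventField $_ 'NewProcessName'); CommandLine = $cmd }
        }
    }
}

# Profiling the API surface: a custom .NET binary, or an allowed process that
# hosts a reflectively loaded assembly, must pull in the CLR. Sysmon event 7
# (image loaded) shows which process loaded clr.dll; anything not on the
# expected-hosts list deserves a look.
$ExpectedClrHosts = @('powershell.exe', 'powershell_ise.exe', 'msbuild.exe', 'devenv.exe', 'mscorsvw.exe')

function Get-UnexpectedClrLoad([int]$Hours = 24) {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $loaded = [string](Get-EventField $_ 'ImageLoaded')
        $image  = [string](Get-EventField $_ 'Image')
        if ($loaded -match '(?i)\\(clr|mscoree|clrjit)\.dll$' -and
            $ExpectedClrHosts -notcontains (Split-Path -Leaf $image)) {
            [pscustomobject]@{ Time = $_.TimeCreated; Image = $image; Loaded = $loaded }
        }
    }
}

Enable-PowerShellAudit
Get-SuspiciousScriptBlock        | Format-Table -AutoSize
Get-SuspiciousProcessCommandLine | Format-Table -AutoSize
Get-UnexpectedClrLoad            | Format-Table -AutoSize
```

The first two queries catch the living-off-the-land case; only the third sees a bring-your-own-land binary or a reflective load, because those never produce a 4104 event and may never produce a suspicious command line. Every one of these queries is noisy at enterprise scale, which is the reason the article points at a SIEM: the value is in baselining which hosts normally load the CLR and alerting on the difference, not in reading the raw output.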