[SANS Webcast] A Wolf in Sheep’s Clothing: Dissecting Living off the Land Techniques
To fulfill the needs of system administrators and power users, for decades Microsoft has been releasing Windows tools that provide high-level command-line interfaces to interact with the system: execute scripts, change operating system and user settings, install programs, download or modify files.
Naturally, attackers have also adopted these easy-to-use, Microsoft-provided tools to both make malware development easier, and to bypass security mitigations.
Because such tools aim to provide the widest possible functionality to legitimate users, they often implement unexpected features. With a bit of creativity, these often-half-forgotten features can be used to download files or achieve code execution. Because the tools are signed by Microsoft, they also provide the attacker with a way to execute malicious code with Microsoft-signed binaries without code injection, defeating application whitelisting. The umbrella term for attack techniques using Microsoft-signed tools in such a way is often referred to as Living Off the Land (LOL), and the binaries used in the technique as LOLBINs.
In this webcast, SANS Analyst Jake Williams and VMRay Sr. Threat Analyst Tamas Boczan viewers will:
- Explain what LOLBINs are commonly used in the wild by malware,
- Showcase real-world examples of interesting LOL techniques,
- Show you how to hunt for attacks using the techniques and defend against them.