How to Proxy Command Execution: "Living Off The Land" Hacks

Captions
You might be familiar with the term "living off the land". That is when a hacker, or threat actor, or adversary lands in a new environment: they've gained initial access to the target that they're wanting to compromise, but they don't bring in any of their own tooling. They don't bring in any programs or scripts or things that they might use to do damage and accomplish their objectives. They live off the land and only use resources, or applications, or programs, or scripts, or tools that are already a part of this environment that they're now a part of. They're only using things that are native, or inherent, or built in to the target operating system that they might be up against, whether that is Windows or Linux.

In this video we're going to take a look at how some security researchers might track down some of these living-off-the-land binaries, or scripts, and tools and techniques that could be used to do something different or new, other than what was expected, that could still accomplish some task that a threat actor, hacker, adversary might want to do.

But before we dive in, I would like to give some quick shout out to today's sponsor, PlexTrac. PlexTrac is the premier cybersecurity reporting and collaboration platform that makes penetration testers, red teamers, and cybersecurity teams more efficient, effective, and proactive. With PlexTrac you can eliminate the dull and boring drudgery of report writing so you can focus on what's really important: hacking, the engagement, the assessment, and the campaign. And it's not just for offense. PlexTrac is a collaboration portal between both red and blue teams to facilitate effective purple teaming and faster remediation while coordinating between multiple team members. You easily aggregate findings, pull in reusable content from write-up databases and content libraries, and track and measure progress in real time. You can import assets from common CSV files, Nmap, Nessus, and many of your other favorite tools. PlexTrac boasts 25-plus integrations and that list is always growing. You can do even more with PlexTrac's runbooks, with scripts mapped to the MITRE ATT&CK framework, or plans from Atomic Red Team, insight, or assessments built off of the CIS controls and benchmarks. And of course, show the impact with PlexTrac's analytics and visualizations. Customize your reports with your team's logo and details, and with a single click export your report and send it off to the client. Spend more time hacking and less time reporting. Learn how you can boost your team's efficiency by 30 percent and cut reporting time by up to 65 percent with PlexTrac. Seriously, check them out. I have great colleagues and peers that use PlexTrac every day for reporting. Sign up for a demo and claim your free month of PlexTrac right now at https://jh.io/plextrac. Huge thanks to PlexTrac for sponsoring this video.

Okay, so now we are diving into the fun stuff. We're here on my computer screen, and you are probably already aware of some online resources like GTFOBins, or other ones, LOLBins or LOLBAS, again, living-off-the-land binaries, scripts, and libraries. GTFOBins being strictly for Linux or Unix binaries that, again, are all present on a target operating system that is traditionally running Linux or a Unix ecosystem, right? But if you're looking for Windows binaries you would want to visit LOLBAS, this other resource, again specifically for the Windows operating system. Now again, this is a very, very well-known resource, but I will have to admit, hey, you know, there might be some cool, sweet stuff that isn't always going to end up being included in these resources. And with that I would honestly give some credit and kudos to the great folks over on infosec Twitter. Now I know there are a lot of recent conversations between, oh, Twitter and Mastodon and other social media sites, yada yada, but ultimately what I want to be getting towards is the security community, right, is still alive and well and booming and sharing great work and resources and research. And with that I want to give credit and kudos and shine the spotlight on some incredible folks like Grzegorz Tworek, and forgive me, I might be getting your name wrong, my friend, um, but hey, I did want to show, okay, some of the sweet work that he's done and bring it to light with this video, with a little bit of a showcase on living-off-the-land binaries and some interesting tricks that you might be able to do. I did ask for permission. I did want to make sure, hey, is all this above board, are you totally comfortable with me sharing and showcasing it? But he says absolutely, without a doubt, that's the reason that we make all this education freely accessible. So thank you for being a champion of that initiative and effort here.

So now let's really get the party started. I am inside of a flat, vanilla, bare-bones installation of Windows 11 inside of a virtual machine, and I want to showcase some other interesting stuff that we might be able to get into. I'm going to open up the terminal. Windows Terminal is one of the sweet new ways to access the command prompt or PowerShell, and I have this window open right here. You might notice on the desktop I do have, uh, procexp64 and procmon64. These are some utilities from the Sysinternals Suite that I will get into in just a little bit, but I want to set the stage with what we're going to be playing with. So I'm going to full-screen this terminal here and I'm going to open up this program, tpmtool.exe. That is the name of the command that will end up running here, and tpmtool is, as you might expect, the utility that can be used to get information about the TPM, or the Trusted Platform Module. Now if you want to look at some up-to-date information you could check this out online with some of the resources on the official Microsoft documentation, but ultimately this is what we'll end up kind of playing with and exploring. You might be able to do some interesting stuff with this. If you wanted to, you could actually kind of trace, or see and understand, okay, what are each of these different parameters going to end up doing when this program actually executes? If you were to supply any of these arguments, what might you be able to see that this program actually does, and things that you might not expect, right? This is why you would use some of the utilities like Procmon or Process Explorer, so you can do a little bit more security research just to see: does anything weird happen? Does anything out of the ordinary happen? Bear in mind this tpmtool is, again, native and inherent to Windows. I gotta track down where this thing is actually stored, because I think that would be worthwhile to show you. Let me go to the C drive and search for tpmtool.exe in the search bar, and there it is, I got our results here. Uh, it is in WinSxS, wow64, Windows TPM, blah blah blah, but that is inherently, hey, something that we could access as part of the path, and we can just kick it off through the command line. So nice and easy for us.

And by the way, I'm sorry, I probably didn't do a very good job of, like, setting the stage here. Say that we are a threat actor, or a hacker, or adversary now that has gained initial access and we are inside of this Windows environment. I know there's a little bit of suspended disbelief there, but please bear with me, it'll be kind of fun for the showcase here. And alongside that, uh, suspended disbelief, I would like to kind of zoom in on one of the more interesting things that this thing might do when we end up using tpmtool driver tracing. It has options there to either start or stop the driver tracing functionality. You can see that as part of the output: look, we just start or stop collecting driver traces, as in the help output here. So if I were to run that, let me do that, tpmtool.exe drivertracing. Obviously this will need an argument, and that's why it says, hey, you know, hey, go ahead and fill this out, "the parameter is incorrect". We have not supplied everything that we need. So if I were to try and use tpmtool drivertracing stop, it says, oh, there was an error, "the data collector set was not found". Data collector set was not found, okay, hey, whatever. Again, bear with me. Say we were going through the process of exploring each of these parameters and each of these arguments, or seeing what this program might do. But the way that we actually kind of trace that is by taking a look at Procmon, or checking out what this process does as we execute it.

Now again, Procmon is part of the Sysinternals Suite, and Procmon will just dump, like a little bit of a fire hose, all of the events that are caused by different processes running on your computer, whether it opens a registry file, or if it actually creates a new file, or opens a file handle on your file system, whether it succeeds or if it fails, or anything like that. You might be able to find some interesting DLL hijacking opportunities. You might be able to find some odd, oh, maybe using the current user registry key rather than the local machine. All these different things that could open the door for you to maybe get in the middle of some strange execution of what a program might actually do here. So what I'm going to do is I'm actually going to use Process Monitor and set a filter. That's what this little filter icon is up here. And if I go ahead and say, look, I want to zoom in on and specifically focus on what this tpmtool process might do, we can say, hey, the process name will be set when it is tpmtool.exe, then we want to include all of those outputs. We don't want to see all the other stuff that happens on the computer, we just want to look at strictly "the process name is tpmtool.exe", so include that but exclude everything else. If I hit apply here, it initializes and now all of that activity is gone. But if I bring this to the side and I fire up my little terminal over here, if I run the exact same command, tpmtool drivertracing stop, if I hit enter, boom, you can see all of this gets filled out.

Now I know a whole lot of this is going to be probably pretty dull and boring, and you just sort of hit the "I believe" button, but look for the weird stuff that just seems a little bit out of the ordinary. Hey, okay, loading DLLs, that's probably pretty normal. Hey, checking different registry keys to see what's going on, yada yada yada, maybe getting any necessary DLLs or dynamic link libraries. But there is one oddball, if you want to look for, hmm, are there any paths that maybe we could control, or is it using any current user configurations within the registry? This is where you would really be looking for things that you might be able to see spawn or do something different that could be taken advantage of for a living-off-the-land technique or trick. And here's a weird one: the tpmtool.exe actually runs Process Create to spawn cmd.exe, like the command prompt itself. But that's weird, because we used cmd.exe to start tpmtool, right? So why is it creating another sub-process, or another child process, of cmd.exe? Could we maybe take a closer look at what is happening with cmd.exe just as well? What if we modified our filter to actually add in, hey, let's check out what cmd.exe is up to: when the process name is cmd.exe, include that just as well. Now this might get a little bit messy because we're probably going to end up seeing, oh, some of our own activity trying to spawn tpmtool. But no, okay, we didn't, because it's all under Windows Terminal. But can I go see what happens after we create cmd.exe as a sub-process or as a child under tpmtool? Let's see, there it is, Process Create cmd.exe. Now we have two new entries here. The cmd.exe is trying to do something odd: it has a Process Start with, like, no path supplied, and then a Thread Create. Kind of weird. Uh, scrolling down, do we see any other entries? Okay, Load Image, etc., et cetera, et cetera, more registry configuration stuff, all underneath maybe our tpmtool, and then probably, okay, Thread Exit, Process Exit, it's cleaning itself up. But what did it try to start as another process to open? When we saw a Process Create we also see a Process Start here, and if I check out the properties on this, I'm going to right-click it, oh, you can see all the info here in the command line. It uses cmd.exe and then /c as an argument to run a new command with logman.exe. Uh, uh, is logman.exe a thing? It uses logman.exe stop TPMTrace -ets. So if I go back to my terminal, can I run logman.exe? Oh, seemingly I can.

But some of you might be catching on to this weird oddity here, and that cmd.exe /c logman.exe is not specifying a full path for logman.exe. So what if we had our own logman.exe present in this directory, and the execution of what we were trying to run here? Now I know this is really weird because we're kind of using tpmtool with some oddball syntax that we just kind of arbitrarily chose, but, you know, we dug around and we found it, and if it were to have its own logman.exe in this directory rather than the regular Windows path, it would end up executing it, right? Do you get that idea here? Let's try it out. Let's go ahead and copy C:\Windows\System32\calc.exe. Is that here? calc.exe, we'll put it in this directory, right? So now it's in this directory, I have a calc.exe present here, but remember, the name of this executable needs to be logman.exe, right? So let's see if I can move that calc.exe to logman.exe. Checking out the directory again, there it is. So this is weird: what if we were to end up using our tpmtool.exe drivertracing stop syntax to have this application, this built-in, native, inherent tool, spawn cmd.exe and then spawn logman, all within the current directory, and we're supplying our own little hijacked logman, which could be anything? It pops calc. [Laughter] Silly, dumb, weird, uh, but there is our own sort of proxy to code execution, uh, to run something that it didn't intend to really do. And it could be any arbitrary executable, like, you could make this notepad, you could make this malware.exe, you can make this ransomware. Obviously, you or the threat actor or hacker having the opportunity to be able to place the contents of the file there, that is its own potential liability, and there are variables and things at play there. But if you have that access, or you can write to a file in that location in a stealthy enough way, you're not inherently executing that file. You're now kind of maybe sneaking around some potential detection opportunities that blue teams, or defenders, or folks trying to protect this environment, hey, they won't really latch on to this weird tpmtool execution. And that is exactly the point of using these living-off-the-land binary tricks, and that is why you, if you're super interested in this stuff, might be able to just explore, hey, different Windows binaries or different native applications and things that could be present on your operating system, and just see what weird stuff they do, tracing through with Process Monitor or Process Explorer and just kind of seeing what happens and why.

But hey, again, huge shout out and credit and kudos to Grzegorz Tworek, forgive me, I always worry about getting your name right, 0gtweet over on Twitter. It originally kind of showcased this. He says, you know what, "I love the smell of LOLBins", or living-off-the-land binaries, "in the morning". Here's using tpmtool to spawn cmd to spawn logman, and hey, what about, oddball, what a surprise, logman is going to end up being launched from the current folder. So he showcases this little picture where he triggers his own pwned executable, and then ends up showcasing, hey, in the event log, even seeing this with Sysmon, this is what ends up being showcased for, uh, this executable here. Uh, checking out in the event log, or seeing things triggered and fired with Sysmon, is another great way to see, hey, what happens where and when, maybe a little bit faster than going in and out of Procmon back and forth. But, uh, hey, all different ways to see what happens and what weird stuff could we track down for some of these living-off-the-land techniques.

And if at the end of this all you're asking, so what? Like, why bother? Like, what's the difference between running the application that you intended on running, whether it was calc or notepad or malware, ransomware, or whatever, why not just invoke it? Uh, again, you could just kind of be redirecting or proxying your own command execution to just not look like what you're actually doing. It's just sort of masquerading and kind of hiding, or at least, again, redirecting the attention of the analysts and the, you know, SOC watch floor folks digging into seeing what's really happening here, because then you, as the attacker, as the red teamer, as the penetration tester, or anything, have more time to do more damage, if that's really the way that we want to put it there. With that said, I hope this is an interesting trick, hope it's a neat little technique, a little tactic you might be able to put in your toolkit. And with that I hope you enjoyed the video, and maybe if you're doing some of that red teaming, hey, ethical hacking, pen testing stuff, you're firing up PlexTrac, you're using our sweet sponsor, and you're enjoying videos just like these. If you are, please do those YouTube algorithm things to help the channel grow: like the video, comment, subscribe if you'd be so kind. There are donation links if you're interested, in Patreon and PayPal in the description. Also you can join the channel as a member, and that helps kind of, hey, offer some financial funds to help keep me motivated and encouraged to keep doing more stuff just like this. So, uh, super appreciate all of your generosity, and a special credit and kudos again to 0gtweet and the great folks online that share great research and help us, like, help bolster the community. We truly stand on the shoulders of giants, and it takes a village to kind of help keep this thing moving forward. So, uh, with that I'll close up the video here, but thank you for watching, and I'll see you in the next. Take care.
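The video ends by pointing at Sysmon and the event log as the faster way to spot this chain. Below is a defender-side detection sketch for exactly the behaviour the video walks through (tpmtool.exe spawning cmd.exe, and a binary named like a Windows tool such as logman.exe running from a user-writable directory because it was invoked without a full path). It is an added example, not code from the video or from Grzegorz Tworek; it assumes a constructed "key=value | key=value" text layout standing in for the fields of a Sysmon Event ID 1 (process create) record, and the binary-name list and system-directory set are illustrative placeholders.

```python
"""Detection sketch for the tpmtool -> cmd.exe -> logman.exe proxy chain.

Constructed example: the event lines below imitate the Image, ParentImage
and CommandLine fields of a Sysmon Event ID 1 record, but use a made-up
"key=value | key=value" text layout so the script runs offline.
"""
import ntpath
from typing import Dict, List, Tuple

# Directories where Windows keeps its own binaries (illustrative set).
# A process whose image name matches a Windows tool but lives elsewhere
# is the search-order hijack the video demonstrates with logman.exe.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Illustrative subset of built-in binary names (assumption: a fuller
# inventory of System32 executables would be used in practice).
KNOWN_SYSTEM_BINARIES = {"logman.exe", "calc.exe", "notepad.exe",
                         "cmd.exe", "tpmtool.exe"}

# Parent -> child pairs the video identifies as the proxy chain.
SUSPICIOUS_PARENT_CHILD = {("tpmtool.exe", "cmd.exe")}

# Constructed sample events: the chain from the video plus one benign
# logman.exe run from System32 as a control.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\tpmtool.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=tpmtool.exe drivertracing stop",
    r"Image=C:\Windows\System32\cmd.exe | ParentImage=C:\Windows\System32\tpmtool.exe | CommandLine=cmd.exe /c logman.exe stop TPMTrace -ets",
    r"Image=C:\Users\lab\Desktop\logman.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=logman.exe stop TPMTrace -ets",
    r"Image=C:\Windows\System32\logman.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=logman.exe query",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value | key=value' line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def first_token(cmdline: str) -> str:
    """The program token of a command line, honouring a quoted first arg."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def is_proxy_parent_child(ev: Dict[str, str]) -> bool:
    """True when a parent/child pair matches the known proxy chain."""
    pair = (image_name(ev["ParentImage"]), image_name(ev["Image"]))
    return pair in SUSPICIOUS_PARENT_CHILD


def is_search_order_hijack(ev: Dict[str, str]) -> bool:
    """True when a Windows-tool name was invoked without a path and the
    image that actually ran lives outside the system directories."""
    name = image_name(ev["Image"])
    if name not in KNOWN_SYSTEM_BINARIES:
        return False
    directory = ntpath.dirname(ev["Image"]).lower()
    invoked_without_path = "\\" not in first_token(ev["CommandLine"])
    return invoked_without_path and directory not in SYSTEM_DIRS


def analyze(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (event index, rule name, detail) for every hit."""
    findings: List[Tuple[int, str, str]] = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if is_proxy_parent_child(ev):
            findings.append((i, "proxy-chain",
                             f"{image_name(ev['ParentImage'])} spawned "
                             f"{image_name(ev['Image'])}"))
        if is_search_order_hijack(ev):
            findings.append((i, "search-order-hijack",
                             f"{image_name(ev['Image'])} ran from "
                             f"{ntpath.dirname(ev['Image'])}"))
    return findings


if __name__ == "__main__":
    for index, rule, detail in analyze(SAMPLE_EVENTS):
        print(f"event {index}: {rule}: {detail}")
```

Run against the constructed sample, the script flags event 1 (tpmtool.exe spawning cmd.exe) and event 2 (logman.exe running from the Desktop after a path-less invocation) while leaving the System32 logman.exe run alone. On a real host the same two rules map onto Sysmon's Image, ParentImage and CommandLine fields; the second rule is the more general one, since it catches any Windows-tool name resolved out of a user-writable current directory, not just the tpmtool case.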
Info
Channel: John Hammond
Views: 49,210
Keywords: cybersecurity, learn, programming, coding, capture the flag, ctf, malware, analysis, dark web, how to learn cybersecurity, beginners
Id: QBvM-MzQ570
Length: 19min 9sec (1149 seconds)
Published: Wed Dec 28 2022