One of the topics covered in a recent RSA Conference presentation was how attackers use the victim’s own Windows operating system against them to avoid detection. This concept of “living off the land” (LotL) — the use of binaries, DLLs and other code that is already present on the system — makes systems harder to protect.
These binaries are either part of the default Microsoft operating system installation or downloaded from the Microsoft download site. A binary can also have interesting or unintended functionality, such as persistence, User Account Control (UAC) bypass, credential theft or other techniques that are valuable to attackers. You can review the potential attacks and uses of each binary on the LOLBAS site.
For example, attackers can use the command rpcping to capture credentials. They can send a remote procedure call (RPC) test connection to the target server (-s) and force the NT LAN Manager (NTLM) hash to be sent in the process. The command rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM allows the attacker to harvest the hash of a password.
Another example often used in attacks is a tool meant to protect and patch systems. Background Intelligent Transfer Service (BITS) is used by Microsoft to deliver and manage updates. Attackers use BITS to transfer malicious files, create alternate data streams, or copy and execute files.
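As an added defender-side illustration (not code from the article or from the RSA Conference talk), the following Python scans constructed process-creation events for the two LotL patterns described above: rpcping invoked with NTLM authentication, and BITS jobs that pull remote files or write to an alternate data stream. The event line format, the sample events and the rule names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events, not taken from the original article.
# Assumed format: "<time> <image path>|<command line>", one event per line.
SAMPLE_EVENTS = [
    r"10:01:02 C:\Windows\System32\rpcping.exe|rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM",
    r"10:01:09 C:\Windows\System32\bitsadmin.exe|bitsadmin /transfer job1 http://example.invalid/a.dat C:\Users\Public\a.dat",
    r"10:02:15 C:\Windows\System32\bitsadmin.exe|bitsadmin /create job2",
    r"10:02:16 C:\Windows\System32\bitsadmin.exe|bitsadmin /addfile job2 http://example.invalid/b.txt C:\Users\Public\x.txt:hidden",
    r"10:03:00 C:\Windows\System32\notepad.exe|notepad C:\Users\Public\notes.txt",
    r"10:03:30 C:\Windows\System32\rpcping.exe|rpcping -s fileserver01 -e 135 -a connect",
]

@dataclass(frozen=True)
class Finding:
    time: str
    rule: str
    command: str

# Each rule: (rule name, image basename it applies to, regex over the command line).
RULES = [
    # rpcping forced to authenticate with NTLM: the credential-capture pattern in the article.
    ("rpcping-ntlm", "rpcping.exe", re.compile(r"\s-u\s+NTLM\b", re.I)),
    # BITS job that pulls a remote URL: file transfer via bitsadmin.
    ("bits-remote-transfer", "bitsadmin.exe", re.compile(r"/(transfer|addfile)\s.*https?://", re.I)),
    # BITS destination naming an NTFS alternate data stream (drive:\path\file:stream).
    ("bits-ads-target", "bitsadmin.exe", re.compile(r"[A-Za-z]:\\\S*?:\S+")),
]

def parse_event(line: str):
    """Split one event line into (time, lower-cased image basename, command line)."""
    time, rest = line.split(" ", 1)
    image, cmd = rest.split("|", 1)
    return time, image.rsplit("\\", 1)[-1].lower(), cmd

def scan_events(lines):
    """Return a Finding for every rule an event matches; one event may hit several rules."""
    findings = []
    for line in lines:
        time, image, cmd = parse_event(line)
        for name, wanted_image, pattern in RULES:
            if image == wanted_image and pattern.search(cmd):
                findings.append(Finding(time, name, cmd))
    return findings

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.time} [{f.rule}] {f.command}")
```

The benign rpcping connectivity test and the bare bitsadmin /create produce no findings, so the rules key on the NTLM flag and on remote or ADS targets rather than on the binaries alone.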