The Irony of MobileIron. When Your Security Solution Needs Security
Get ready to press your luck with MobileIron MDM, where security wrinkles are a feature, not a bug: 📌Security Risks: Discover how MobileIron turns "Fort Knox" into "Fort Knocks-over-easily." 📌Technical Exploits: Learn how attackers can smooth out your security defenses faster than you can iron a shirt. 📌Mitigation Strategies: Master the art of digital duct tape and wishful thinking. 📌Impact Assessment: Explore the joys of explaining to your CEO why the company's secrets are now public domain...
1 year ago
Building Resilient Software: Mitigating LOTL Risks
Following the recommendations for software manufacturers is crucial in reducing the prevalence of exploitable flaws that enable LOTL tactics.
📌 Minimizing Attack Surfaces: Software manufacturers are urged to minimize attack surfaces that can be exploited by cyber threat actors using LOTL techniques. This includes disabling unnecessary protocols by default, limiting the number of processes and programs running with escalated privileges, and taking proactive steps to limit the ability of actors to leverage native functionality for intrusions.
📌 Embedding Security in the SDLC: Security should be embedded into the product architecture throughout the entire software development lifecycle (SDLC). This proactive integration ensures that security considerations are not an afterthought but a fundamental component of the product from inception to deployment.
📌 Mandating Multi-Factor Authentication (MFA): Manufacturers should mandate MFA, ideally phishing-resistant MFA, for privileged users and make it a default feature rather than an optional one. This step significantly enhances the security of user accounts, particularly those with elevated access.
📌 Reducing Hardening Guide Size: The size of the hardening guides that accompany products should be tracked and reduced. As new versions of the software are released, the aim should be to shrink these guides over time by integrating their components into the default configuration of the product.
📌 Considering User Experience: The user-experience consequences of security settings must be considered. Ideally, the most secure setting should be integrated into the product by default, and when configuration is necessary, the default option should be secure against common threats. This approach reduces the cognitive burden on end users and ensures broad protection.
📌 Removing Default Passwords: Default passwords should be eliminated entirely or, where necessary, be generated or set upon first install and then rotated periodically. This practice prevents the use of default passwords as an easy entry point for malicious actors.
📌 Limiting Dynamic Code Execution: Dynamic code execution, while offering versatility, presents a vulnerable attack surface. Manufacturers should limit or remove the capability for dynamic code execution because of the high risk and the difficulty of detecting the associated indicators of compromise (IOCs).
📌 Removing Hard-Coded Credentials: Applications and scripts containing hard-coded plaintext credentials pose a significant security risk. Removing such credentials is essential to prevent malicious actors from using them to access resources and expand their presence within a network.
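The "generated on first install, then rotated" recommendation above in working form. This is an added example, not code from the post or from any vendor: a random admin password is created the first time the product starts, only a salted PBKDF2 hash and a creation timestamp are persisted, and the product can refuse to keep running on a credential older than the rotation window. The state layout, the 90-day window and the iteration count are assumptions of the example.

```python
"""Unique-per-install admin credential with forced rotation (added example)."""
import hashlib
import secrets
import string
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

ROTATION_MAX_AGE = timedelta(days=90)   # assumed policy value
PBKDF2_ITERATIONS = 210_000             # assumed; tune to the target hardware
PASSWORD_LENGTH = 20


def generate_initial_password(length: int = PASSWORD_LENGTH) -> str:
    """A fresh random password for this install, never a vendor-wide constant."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#%"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never written to disk."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Constant-time comparison against the stored hash."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return secrets.compare_digest(digest.hex(), record["hash"])


def bootstrap_admin_credential(state: dict, now: datetime) -> Tuple[dict, Optional[str]]:
    """On first install create the admin record and return the one-time plaintext.

    On every later start the existing record is kept and None is returned,
    so there is no code path that falls back to a known default.
    """
    if "admin" in state:
        return state, None
    password = generate_initial_password()
    new_state = dict(state)
    new_state["admin"] = {**hash_password(password), "created": now.isoformat()}
    return new_state, password


def needs_rotation(state: dict, now: datetime, max_age: timedelta = ROTATION_MAX_AGE) -> bool:
    """True when no credential exists or the stored one is older than max_age."""
    record = state.get("admin")
    if record is None:
        return True
    return now - datetime.fromisoformat(record["created"]) > max_age


def rotate_admin_credential(state: dict, now: datetime) -> Tuple[dict, str]:
    """Discard the old record and issue a new random credential."""
    remaining = {k: v for k, v in state.items() if k != "admin"}
    new_state, password = bootstrap_admin_credential(remaining, now)
    return new_state, password  # never None: the admin key was removed above


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    state, one_time = bootstrap_admin_credential({}, t0)
    print("show once to the installer:", one_time)
    print("rotation due after 91 days:", needs_rotation(state, t0 + timedelta(days=91)))
```

The plaintext is returned exactly once, at bootstrap, so the installer sees it and the product never has a fixed value to fall back to; the same function doubles as the rotation path once the old record is dropped.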
1 year ago
Reclaiming Lost Ground: LOTL Attack Recovery
When an organization detects a compromise, especially one involving Living Off the Land (LOTL) tactics, it is critical to implement immediate defensive countermeasures. The Joint Guidance on Identifying and Mitigating LOTL Techniques outlines a comprehensive remediation strategy that organizations should follow to mitigate the impact of such incidents.
Immediate Response Actions
📌 Reset credentials for both privileged and non-privileged accounts within the trust boundary of each compromised account.
📌 Force password resets and revoke and issue new certificates for all accounts and devices.
Windows Environment Specific Actions
📌 If access to the Domain Controller (DC) or Active Directory (AD) is suspected, reset all local account passwords, including Guest, HelpAssistant, DefaultAccount, System, Administrator, and krbtgt. The krbtgt account, which handles Kerberos ticket requests, should be reset twice to ensure security because of its two-password history.
📌 If the ntds.dit file is suspected to have been exfiltrated, reset all domain user passwords.
📌 Review and adjust access policies, temporarily revoking or reducing privileges to contain affected accounts and devices.
📌 Reset Non-Elevated Account Credentials: If the threat actor's access is limited to non-elevated permissions, reset the relevant account credentials or access keys and monitor for further signs of unauthorized access, especially for administrative accounts.
Network and Device Configuration Audit
📌 Audit Network Appliances and Edge Devices: Check for signs of unauthorized or malicious configuration changes. If changes are found:
📌 Change all credentials used to manage network devices, including keys and strings securing network device functions.
📌 Update all firmware and software to the latest versions.
Remote Access Tool Usage
📌 Minimize and Control Remote Access: Follow best practices for securing remote access tools and protocols, including guidance on securing remote access software and using PowerShell securely.
1 year ago
The Digital Hunt: Tracking LOTL in Your Network - Part IV
Detection and Response
To detect and respond to such exploitation, it is crucial to understand the context of ntdsutil.exe activity and to differentiate legitimate administrative use from potential malicious exploitation. Key log sources and monitoring strategies include:
📌 Command-line and Process Creation Logs: Security logs (Event ID 4688) and Sysmon logs (Event ID 1) provide insight into the execution of ntdsutil.exe commands. Unusual or infrequent use of ntdsutil.exe for snapshot creation might indicate suspicious activity.
📌 File Creation and Access Logs: Monitoring file creation events (Sysmon Event ID 11) and attempts to access sensitive files like NTDS.dit (security logs with Event ID 4663) can offer additional context for the snapshot creation and access process.
📌 Privilege Use Logs: Event ID 4673 in security logs, indicating the use of privileged services, can signal potential misuse when correlated with the execution of ntdsutil.exe commands.
📌 Network Activity and Authentication Logs: These logs can provide context about concurrent remote connections or data transfers, potentially indicating data exfiltration attempts. Authentication logs are also crucial for identifying who executed the ntdsutil.exe command and assessing whether the usage aligns with typical administrative behavior.
Comprehensive Analysis of PSExec.exe in LOTL Tactics
PSExec.exe, a component of the Microsoft PsTools suite, is a powerful utility for system administrators, offering the capability to remotely execute commands across networked systems, often with elevated SYSTEM privileges. Its versatility, however, also makes it a favored tool in Living Off the Land (LOTL) tactics employed by cyber threat actors.
The Role of PSExec.exe in Cyber Threats
PSExec.exe is commonly used for remote administration and the execution of processes across systems, such as running one-off commands that modify system configuration, for example removing a port proxy entry on a remote host with a command like:
"C:\pstools\psexec.exe" {REDACTED} -s cmd /c "cmd.exe /c netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999"
Detection and Contextualization Strategies
To effectively counter the malicious use of PSExec.exe, network defenders must leverage a variety of logs that provide insight into the execution of commands and the broader context of the operation:
📌 Command-line and Process Creation Logs: Security logs (Event ID 4688) and Sysmon logs (Event ID 1) are invaluable for tracking the execution of PSExec.exe and associated commands. These logs detail the command line used, shedding light on the process's nature and intent.
📌 Privilege Use and Explicit Credential Logs: Security logs (Event ID 4672) document instances where special privileges are assigned to new logons, which is crucial when PSExec is executed with the -s switch for SYSTEM privileges. Event ID 4648 captures explicit credential use, indicating when PSExec is run with specific user credentials.
📌 Sysmon Logs for Network Connections and Registry Changes: Sysmon Event ID 3 logs network connections, central to PSExec's remote execution functionality. Event IDs 12, 13, and 14 track registry changes, including deletions (Event ID 14) of registry keys associated with the executed Netsh command, providing evidence of modifications to the system's configuration.
📌 Windows Registry Audit Logs: If enabled, these logs record modifications to registry keys, offering detailed information such as the timestamp of changes, the account under which changes were made (often the SYSTEM account because of PSExec's -s switch), and the specific registry values altered or deleted.
📌 Network and Firewall Logs: Analysis of network traffic, especially the SMB traffic characteristic of PSExec use, and firewall logs on the target system can reveal connections to administrative shares and changes to the system's network configuration. These logs can be correlated with the timing of command execution, providing further context.
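The correlation the two sections above describe, run over sample events. This is an added example and not code from the post: the records are constructed, flattened Security/Sysmon events, and the field names (ts, host, provider, event_id, user, image, command_line, object, dest_port, target_object), the host names and the 120-second correlation window are assumptions. The ntdsutil rule raises severity when an ntds.dit access (4663) follows the snapshot on the same host; the PSExec rule raises severity when the -s switch is present and a special-privilege logon (4672) for the same account appears on a different host, and it attaches the SMB connection (Sysmon 3) and remote registry changes (Sysmon 12/13/14) as context.

```python
"""Correlating process, privilege, file, registry and network events for
ntdsutil.exe and PSExec.exe misuse (added example; events are constructed)."""
import re
from datetime import datetime
from typing import Dict, List

SAMPLE_EVENTS: List[Dict] = [
    # DC01: ntdsutil snapshot of the AD database, then a read of ntds.dit
    {"ts": "2024-05-01T02:10:00", "host": "DC01", "provider": "Security", "event_id": 4688,
     "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\ntdsutil.exe",
     "command_line": 'ntdsutil snapshot "activate instance ntds" create quit quit'},
    {"ts": "2024-05-01T02:11:30", "host": "DC01", "provider": "Security", "event_id": 4663,
     "user": "CORP\\svc_backup", "object": r"C:\Windows\NTDS\ntds.dit", "access": "ReadData"},
    # WS07 -> FS02: PSExec as SYSTEM deleting a portproxy entry on the remote host
    {"ts": "2024-05-01T02:15:00", "host": "WS07", "provider": "Sysmon", "event_id": 1,
     "user": "CORP\\jdoe", "image": r"C:\pstools\psexec.exe",
     "command_line": r'"C:\pstools\psexec.exe" \\FS02 -s cmd /c "netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=9999"'},
    {"ts": "2024-05-01T02:15:01", "host": "WS07", "provider": "Sysmon", "event_id": 3,
     "user": "CORP\\jdoe", "image": r"C:\pstools\psexec.exe", "dest_ip": "10.0.0.22", "dest_port": 445},
    {"ts": "2024-05-01T02:15:02", "host": "FS02", "provider": "Security", "event_id": 4672,
     "user": "CORP\\jdoe"},
    {"ts": "2024-05-01T02:15:03", "host": "FS02", "provider": "Sysmon", "event_id": 14,
     "user": "NT AUTHORITY\\SYSTEM",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/9999"},
    # Benign process creation that must not fire
    {"ts": "2024-05-01T09:30:00", "host": "WS03", "provider": "Security", "event_id": 4688,
     "user": "CORP\\admin", "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

PROCESS_CREATE = {("Security", 4688), ("Sysmon", 1)}
NTDSUTIL_SNAPSHOT = re.compile(r"snapshot.*activate instance ntds", re.IGNORECASE)
PSEXEC_SYSTEM_FLAG = re.compile(r"(^|\s)-s(\s|$)", re.IGNORECASE)


def image_name(ev: Dict) -> str:
    """Basename of the image path, lower-cased."""
    return ev.get("image", "").rsplit("\\", 1)[-1].lower()


def within(a: Dict, b: Dict, seconds: int) -> bool:
    """True when the two events are at most `seconds` apart."""
    delta = datetime.fromisoformat(b["ts"]) - datetime.fromisoformat(a["ts"])
    return abs(delta.total_seconds()) <= seconds


def detect(events: List[Dict], window: int = 120) -> List[Dict]:
    """One finding per suspicious process-creation event, with the correlated
    context events that raise its severity."""
    findings = []
    for ev in events:
        if (ev["provider"], ev["event_id"]) not in PROCESS_CREATE:
            continue
        name = image_name(ev)
        cmd = ev.get("command_line", "")
        if name == "ntdsutil.exe" and NTDSUTIL_SNAPSHOT.search(cmd):
            # 4663 on ntds.dit on the same host shortly after the snapshot
            dit_access = [x for x in events
                          if x["host"] == ev["host"] and x["event_id"] == 4663
                          and x.get("object", "").lower().endswith("ntds.dit")
                          and within(ev, x, window)]
            findings.append({"rule": "ntdsutil_snapshot", "host": ev["host"], "user": ev["user"],
                             "severity": "high" if dit_access else "medium",
                             "context_ids": [x["event_id"] for x in dit_access]})
        elif name in {"psexec.exe", "psexec64.exe"}:
            system_flag = bool(PSEXEC_SYSTEM_FLAG.search(cmd))
            # SMB connection from the same PSExec image on the source host
            smb = [x for x in events if x["provider"] == "Sysmon" and x["event_id"] == 3
                   and x.get("dest_port") == 445 and image_name(x) == name and within(ev, x, window)]
            # 4672 for the same account on a *different* host = privileged logon at the target
            privileged = [x for x in events if x["event_id"] == 4672 and x["user"] == ev["user"]
                          and x["host"] != ev["host"] and within(ev, x, window)]
            # registry add/set/delete on another host inside the window
            reg_changes = [x for x in events if x["provider"] == "Sysmon"
                           and x["event_id"] in (12, 13, 14)
                           and x["host"] != ev["host"] and within(ev, x, window)]
            severity = "high" if (system_flag and privileged) else "medium"
            findings.append({"rule": "psexec_remote_exec", "host": ev["host"], "user": ev["user"],
                             "system_flag": system_flag, "severity": severity,
                             "context_ids": sorted({x["event_id"] for x in smb + privileged + reg_changes})})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In a SIEM the same joins are expressed as correlation rules keyed on host, account and time; here they are plain list comprehensions so the logic is visible. The window and the host-mismatch condition for 4672 are what distinguish a remote PSExec session from an administrator running it locally.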
1 year ago
The Digital Hunt: Tracking LOTL in Your Network - Part III
Integrating Logs with SIEM Systems
Integrating Sysmon logs with Security Information and Event Management (SIEM) systems and applying correlation rules can significantly enhance the detection of advanced attack scenarios. This integration allows the detection process to be automated and analytics to be applied to identify complex patterns of malicious activity.
Linux and macOS Considerations
On Linux machines, enabling Auditd or Sysmon for Linux logging and integrating these logs with a SIEM platform can greatly improve the detection of anomalous activities. For macOS, tools like Santa, an open-source binary authorization system, can help monitor process executions and detect abnormal behavior by productivity applications.
Review Configurations
Regularly reviewing and updating system configurations is essential to ensure that security measures remain effective against evolving threats. This includes verifying that logging settings are configured to capture relevant data and that security controls are aligned with current best practices. Organizations should also assess the use of allowlists and other access control mechanisms to prevent the misuse of legitimate tools by malicious actors. Regular reviews of host configurations against established baselines are essential for catching indicators of compromise (IOCs) that may not be reverted through regular group policy updates. This includes changes to installed software, firewall configurations, and updates to core files such as the Hosts file, which is used for DNS resolution. Such reviews can reveal discrepancies that signal unauthorized modifications or the presence of malicious software.
📌 Bypassing Standard Event Logs: Cyber threat actors have been known to bypass standard event logs by writing directly to the registry to register services and scheduled tasks. This method does not create standard system events, making it a stealthy way to establish persistence or execute tasks without triggering alerts.
📌 System Inventory Audits: Conducting regular system inventory audits is a proactive measure to catch adversary behavior that may have been missed by event logs, whether because of incorrect event capture or because the activity occurred before logging enhancements were deployed. These audits help ensure that any changes to the system are authorized and accounted for.
Behavioral Analysis
Comparing activity against normal user behavior is key to detecting anomalies. Unusual behaviors to look out for include odd login hours, access outside of expected work schedules or holiday breaks, a rapid succession or high volume of access attempts, unusual access paths, concurrent sign-ins from multiple locations, and instances of impossible time travel.
NTDSUtil.exe and PSExec.exe
Specific attention is given to detecting misuse of NTDSUtil.exe and PSExec.exe, tools that, while legitimate, are often leveraged by attackers for malicious purposes, such as attempts to dump credentials or move laterally across the network. By focusing on the behavioral context of these tools' usage, organizations can more effectively distinguish between legitimate and malicious activities.
The Exploitation Process
A common tactic involves creating a volume shadow copy of the system drive, typically using vssadmin.exe with a command like Create Shadow /for=C:. This action captures a snapshot of the system's current state, including the Active Directory database. Following this, ntdsutil.exe is employed to interact with this shadow copy through a specific command sequence (ntdsutil snapshot "activate instance ntds" create quit quit). The attackers then access the shadow copy to extract the ntds.dit file from a specified directory. This sequence aims to retrieve sensitive credentials, such as hashed passwords, from the Active Directory, enabling full domain compromise.
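The Behavioral Analysis section above lists odd login hours, rapid successions of attempts, and impossible travel as the anomalies to watch for. This added example (not from the post) implements those three checks over constructed sign-in records. It assumes each record carries a timestamp already normalised to the user's working time zone plus geolocated source coordinates; the 07:00-20:00 weekday baseline, the five-attempts-in-60-seconds burst threshold and the 900 km/h travel ceiling are assumed values that a real deployment would take from its own baseline.

```python
"""Sign-in behavioural anomalies: off-hours access, authentication bursts and
impossible travel between consecutive sign-ins (added example; data constructed)."""
import math
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SAMPLE_SIGNINS: List[Dict] = [
    # 2024-05-06 is a Monday. jdoe: Berlin, then New York 20 minutes later
    {"user": "jdoe", "ts": "2024-05-06T09:05:00", "ip": "203.0.113.10", "lat": 52.52, "lon": 13.40, "result": "success"},
    {"user": "jdoe", "ts": "2024-05-06T09:25:00", "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01, "result": "success"},
    # asmith: a successful sign-in at 03:12
    {"user": "asmith", "ts": "2024-05-06T03:12:00", "ip": "203.0.113.44", "lat": 51.51, "lon": -0.13, "result": "success"},
    # svc_api: five failures inside 20 seconds
    *[{"user": "svc_api", "ts": f"2024-05-06T10:00:{s:02d}", "ip": "192.0.2.9", "lat": 48.86, "lon": 2.35, "result": "failure"}
      for s in (0, 5, 10, 15, 20)],
    # bob: an ordinary working-hours sign-in
    {"user": "bob", "ts": "2024-05-06T11:00:00", "ip": "203.0.113.80", "lat": 48.86, "lon": 2.35, "result": "success"},
]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_signin_anomalies(events: List[Dict], work_hours=(7, 20), burst_threshold: int = 5,
                            burst_window_s: int = 60, max_speed_kmh: float = 900.0) -> List[Dict]:
    """Return one finding per anomaly; a user's burst is reported once."""
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):      # ISO timestamps sort lexically
        by_user[ev["user"]].append({**ev, "dt": datetime.fromisoformat(ev["ts"])})

    for user, evs in by_user.items():
        # 1. Off-hours: weekend, or outside the working-hours window
        for ev in evs:
            hour, weekday = ev["dt"].hour, ev["dt"].weekday()
            if weekday >= 5 or not (work_hours[0] <= hour < work_hours[1]):
                findings.append({"rule": "off_hours", "user": user, "ts": ev["ts"]})

        # 2. Burst: sliding window over the user's attempts (success or failure)
        start, reported = 0, False
        for end in range(len(evs)):
            while (evs[end]["dt"] - evs[start]["dt"]).total_seconds() > burst_window_s:
                start += 1
            if end - start + 1 >= burst_threshold and not reported:
                findings.append({"rule": "auth_burst", "user": user,
                                 "count": end - start + 1, "ts": evs[end]["ts"]})
                reported = True

        # 3. Impossible travel: implied speed between consecutive sign-ins from different IPs
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            hours = (cur["dt"] - prev["dt"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > 0 and (hours == 0 or km / hours > max_speed_kmh):
                findings.append({"rule": "impossible_travel", "user": user,
                                 "km": round(km), "hours": round(hours, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect_signin_anomalies(SAMPLE_SIGNINS):
        print(finding)
```

The impossible-travel rule also catches concurrent sign-ins from two distant locations, since a zero or near-zero time delta with a non-zero distance exceeds any speed ceiling; the burst rule counts failures and successes alike because a password-spray that eventually lands still shows as a burst.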
1 year ago