How to prevent attackers from using Windows against you

Attackers use standard Microsoft components such as DLLs or PowerShell to avoid detection. These tips will make such "living off the land" attacks harder to execute.


One of the topics covered in a recent RSA Conference presentation was how attackers use the victim's own Windows operating system against them to avoid detection. This concept of "living off the land" (LotL), the use of binaries, DLLs and other code that is already on the system, makes systems harder to protect: the tooling is signed by Microsoft, expected to be present, and rarely blocked or alerted on.

These binaries are either part of the default Microsoft operating system installation or downloaded from Microsoft. A binary can also have interesting or unintended functionality such as persistence, User Account Control (UAC) bypass, credential theft or other capabilities that are significant to attackers. You can review the documented attacks and uses of these binaries on the LOLBAS (Living Off The Land Binaries and Scripts) site.

For example, attackers can use the rpcping command to capture credentials. It sends a remote procedure call (RPC) test connection to the server named with -s, and with -u NTLM it authenticates using NT LAN Manager (NTLM), so the client sends its NTLM challenge-response to that server in the process. Pointed at an attacker-controlled listener, the command rpcping -s <server> -e 1234 -a privacy -u NTLM hands the attacker the user's NetNTLM response, which can be cracked offline or relayed to another host.

Another example often used in attacks is a tool intended to protect and patch systems. Background Intelligent Transfer Service (BITS) is used by Microsoft to deliver and manage updates. Attackers use BITS (typically through bitsadmin.exe) to download malicious files, write to alternate data streams, or copy and execute files.

Preventing living-off-the-land attacks

How can you defend against this? Larger organizations with security teams can use their red and blue team resources. Normally, the red team emulates attackers to identify flaws or weaknesses in systems. The blue team defends against attackers and improves the company's security settings and posture.

Your firm should then use a purple team that blends the resources of the blue and red teams so that everyone learns the attack sequences. This coordination between the two teams helps the firm recognize attacks as they unfold and get the appropriate alerts in place.

Next, judicious use of application whitelisting is key to preventing LotL attacks. AppLocker, available in Windows 10 Enterprise (and Education), can be configured so that only the applications you approve are allowed to run. Bear in mind that the default AppLocker rules allow everything under the Windows and Program Files folders, which is exactly where LOLBins live, so known binaries such as rpcping.exe and bitsadmin.exe need explicit deny rules; in AppLocker, a deny rule always wins over an allow rule.

Just as UAC is a means of training application developers to stop demanding local administrator rights, locking the operating system down so that it runs only approved binaries is a goal many strive for, but not all can get there.
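As an added example (not from the article), here is one way to build the explicit deny rules for known LOLBins as an AppLocker policy fragment, test it against a binary, and merge it into the local policy in audit mode first. The binary list and the output file path are assumptions; AppLocker needs Windows 10 Enterprise or Education and the Application Identity service.

```powershell
# Added example, not from the article: generate an AppLocker policy fragment
# that denies a few known LOLBins, test it, then merge it in audit mode.
# The binary list is illustrative (assumption); extend it from the LOLBAS project.
$lolbins = @(
    '%SYSTEM32%\rpcping.exe',
    '%SYSTEM32%\bitsadmin.exe'
)

# One FilePathRule per binary. S-1-1-0 is the Everyone SID.
$rules = foreach ($path in $lolbins) {
    $id   = [guid]::NewGuid()
    $name = "Deny LOLBin: $(Split-Path -Path $path -Leaf)"
@"
    <FilePathRule Id="$id" Name="$name" Description="Known living-off-the-land binary" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

# AuditOnly records what *would* have been blocked (event 8003 in the
# "AppLocker/EXE and DLL" log) without breaking anything. Switch the
# collection to Enabled once the audit log shows no legitimate use.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path -Path $env:TEMP -ChildPath 'lolbin-deny.xml'   # assumed location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: ask AppLocker how it would treat rpcping.exe under this policy
# (PolicyDecision and MatchingRule show which rule fired).
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:SystemRoot\System32\rpcping.exe" -User Everyone |
    Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize

# Merge into the existing local policy rather than replacing it: once an Exe
# collection contains any rule, everything not explicitly allowed is blocked,
# so the default allow rules must stay in place. Enforcement requires the
# Application Identity service (AppIDSvc) to be running.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Run the audit for a few weeks before switching EnforcementMode to Enabled, and watch the 8003 events for administrators or deployment tooling that legitimately call these binaries.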

PowerShell is another tool on the operating system that attackers can abuse. To protect yourself from malicious PowerShell scripts, first set your PowerShell execution policy to allow only signed scripts. Note that execution policy is a guardrail against running scripts by accident, not a security boundary: it is only checked when a .ps1 file is run, not for commands passed on the command line or via -EncodedCommand, so the logging settings that follow matter at least as much. Follow these steps to set the Group Policy that controls PowerShell:

  1. Go to “Computer Configuration”.
  2. Go to “Policies”.
  3. Go to “Administrative Templates” and then “Windows Components”.
  4. Go to “Windows PowerShell” and look for a setting called “Turn on Script Execution”.
  5. Turn on “Enabled” and choose “Allow only signed scripts”.
[Screenshot: the "Turn on Script Execution" policy set to Enabled with "Allow only signed scripts"]

Also enable the policies for Module Logging, PowerShell Script Block Logging and PowerShell Transcription to gain increased fidelity into what occurs during execution. Once they are on, review the logs after ordinary administrative use of PowerShell in your environment so you know what normal looks like before you go hunting for anomalies.
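The following is an added example (not the article's own) that applies the same settings as the Group Policy steps above by writing the policy registry keys the GPO itself writes, so the configuration can be scripted and audited on a machine. Run it elevated; the transcript output share is an assumption.

```powershell
# Added example, not from the article: set the PowerShell execution policy and
# logging via the Group Policy registry keys. Run elevated.
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = '\\logserver\pstranscripts$'   # assumption: a write-only share attackers cannot read back

function Set-PolicyValue {
    param(
        [string]$Key,
        [string]$Name,
        $Value,
        [string]$Type = 'DWord'   # registry value kind: DWord or String here
    )
    if (-not (Test-Path -Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# "Turn on Script Execution" = Enabled, "Allow only signed scripts"
Set-PolicyValue -Key $ps -Name 'EnableScripts'   -Value 1
Set-PolicyValue -Key $ps -Name 'ExecutionPolicy' -Value 'AllSigned' -Type 'String'

# Module Logging for every module (pipeline execution events, ID 4103)
Set-PolicyValue -Key "$ps\ModuleLogging"             -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -Key "$ps\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type 'String'

# Script Block Logging (event 4104 carries the script text after de-obfuscation)
Set-PolicyValue -Key "$ps\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1

# Transcription to a central location, with the invocation header for timestamps
Set-PolicyValue -Key "$ps\Transcription" -Name 'EnableTranscripting'    -Value 1
Set-PolicyValue -Key "$ps\Transcription" -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -Key "$ps\Transcription" -Name 'OutputDirectory' -Value $transcriptDir -Type 'String'

# Verify: the MachinePolicy scope should now read AllSigned, and it overrides
# every lower scope, including -ExecutionPolicy on the command line.
Get-ExecutionPolicy -List

# Caveat: execution policy only governs script files. Both of these still run
# under AllSigned, which is why the logging above is the real control:
#   Get-Content .\unsigned.ps1 | powershell.exe -Command -
#   powershell.exe -EncodedCommand <base64 of the script text>
```

Both the bypasses shown in the comment and any signed script still produce 4103/4104 events and a transcript, so the logging keeps working even when the execution policy does not.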

[Screenshot: Module Logging, Script Block Logging and Transcription policies set to Enabled]

Many security sites recommend removing PowerShell from systems where it is not needed, but I feel you should do so only as a last resort, and only on systems you will not need to interact with after they have been deployed. Removing PowerShell completely from a system impacts your ability to administer and control it.

Rather, I'd urge you to take a page from Microsoft's recommendations for securing PowerShell:

  • Deploy PowerShell v5.1 (or newer), built into Windows 10. Alternatively, you can deploy the Windows Management Framework, available down to and including Windows 7 and Windows Server 2008 R2.
  • Enable and collect PowerShell logs, optionally including Protected Event Logging. Incorporate these logs into your signatures, hunting, and incident response workflows.
  • Implement Just Enough Administration on high-value systems to eliminate or reduce unconstrained administrative access to those systems.
  • Deploy Device Guard/Application Control policies to allow pre-approved administrative tasks to use the full capability of the PowerShell language, while limiting interactive and unapproved use to a limited subset of the PowerShell language.
  • Deploy Windows 10 to give your antivirus provider full access to all content (including content generated or de-obfuscated at runtime) processed by Windows Scripting Hosts including PowerShell.
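To put "review what is normal" and "incorporate these logs into your hunting" into practice, here is an added example (not from the article or from Microsoft) that reads script block events (ID 4104) from the local PowerShell Operational log and flags blocks containing common attacker indicators, including the two LOLBins discussed earlier. The indicator list is an assumption to be tuned against your own baseline.

```powershell
# Added example, not from the article: first-pass hunt over Script Block Logging
# (event 4104) to separate "normal" PowerShell from suspicious activity.
# The indicator list is illustrative (assumption); tune it to your baseline.
$indicators = @(
    'FromBase64String',                                 # inline decoding of a payload
    '-EncodedCommand',                                  # re-spawning PowerShell with an encoded script
    'DownloadString', 'Net.WebClient', 'Invoke-WebRequest',  # fetch-and-run patterns
    'Invoke-Expression',
    'bitsadmin', 'Start-BitsTransfer', 'rpcping',       # LOLBins discussed in this article
    '-ExecutionPolicy Bypass', '-WindowStyle Hidden'
)

function Get-SuspiciousScriptBlocks {
    param(
        [int]$Days = 7,
        [string[]]$Indicators = $indicators
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Each 4104 event carries MessageNumber/MessageTotal (long scripts are split
    # across several events), ScriptBlockText, ScriptBlockId and Path.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $text = [string]$data['ScriptBlockText']

        # -like is case-insensitive, which matches PowerShell's own case folding
        $hits = $Indicators | Where-Object { $text -like "*$_*" }
        if ($hits) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId            # SID of the account that ran the block
                Path    = $data['Path']        # empty for interactive or -Command use: itself a signal
                Hits    = ($hits -join ', ')
                Snippet = ($text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

# Usage: newest first, wrapped so the snippet is readable
Get-SuspiciousScriptBlocks -Days 7 | Sort-Object -Property Time -Descending | Format-Table -AutoSize -Wrap
```

An empty Path with indicator hits means the code arrived on the command line or through a downloader rather than as a file on disk, which is the shape most LotL PowerShell takes; an administrator's own tooling will show up here too, which is exactly the baseline the article asks you to establish before alerting.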

Just Enough Administration (JEA) is a security technology that enables delegated administration for anything managed by PowerShell: users connect to a constrained remoting endpoint that exposes only the specific cmdlets, parameters and parameter values their role needs, without holding administrator credentials themselves.
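As an added example (not from the article), here is a minimal JEA endpoint of the kind the recommendation above describes: a helpdesk group is allowed to restart one service and query services, nothing else, and never receives local administrator rights. The group name, endpoint name, module name and transcript path are assumptions; run it elevated on the target server.

```powershell
# Added example, not from the article: a minimal JEA endpoint for a helpdesk
# role. Names (group, endpoint, module) and paths are assumptions.
$moduleName = 'HelpdeskJEA'
$moduleRoot = Join-Path -Path $env:ProgramFiles -ChildPath "WindowsPowerShell\Modules\$moduleName"
$roleDir    = Join-Path -Path $moduleRoot -ChildPath 'RoleCapabilities'   # JEA discovers .psrc files here
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path -Path $moduleRoot -ChildPath "$moduleName.psd1")

# 1. Role capability: the complete list of what this role may run.
#    Restart-Service is pinned to a single service name via ValidateSet, so the
#    role cannot restart arbitrary services; Get-Service exposes only -Name.
New-PSRoleCapabilityFile -Path (Join-Path -Path $roleDir -ChildPath 'ServiceOperator.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler' } },
        @{ Name = 'Get-Service';     Parameters = @{ Name = 'Name' } }
    )

# 2. Session configuration: RestrictedRemoteServer puts the session in
#    NoLanguage mode, RunAsVirtualAccount runs commands under a temporary
#    privileged account instead of the caller's token, and every session is
#    transcribed for the blue team.
$sessionConfig = Join-Path -Path $env:ProgramData -ChildPath 'Helpdesk.pssc'
New-PSSessionConfigurationFile -Path $sessionConfig `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory (Join-Path -Path $env:ProgramData -ChildPath 'JEATranscripts') `
    -RoleDefinitions @{ 'CONTOSO\Helpdesk' = @{ RoleCapabilities = 'ServiceOperator' } }

# 3. Validate, then register the endpoint (this restarts the WinRM service).
if (-not (Test-PSSessionConfigurationFile -Path $sessionConfig)) {
    throw "Session configuration file $sessionConfig is invalid"
}
Register-PSSessionConfiguration -Name 'Helpdesk' -Path $sessionConfig -Force | Out-Null

# Helpdesk users connect with their ordinary, non-admin account and see only
# the commands granted above:
#   Enter-PSSession -ComputerName <server> -ConfigurationName Helpdesk
#   Restart-Service -Name Spooler
# Anything outside the role, such as Restart-Service -Name W32Time or any
# scripting construct, is rejected by the endpoint.
```

The caller's own account never gains administrator membership, so a compromised helpdesk credential yields only the role's commands, and the transcript directory gives responders a complete record of what was run through the endpoint.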

Finally, consider upgrading to Windows 10 E5 or Microsoft 365 E5, which include Windows Defender Advanced Threat Protection (ATP). ATP lets you review activity on the system to determine what is normal and what is not. Make no mistake, understanding what an operating system is doing can be difficult.

[Screenshot: ATP view of process activity on the operating system]

Take the time to understand what is normal on your systems and in your network. It will go a long way to protect your systems.


Copyright © 2020 IDG Communications, Inc.
