Living off the land means using resources that are already on the machine, as opposed to bringing external or homemade tools onto the target device. The LOTL technique uses native tools, which can make intrusion detection difficult since they leave minimal footprints and are often considered trusted.
These native binaries can also be used to break out of restricted shells; catalogued examples exist for both Unix (GTFOBins) and Windows (LOLBAS).
I had previously seen how replacing utilman.exe with cmd.exe could grant an administrator-level command prompt from outside Windows, and the video showed another replacement action in a similar fashion. Grzegorz's example, which John covers in the video, shows how the native program tpmtool spawns cmd.exe, which in turn calls logman.exe in an unsafe way. The way this executes is similar to "binary planting" and "DLL hijacking": the computer is simply tricked into executing something other than what was intended.
This is how he demonstrated the technique:
With Procmon64 actively gathering information about processes, the command "tpmtool drivertracing stop" was run in cmd, which resulted in an error. He then filtered the results down to tpmtool, the process he was investigating, and ran the command in cmd again. This showed that tpmtool opens another cmd.exe window in a "Process Create" operation.
Another filter for cmd.exe was also applied, which showed both a Process Create and a Process Start; according to the event properties, this starts yet another program from cmd, named logman, and it is this program that could theoretically be replaced with something else.
The reason this exploit works is that logman.exe is invoked with no directory specified: you are essentially telling the computer to look for a program with that name wherever it is currently looking, and the working directory is checked before the real copy in System32. If another exe file is placed in the working directory of the initial cmd ("C:\Users\username") and renamed to logman.exe, then the next time "tpmtool drivertracing stop" runs in cmd, it calls the fake logman.exe instead.
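Because the whole attack hinges on a trusted process resolving a bare "logman.exe" name in an untrusted directory, the same Procmon trace that revealed it can be used to detect it. The following is an added example for hunting over a Procmon CSV export; it is not code from the post or the video, and the sample rows, the column layout of a default Procmon CSV save and the command-line details are constructed for illustration:

```python
import csv
import io
import ntpath

# Directories where Windows keeps the genuine copies of its system binaries.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Binary names a search-order hijack would impersonate. logman.exe is the one
# tpmtool invokes without a path; extend this set from your own baseline.
SYSTEM_BINARIES = {"logman.exe"}

def _under_trusted_dir(path):
    """True if the image lives in one of the trusted system directories."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)

def scan_procmon_csv(csv_text):
    """Scan a Procmon CSV export and return (signal, process, path) findings.

    probe   - a process looked for a system binary name in an untrusted
              directory and did not find it (a hijack opportunity)
    planted - a process actually started a system binary name from an
              untrusted directory (a hijack in progress)
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if ntpath.basename(path).lower() not in SYSTEM_BINARIES:
            continue
        if _under_trusted_dir(path):
            continue
        if row["Operation"] == "Process Create":
            findings.append(("planted", row["Process Name"], path))
        elif row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            findings.append(("probe", row["Process Name"], path))
    return findings

# Constructed sample rows in the default Procmon CSV column layout. The
# command lines are placeholders, not the real arguments tpmtool passes.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","tpmtool.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5216, Command line: cmd /c logman ..."
"10:01:02.2000000","cmd.exe","5216","CreateFile","C:\Users\username\logman.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3000000","cmd.exe","5216","Process Create","C:\Windows\System32\logman.exe","SUCCESS","PID: 6100, Command line: logman ..."
"10:05:00.0000000","cmd.exe","7000","Process Create","C:\Users\username\logman.exe","SUCCESS","PID: 7100, Command line: logman ..."
'''

if __name__ == "__main__":
    for signal, proc, path in scan_procmon_csv(SAMPLE):
        print(signal, proc, path)
```

The "probe" signal is the one worth alerting on before anything is planted: a system process checking a user-writable directory for a system binary name is exactly the condition the post describes.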
For more information on how to use Process Monitor, I have written another post covering some basics here.