Oct 02, 2019 Jason Keogh

LOLBAS attack: prevention is easier than a cure


Fear the walking dead: an update on the recent malware campaign that is putting you at risk.

“Zombie Attack.” “Malware that can’t be detected.” There is a lot of hype at the moment about Nodersok/Divergent and its LOLBAS (Living Off the Land Binaries and Scripts) relatives.

These attacks use existing, legitimate, “good” software such as PowerShell to do bad things, like turning your PC into a “zombie” bot. Nodersok, for instance, arrives as an HTA file run by mshta.exe, uses PowerShell to switch off defences, then drops Node.js and a packet-capture driver to turn the infected machine into a proxy for the attacker’s traffic. In principle, preventing these variants, their predecessors and any future LOLBAS malware that leverages PowerShell, Command Prompt, RDP and similar “good” technology is simple: stop PowerShell, cmd, RDP and the rest from running when nobody authorized needs them. The caveat is that the control has to cover every signed binary the campaign abuses (mshta.exe as well as powershell.exe in Nodersok’s case), not just the one in the headlines.

Therein lies the rub.

IT Security and IT Operations teams are often at odds. IT Operations can’t disable PowerShell everywhere, nor RDP or most of the other technologies abused by malware authors, because they rely on those same tools to maintain the machines in their care.

So there is a simple technological approach to the risk, but IT Operations is not willing to make the changes it requires. IT Security understands the reasons why, yet the inability of IT Operations to minimize the risk still causes friction between the departments.

IT Operations typically don’t object to disabling PowerShell, RDP, etc. in principle.

The issue is being unable to start and use those tools when they are needed, especially in an emergency that demands a rapid response. The tools in the typical IT team’s arsenal for “blacklisting” binaries and blocking protocols (usually Group Policy driven) are simply not real-time: a policy change can take a refresh cycle to reach a device, which is too slow to provide the level of control needed. Many of them also rely on PowerShell and the other targeted technologies in order to run at all.

Take Nodersok as a current example.

In one stage of its execution it uses PowerShell to try to disable Windows Defender. Default Guaranteed State functionality in 1E Tachyon would alert when this happens and can react to something stopping Defender by automatically restarting it. Going one step further, customers can use the latest “blacklisting” functionality in Tachyon to blacklist PowerShell itself. Tachyon blacklisting brings several advantages to this scenario:

  1. PowerShell can be enabled in real time, so that authorized users can run it as and when needed, enabling and disabling it at will for any online device, even those not on the corporate network or connected via VPN.
  2. PowerShell scripts can be added as “Resources” to Tachyon instructions. Once bundled in this way, they can still be run, on-demand, through Tachyon – by authorized users, against the devices they are allowed to control.
  3. PowerShell access can be scheduled so that a named user can run PowerShell on specified devices from a specified time for a specific time period.

You can apply the same approach to Command Prompt access, RDP and privilege elevation in general, all with full audit logging.
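As an added illustration of the Defender-disabling step described above (example code written for this page, not 1E Tachyon’s own implementation), the following PowerShell does the two things a guaranteed-state check needs: it searches PowerShell ScriptBlock logging (Event ID 4104) for commands that switch Defender off, and it inspects and restores the WinDefend service, real-time and behaviour monitoring, and the DisableAntiSpyware policy value. The tamper regexes and the sample script-block text are constructed for the example; they are not taken from Nodersok’s actual payload.

```powershell
# Added example, not 1E Tachyon code: a "guaranteed state" style check for
# Windows Defender in plain PowerShell. Run elevated on Windows 10 / Server 2016+
# with the Defender module present.

# --- Part 1: look for the tampering attempt in ScriptBlock logging ----------
# Regexes for commands a LOLBAS dropper might use to switch Defender off.
# ASSUMPTION: illustrative indicators, not a transcript of Nodersok's script.
$TamperPatterns = @(
    'Set-MpPreference\s+.*-DisableRealtimeMonitoring\s+\$?true',
    'Set-MpPreference\s+.*-DisableBehaviorMonitoring\s+\$?true',
    'Add-MpPreference\s+.*-ExclusionPath',
    'DisableAntiSpyware',
    'Stop-Service\s+.*WinDefend',
    'sc(\.exe)?\s+(stop|config)\s+WinDefend'
)

function Find-DefenderTampering {
    # Returns one object per script block that matches any tamper pattern.
    param([string[]]$ScriptBlocks)
    foreach ($block in $ScriptBlocks) {
        foreach ($pattern in $TamperPatterns) {
            if ($block -match $pattern) {
                [pscustomobject]@{ Pattern = $pattern; ScriptBlock = $block.Trim() }
                break   # exits the inner loop: report each block once
            }
        }
    }
}

# Event 4104 (Microsoft-Windows-PowerShell/Operational) carries the script text
# in Properties[2]. Nothing is returned unless ScriptBlock logging is enabled.
$recentBlocks = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | ForEach-Object { [string]$_.Properties[2].Value }

# Constructed sample script blocks (not captured data) so the detector can be
# exercised on a machine without ScriptBlock logging turned on.
$SampleBlocks = @(
    'Set-MpPreference -DisableRealtimeMonitoring $true; Set-MpPreference -DisableBehaviorMonitoring $true',
    'Get-ChildItem C:\Users | Measure-Object',
    'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1'
)

# --- Part 2: inspect and restore the Defender state -------------------------
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

function Get-DefenderState {
    # Get-MpComputerStatus fails when the service is down; treat that as "off".
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRunning  = ((Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status -eq 'Running')
        RealTimeEnabled = [bool]$status.RealTimeProtectionEnabled
        BehaviorEnabled = [bool]$status.BehaviorMonitorEnabled
        PolicyDisabled  = ($policy.DisableAntiSpyware -eq 1)
    }
}

function Restore-DefenderState {
    # Puts each drifted setting back and returns the list of actions taken.
    # Order matters: clear the policy first, then start the service, then the
    # preferences (Set-MpPreference needs the service up).
    $state   = Get-DefenderState
    $actions = @()
    if ($state.PolicyDisabled) {
        Remove-ItemProperty -Path $PolicyKey -Name DisableAntiSpyware
        $actions += 'removed DisableAntiSpyware policy value'
    }
    if (-not $state.ServiceRunning) {
        Start-Service -Name WinDefend
        $actions += 'started WinDefend'
    }
    if (-not $state.RealTimeEnabled) {
        Set-MpPreference -DisableRealtimeMonitoring $false
        $actions += 'enabled real-time monitoring'
    }
    if (-not $state.BehaviorEnabled) {
        Set-MpPreference -DisableBehaviorMonitoring $false
        $actions += 'enabled behaviour monitoring'
    }
    $actions
}

# --- Run --------------------------------------------------------------------
Write-Host 'Detector against constructed samples (blocks 1 and 3 should be flagged):'
Find-DefenderTampering -ScriptBlocks $SampleBlocks | Format-Table -AutoSize

Write-Host 'Detector against the last 24h of 4104 events:'
Find-DefenderTampering -ScriptBlocks @($recentBlocks) | Format-Table -AutoSize

Write-Host 'Current state:'
Get-DefenderState | Format-List

$done = Restore-DefenderState
if ($done) { Write-Host "Remediated: $($done -join '; ')" } else { Write-Host 'Defender already in the desired state' }
```

Two practical notes. The live 4104 query only returns data if ScriptBlock logging is enabled (Group Policy: Turn on PowerShell Script Block Logging), so the constructed samples are there to prove the regexes fire. And on Windows 10 builds with Tamper Protection enabled, Set-MpPreference changes made from a script are rejected, the attacker’s as well as yours, so the restore path quietly does less than it claims; check the returned state after running it. Either way this is a polling check that puts things right after the fact, which is exactly the gap the post is describing: blocking PowerShell from launching prevents the step, whereas a state check can only undo it.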

There is a practical, implementable way to massively reduce the risk of falling victim to previously unseen malware or a LOLBAS attack. Now that you know about it, are you willing to take the next step and try it out?

To ensure you’re practicing proper security hygiene, download the full eBook now.