
Endpoint Standard: Which Binaries Should Be Restricted to Help Mitigate LotL Attacks?

Environment

  • Carbon Black Cloud
    • Endpoint Standard
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Microsoft Windows: All Supported Versions

Question

Which binaries and scripts are typically exploited by threat actors and should be restricted to help mitigate Living off the Land Binary (LotL/LoLBins) attacks?

Answer

  • Threat actors perform Living off the Land (LotL) attacks when they leverage legitimate executables, such as administrative and third-party tools, to perform detrimental actions against an individual or an organization.
  • Many of those administrative tools are already present on the target machine, which makes the attack considerably easier to accomplish.
  • Because many of these tools are signed by Microsoft or by reputable third-party software vendors, preventing their execution is challenging.
  • As such, Carbon Black recommends restricting execution of the binaries and scripts listed below to only those roles that absolutely require them to perform their daily operations:

Typically exploited

**\arp.exe
**\bcdedit.exe
**\bitsadmin.exe
**\cdb.exe
**\certutil.exe
**\cmdkey.exe
**\cmstp.exe
**\msbuild.exe
**\msbuild.dll
**\mshta.exe
**\msiexec.exe
**\dllhost.exe
**\dnscmd.exe
**\forfiles.exe
**\gpscript.exe
**\icacls.exe
**\installutil.exe
**\net.exe
**\net1.exe
**\netscan.exe
**\nircmd.exe
**\ntdsutil.exe
**\ntvdm.exe
**\odbcconf.exe
**\openwith.exe
**\powershell*.exe
**\powershell.exe
**\psexec.exe
**\psexesvc.exe
**\pwsh.exe
**\pcalua.exe
**\regedit.exe
**\regedt32.exe
**\regsvr32.exe
**\sc.exe
**\scriptrunner.exe
**\spoolsv.exe
**\sysinfo.exe
**\system.management.automation.dll
**\takeown.exe
**\taskkill.exe
**\vssadmin.exe
**\wbadmin.exe ← May affect backup software
**\wevtutil.exe
**\whoami.exe
**\winrm.exe
**\wmic.exe
**\wmiprvse.exe

Script interpreters and compilers

**\autoit3.exe
**\cmder.exe
**\conhost.exe ← restrict with caution
**\cacls.exe
**\csc.exe
**\cscript.exe
**\csrss.exe
**\java.exe
**\javaw.exe
**\javaws.exe
**\jsc.exe
**\lua.exe
**\mofcomp.exe
**\node.exe
**\perl.exe
**\pester.bat
**\pypy.exe
**\python.exe
**\pythonw.exe
**\regasm.exe
**\ruby.exe
**\rubyw.exe
**\tcc.exe
**\vbc.exe
**\wscript.exe

Third-party exfiltration tools and encryptors

**\7z*.exe ← May require careful testing as 7zip is widely used by users
**\aescrypt.exe
**\gpg.exe
**\nsudo.exe
**\megasync.exe
**\paexec.exe
**\rclone.exe

Infiltration tools

**\curl.exe
**\wget.exe

Additional Security Posture Hardening Recommendations

  • Limiting execution from temporary directories (%temp%), the user's application data (%appdata%) directories, and the Windows Public (C:\Users\Public) subfolders will further mitigate attacks
  • Unless absolutely required, blocking SMB listening services and ports (445, 137, 138, and 139) at the host/client level will help prevent lateral movement; see How Carbon Black Cloud Host-based Firewall Works for further information
  • It is best security practice not to expose SMB, RDP or other services to the open internet; consult your perimeter firewall vendor for configuration steps and recommendations
  • Legacy operating systems should be decommissioned; in those rare cases where end-of-life OSs are required to conduct business, they should be isolated from the rest of the production machines
  • Implement a regular cadence for security updates and patches, including reboots, since restarting the endpoints is often required for kernel patches to take effect
  • Ensure the latest Carbon Black Cloud sensor is deployed, as newer versions leverage advanced prevention rules after proper vetting
  • Restricting the execution of these binaries should be part of a multi-layer security posture and not the only control, particularly because attackers often rename these binaries
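The following is an added example, not Carbon Black's own code: a small Python simulation of how the `**\` path patterns from the lists above, together with the directory restriction from the first hardening recommendation, would classify sample process paths. The `**`/`*` matching semantics, the expansions of %temp% and %appdata%, the pattern subset and the sample paths are assumptions constructed for illustration.

```python
import re
from typing import Optional
# Representative subset of the path patterns listed above, under the article's own headings.
RULES = {
    "Typically exploited": [r"**\certutil.exe", r"**\mshta.exe", r"**\powershell*.exe", r"**\wmic.exe"],
    "Script interpreters and compilers": [r"**\cscript.exe", r"**\wscript.exe", r"**\python.exe"],
    "Third-party exfiltration tools and encryptors": [r"**\7z*.exe", r"**\rclone.exe"],
    "Infiltration tools": [r"**\curl.exe", r"**\wget.exe"],
}
# Locations the hardening recommendations say execution should be limited from.
# Assumed: %temp% and %appdata% expand to the per-user AppData paths below.
RESTRICTED_DIRS = [r"**\AppData\Local\Temp\**", r"**\AppData\Roaming\**", r"C:\Users\Public\**"]

def glob_to_regex(pattern: str) -> re.Pattern:
    """Assumed semantics: '**' spans any number of path components, '*' matches
    within a single component, and matching is case-insensitive (Windows paths)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("".join(out), re.IGNORECASE)

def classify(path: str) -> Optional[str]:
    """Article category whose pattern matches the full process path, or None."""
    for category, patterns in RULES.items():
        if any(glob_to_regex(p).fullmatch(path) for p in patterns):
            return category
    return None

def in_restricted_dir(path: str) -> bool:
    return any(glob_to_regex(p).fullmatch(path) for p in RESTRICTED_DIRS)

def evaluate(path: str) -> dict:
    # Patterns key on the file name, so a renamed LOLBin copied to a user-writable
    # directory is caught only by the location rule: that is why both layers are needed.
    return {"path": path, "category": classify(path), "restricted_dir": in_restricted_dir(path)}

# Constructed sample of process paths as a sensor might report them.
SAMPLE_PROCESS_PATHS = [
    r"C:\Windows\System32\certutil.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    r"C:\Program Files\7-Zip\7zG.exe",
    r"C:\Users\alice\AppData\Local\Temp\installer.exe",
    r"C:\Users\Public\Downloads\updater.exe",
    r"C:\Windows\System32\notepad.exe",
]
```

Running `evaluate` over `SAMPLE_PROCESS_PATHS` shows why the article pairs name-based blocking with location-based limits: the renamed binaries in the Temp and Public folders match no name pattern but still trip the location rule.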

Additional Notes

  • Carbon Black strongly recommends testing prior to rolling out rules into production. Unless extensive testing is performed prior to blocking LotL binaries and scripts, deploying these restrictive rules into production may break the operation of maintenance, administrative, backup and similar software.
  • Restricting execution of LotL binaries may generate a higher number of alerts
  • Following the "Defense in Depth" principle, system administrators should leverage the built-in sensor functionality, such as the host-based firewall, IDS, LiveQuery (to find unwanted open ports) and watchlists such as "Living Off The Land Drivers", as well as Vulnerability and Risk Evaluation, and consider adding a robust Application Control layer alongside XDR.

Article Information

Creation Date: 12-13-2023