Prevent attackers from using legitimate tools against you

Malicious actors are increasingly exploiting legitimate tools to accomplish their goals, which include disabling security measures, lateral movement, and transferring files. Using commonly available tools allows attackers to evade detection.

While custom-built tools or malware can be flagged as malicious by endpoint products, commercially available tools are often marked as clean or allow-listed by organizations. This gives attackers carte blanche to perform their activities without being noticed, as their attacks can be mistaken as part of any day-to-day operations, like IT admin work.

The relative ease with which attackers can weaponize organizations’ own software lies in the fact that IT and security personnel commonly authorize these tools in standard environments.

Third-party tools, their components, and built-in Windows tools are fair game

Tools such as GMER, PC Hunter, ProcessHacker and Defender Control, which are not inherently malicious, have been used in multiple attacks to disable or uninstall security products.

In addition, we have seen these tools in hands-on attacks, especially with ones leading to ransomware deployment. For example, my team analyzed a recent case when the actors used GMER and PC Hunter for defense evasion to deploy Play ransomware in an organization’s systems.

There have also been multiple recent cases reported where attackers are only using a component of these tools, e.g., abusable driver files of Process Explorer to disable the EDR agents.

There are also legitimate tools used for audit, AD enumeration and password recovery that attackers conveniently use to perform reconnaissance or credential dumping.

The practice of network scanning is essential for upholding network security. It involves identifying and discovering potential weaknesses and security gaps within a network to prevent unauthorized access or surveillance. However, while tools like Angry IP Scanner, Advanced Port Scanner, and Nmap enable organizations to detect and address these vulnerabilities, attackers also utilize them to seek out and exploit weaknesses.

Lately, actors have been using remote monitoring and management (RMM) software to gain access to or maintain persistence in the systems. According to our team’s telemetry, this includes commonly used RMM software such as ConnectWise Control (formerly ScreenConnect), AnyDesk, Atera and Syncro. However, attackers are fully aware that defenders monitor for these known RMMs and are continually looking for alternate options.

There was recently a case where Action1 and SimpleHelp RMM was abused to deploy ransomware.

It’s not just third-party tools that are being abused either. Attackers also try to kill or stop processes using built-in Windows processes such as taskkill or the net stop command to stop processes related to backup, which may potentially halt ransomware operations.

Attackers can use legitimate binaries or tools that are part of operating systems to carry out malicious activities. These binaries are often referred to as LOLBins (“Living off the Land Binaries”). Some commonly used LOLBins are WMIC, PowerShell, Microsoft HTA engine (mshta.exe), and certutil. LOLBins can be used to conduct a variety of actions, such as running malicious code, performing file operations like downloading, uploading, and copying files, and stealing passwords.

Keep up your guard and gain a good understanding of what you have

As time passes, we will no doubt see attackers get increasingly creative with how they abuse legitimate tools, and AI will no doubt play a huge role in helping defenders detect and contain these attacks.

But what remedial actions can you and your organization take now?

• Create and keep an up-to-date list of your organization’s software inventory based on business and operational requirements and ensure they are continuously monitored. Any existing tools not deemed necessary should be evaluated for removal
• Restrict the usage of tools that can help attackers exploit systems. If an employee wants to use these tools, their use should be approved for a limited duration (via application control policies)
• Discover and record the baseline (usual) activity on the workstations; abnormal usage of such tools should be flagged. For example, the sudden appearance and use of multiple admin tools should raise suspicions
• Use regularly patched and updated tools to prevent potential vulnerabilities in these software applications from being exploited for malicious purposes.