Control OS Utilities on Your Endpoints before Adversaries Hurt You with Them

Living off the land (LOL) malware techniques, which represent roughly 35% of enterprise attacks, use legitimate operating system (OS) utilities already on targeted hosts to breach enterprises. If they were simply removed, the remaining attack surface would be radically reduced. Unfortunately, doing so can severely impact your IT/Sec-Ops, users, applications, and the OS itself. Detection-based defenses (e.g., EDR) struggle mightily with these LOL malware techniques. This blog post provides non-technical folk an introduction to this challenge, including high-level pros and cons of some remedies.

Blog summary:

  • Detection-based endpoint protection against LOL attacks often fails
  • Can’t live with them (LOLbins); Can’t live without them (OS Utilities)
  • Prohibit OS Utilities or Allow LOLbins? There are Middle Options
  • Script Engines: if Prohibiting is Unacceptable, what then?
  • Maintenance Windows can be Problematic for Small Organizations
  • Pros/Cons of LOLbin Attack Surface Reduction Options
  • AppGuard Reduces LOLbin Risks, Gives IT/Sec-Ops Flexibility
  • More on AppGuard Mitigating Risks from OS Utilities Yet Affording IT/Sec-Ops Flexibility

Detection-based Endpoint Protection against LOL Attacks often Fails

LOL attacks often evade other detection defenses, such as signature and heuristic. Behavioral detection-based defenses (a.k.a., EDR) reliably identify simple LOL techniques and swiftly react to them. These are high statistical confidence matches. However, EDR is fooled by LOL techniques mimicking legitimate workflows, operating in memory only, and/or introducing time-delays between attack stages so one stage is not associated with another to form a pattern. These represent statistical confidence matches too low for automated response and require costly human expertise to investigate and respond. Behavioral detection is certainly an improvement for the roughly 40% of enterprises that have adopted it.

Can’t Live with them (LOLbins); Can’t Live without them (OS Utilities)

In Windows, disabling WMI would cripple the OS. End-users that must run macros and scripts via Microsoft Office would be impacted if select OS utilities were prohibited. Most IT/Sec-Ops personnel depend on PowerShell. However, cyber defenders refer to these useful OS utilities as “LOLbins”, which cyber adversaries weaponize against the enterprise.

Prohibit OS Utilities or Allow LOLbins? There are Middle Options 

Symantec reported an observation that 80% of OS utility usage was legitimate. Completely prohibiting OS utilities clearly impacts legitimate operations. Not restricting them at all allows the other 20% of observed usage as LOLbins that harm the enterprise. 

Generally, the enterprise needs options in between ‘allow all’ and ‘prohibit all’ such as:

  • Restrict use to demonstrably trustworthy uses when needed
  • Restrict allowed actions when in use

Blocking OS utility post-launch actions significantly reduces attack surface but does not completely eliminate risk. Prohibiting a utility is safest. However, when security and operation needs disagree, these ‘in-between’ options are best.

The following bullets in this sub-section might not interest you but would appeal to your tech people:

  • Allow select Apps and their child processes to use select OS utilities
  • Temporarily suspend some or all controls under specific circumstances

For restricting OS utility post-launch actions after they start running, controls should block: 

  • Read/write sensitive folders or registry keys
  • Read/write memory of other Apps
  • Launch of high-risk Apps (or none at all)

Script Engines: if Prohibiting is Unacceptable, what then?

Script engines such as PowerShell, CMD, WMI, Visual Basic, Bash/shell, Python, PHP, and others are the Swiss Army knives of OS utilities. They can do just about anything. To do so, they need to ingest instructions that can either be entered into a user interface or read from a script file. Adversaries routinely use script engines to perform malicious actions. 

Enterprises that reduce the attack surface from script engines prohibit them from running (selectively or always) and/or deny script engines read access to script files in high-risk folders. The latter is far more common than the former. 

As for “in-between'' options, some enterprises use OS settings to limit what script engines can do. We believe less than 1% of enterprises have and use Application Control tools to limit what actions script engines can do, such as perform write operations into sensitive folders, registry keys, or the memory of other applications. Some such tools can also restrict what OS utilities that script engines can launch. 

Maintenance Windows can be Problematic for Small Organizations

IT/Sec-Ops use maintenance windows to make major changes to endpoints, usually while protections are disabled to avoid interference. These allow IT/Sec-Ops to use any OS utility to do whatever. Large organizations often have sufficient redundancy to accommodate taking servers offline; smaller ones often do not. Laptops and desktops pose additional challenges. Some attack surface reduction tools allow OS utility use without disabling all controls. Some can temporarily disable all protection controls on-demand (i.e., discrete triggers). Be sure your IT/Sec-Ops people consider their use-cases when selecting such tools. 

Pros/Cons of LOLbin Attack Surface Reduction Options

Using OS Settings
  • Many valuable possibilities
  • More fine-grained controls than other options
  • Adversaries can alter/delete settings
Application Control Tools
  • On/off prohibitions
  • Cannot control or are too difficult to control once LOLbins are running
  • Onerous tool to deploy and maintain; low enterprise adoption
Isolation/Containment Tools
  • Few tools are available that restrict LOLbin actions
  • Not all tools accommodate legitimate operations (App update, patch, plug-ins, conditional LOLbin use, etc.) without maintenance windows
EDR/EPP Tools
  • Terminate LOLbins IF malicious behavior is recognized
  • Some attacks disable EDR
  • Non-detection capabilities, if used, tend to require maintenance windows to allow system changes
  • Reacting to LOLbin attacks often requires manual remediation

AppGuard Reduces LOLbin Risks, Gives IT/Sec-Ops Flexibility

AppGuard can selectively and conditionally prohibit OS utilities (a.k.a., LOLbins) so users and IT/Sec-Ops can use them when needed but adversaries cannot. 

As for “in-between” options, AppGuard can apply containment policies to script engines or other OS utilities that limit what they can do instead of prohibiting them entirely. Additionally, if your IT/Sec-Ops are using OS settings to limit the actions of OS utilities, AppGuard can apply isolation policies to them so adversaries cannot alter them. If there are use-cases where AppGuard policies allow select IT/Sec-Ops tools to do whatever they want are not flexible enough, AppGuard provides ways for IT/Sec-Ops and power users to temporarily disable protections to make system changes.

AppGuard is an excellent complement to EDR/EPP tools. They do what they do best: detect what can be detected. AppGuard blocks attacks for which detection-pattern data does not yet exist in the cyber community. Instead of looking for bad behavior, AppGuard allows only good behavior. AppGuard does so by compartmentalizing endpoints with launch, containment, and isolation controls. Metaphorically, imagine that malware is a car that must drive from point A to point B along a zig-zag path passing through different neighborhoods (i.e., legitimate applications and OS utilities). AppGuard would be the concrete barriers and gates that do not allow the malware car to get to point B. Malware is blocked without having to recognize it. EPP/EDR tools only succeed if and when attacks are recognized, making AppGuard an excellent complement. 

More on AppGuard Mitigating Risks from OS Utilities Yet Affording IT/Sec-Ops Flexibility

Selective OS Utility Prohibition
  • AppGuard policy prohibits select OS utilities
  • AppGuard policy can designate exceptions where specified Apps can use prohibited OS utilities, these exceptions can be inherited by child processes to simplify policy and administration
  • Example: IT-Ops used SCCM to run PowerShell script for 10 minutes on all laptops. In this window, one user opens a weaponized document that tries and fails to use PowerShell
  • Example: a1.exe is designated an exception, but a2.exe and a3.exe are not; a1.exe launches a2.exe, which launches a3.exe. Both a2.exe and a3.exe inherit from a1.exe; they can all run prohibited OS utilities
Conditional Suspension of Protections
  • AppGuard provides administrators and designated Apps means to temporarily suspend protections in different ways to accommodate different situations
  • Example: xyz.exe App can be designated in policy to suspend protections, perform major system changes, and then re-enable protections, which might last seconds or minutes instead of an entire maintenance window of hours
Containment of OS Utilities
  • When prohibiting is too disruptive, AppGuard can apply containment policies that restrict what OS utilities can do
  • Containment policies restrict read/write operations for up to six dimensions: file, registry, memory, child processes, process privilege, and communication
  • Example: cscript.exe and wscript.exe containment blocks malware technique actions but user documents and files that require Visual Basic work as needed 
Isolation of OS Settings
  • AppGuard isolation rules prevent adversaries from altering OS settings that IT/Sec-Ops personnel set to lockdown computers
  • Example: registry ‘Run’ keys cannot be altered to trigger scripts or executables at host startup; only select Apps and their child processes (if desired) can do so