Overview of TIR-20210313
This report spotlights three recently reported Azure living-off-the-land binaries (LoLBins) that could be used by attackers to evade detection while escalating privileges and performing other malicious activities on a targeted network. Because of the threat posed by an attacker accessing these legitimate tools, it is critical that admins take the appropriate precautionary actions to ensure that any unauthorized account access or process manipulation is quickly detected and mitigated.
Tactics, Techniques, and Procedures
Living-off-the-land binaries (LoLBins) are legitimate tools that can be utilized by a threat actor to evade detection while performing malicious activities such as downloading or executing malicious code. Because of this, it is important to take appropriate security measures to ensure that these legitimate processes are not hijacked.
Security researcher Ram Pliskin stated:
“The usage of LoLBins is frequently seen, mostly combined with fileless attacks, where attacker payloads surreptitiously persist within the memory of compromised processes and perform a wide range of malicious activities. Together with the use of legitimate LoLBins, attackers’ activities are more likely to remain undetected.”
Microsoft reported that they have observed the following Azure LoLBins being used by threat actors:
- Custom Script Extension
The Custom Script Extension is used for downloading and executing scripts on Azure Virtual Machines. This extension is commonly used for post-deployment configuration and management tasks. In the observed cases of abuse, this software was used to fetch an executable to mine cryptocurrency.
- VMAccess Extension
The VMAccess extension can be used to manage administrative accounts, RDP service configurations and SSH keys. It also provides recovery features such as resetting the administrative password of a virtual machine (VM). This is one of the most accessible extensions listed because its user interface (UI) is available from the Azure Portal. After initial access, an attacker could use the VMAccess extension for privilege escalation and further unauthorized actions on services and user accounts.
- Anti-Malware extension for Windows
Microsoft Antimalware Extension for Windows is a background tool used to detect and take action on malicious software. Security researchers stated that if the Anti-Malware extension were accessed by an attacker, it could be used to disable security protection to perform malicious activities without being detected.
One of the best ways to reduce the risk of unauthorized manipulation of legitimate processes is to implement the principle of least privilege (POLP). Ensure that only the minimum access needed for necessary tasks is granted to all entities. Carefully adjusted access controls limit the opportunity for threat actors to move laterally through your network. Having predetermined access controls in place will help shorten the gap between the introduction and detection of suspicious activity.
“To mitigate Azure LoLBins usage, you should follow the least privilege principle to ensure that anyone who wants to perform a given task using VM extensions meets the minimum required access.
“A least privilege model for the cloud relies on the ability to continuously adjust access controls,” Pliskin added. “We recommend monitoring all access events and establish a decision-making framework that distinguishes between legitimate and excessive permissions.”
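One way to apply the monitoring recommendation above, as an added example that is not from the original report or from Microsoft: the function flags VM extension write and delete operations made by identities outside an approved set. The record fields are a simplified form of Azure Activity Log entries, and the sample events, caller names and `approved_callers` allowlist are constructed assumptions.

```python
import re

# Control-plane operations that add, change or remove a VM extension.
EXTENSION_OPS = {
    "microsoft.compute/virtualmachines/extensions/write",
    "microsoft.compute/virtualmachines/extensions/delete",
}
# Assumption: name fragments for the three extensions in this report. The resource
# name is chosen at deployment, so this is a label only, never the filter.
WATCHED = {"customscript": "Custom Script", "vmaccess": "VMAccess", "antimalware": "Antimalware"}
RESOURCE_RE = re.compile(r"/virtualMachines/([^/]+)/extensions/([^/]+)$", re.I)

def flag_extension_changes(events, approved_callers):
    """Return extension changes made by identities outside the approved set."""
    approved = {c.lower() for c in approved_callers}
    findings = []
    for ev in events:
        op = ev.get("operationName", "")
        match = RESOURCE_RE.search(ev.get("resourceId", ""))
        if op.lower() not in EXTENSION_OPS or not match:
            continue
        caller = ev.get("caller", "").lower()
        if caller in approved:  # a record with no caller is never approved
            continue
        vm, ext = match.groups()
        label = next((v for k, v in WATCHED.items() if k in ext.lower()), "other")
        findings.append({"time": ev.get("eventTimestamp"), "caller": caller or "unknown", "vm": vm,
                         "extension": ext, "watched": label, "action": op.rsplit("/", 1)[-1]})
    return findings

# Constructed sample records (simplified Activity Log fields, placeholder IDs).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/"
OP = "Microsoft.Compute/virtualMachines/extensions/"
SAMPLE_EVENTS = [
    {"eventTimestamp": "2021-03-10T08:00:00Z", "caller": "deploy-pipeline@example.com",
     "operationName": OP + "write", "resourceId": VM + "web01/extensions/CustomScriptExtension"},
    {"eventTimestamp": "2021-03-10T09:14:00Z", "caller": "helpdesk1@example.com",
     "operationName": OP + "write", "resourceId": VM + "web01/extensions/CustomScriptExtension"},
    {"eventTimestamp": "2021-03-10T09:20:00Z", "caller": "helpdesk1@example.com",
     "operationName": OP + "write", "resourceId": VM + "db01/extensions/enablevmaccess"},
    {"eventTimestamp": "2021-03-10T09:31:00Z",
     "operationName": OP + "delete", "resourceId": VM + "db01/extensions/IaaSAntimalware"},
    {"eventTimestamp": "2021-03-10T09:40:00Z", "caller": "helpdesk1@example.com",
     "operationName": "Microsoft.Compute/virtualMachines/start/action", "resourceId": VM + "db01"},
]

for finding in flag_extension_changes(SAMPLE_EVENTS, {"deploy-pipeline@example.com"}):
    print(finding)
```

Filtering on the operation and caller rather than on the extension name means a renamed extension resource is still reported, with `watched` set to `other`.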
Business Unit Impact
- Could result in an attacker gaining access to company assets and the exfiltration of sensitive company data.
The Windows Finger command is rarely used in modern business environments. Because of this, it is suggested that administrators block finger.exe on their network if it is not needed for legitimate business use. The implementation of employee security awareness training is also recommended to reduce the threat of a phishing attack.
- Microsoft Security Blog:
- Bleeping Computer:
- Custom Script Extension for Windows:
- Microsoft Antimalware Extension for Windows:
- Virtual machine extensions and features for Windows:
MITRE ATT&CK Techniques:
- Signed Binary Proxy Execution (T1218): https://attack.mitre.org/techniques/T1218/
- Phishing (T1566): https://attack.mitre.org/techniques/T1566/
- File and Directory Discovery (T1083): https://attack.mitre.org/techniques/T1083/
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.