Earlier time, cybercriminals depend more on the malware files, scripts, VBscripts to achieve their course of action. Modern ay cyber threat
In every system, there are Trusted Binaries, Scripts and Library files are available for the purpose of system communications. But cybercriminals use this genuine utility in such a way where the defense systems fail to stop this behavior. These binaries, scripts, and libraries cannot be blocked since they are valid and might leads to system crash if they are deleted.
Attackers can be using these utilities to perform; Code execution, downloading files Bypassing UAC, Compiling
The goal of the attacker in most times, to blend into systems to avoid raising red alarms in SOC and give themselves more time to move laterally in the network,
“Living off the land” was coined by Matt Graeber & Oddvar Moe and the main intension of this project is to understand what binaries were the attackers abuse to carry out malicious activities.
- LOLBins – Living Off The Land Binaries
- LOLScripts – Living Off The Land Scripts
- LOLLibs – Living Off The Land Libraries
- GTFOBins – Unix Platform Binaries
Why it is critical?
Security Researcher Pierre-Alexandre Braeken pointed out, “Traditional antivirus or even endpoint detection and response (EDR) products won’t always be able to detect this kind of attack. And if they do but the analysts are not aware of this, they could miss a threat happening in their network.”
Let’s see an example:
“Certutil.exe” is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.
Attackers POV: Certutil is a great little binary that can download remote files, create certificates, or encode files. Not only can this built-in exe encode a file to base64, It can also encode into hex. When encoding to b64, it includes the certificate header and footer, which one may find convincing.
Conclusion
We are seeing many APT threat actors are using LOLBins for their activity. Mitre ATT&CK already having some functionality details and this project requires more contribution towards finding more new binaries using by threat actors. So the threat hunting teams and the
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.