Earlier time, cybercriminals depend more on the malware files, scripts, VBscripts to achieve their course of action. Modern ay cyber threat actors, depends more on abusing the genuine windows system files and achieve their goal in persistence, defense evasion, lateral movement and more.

In every system, there are Trusted Binaries, Scripts and Library files are available for the purpose of system communications. But cybercriminals use this genuine utility in such a way where the defense systems fail to stop this behavior. These binaries, scripts, and libraries cannot be blocked since they are valid and might leads to system crash if they are deleted.

Attackers can be using these utilities to perform; Code execution, downloading files Bypassing UAC, Compiling code, Process dumping, Keylogging, Log evading, Hijacking of DLL, persistence, pass-through execution.

Motive of abusing LOLBins make it possible for attackers to bypass defensive countermeasures such as application whitelisting, security monitoring, and antivirus software with a reduced chance of being detected.

The goal of the attacker in most times, to blend into systems to avoid raising red alarms in SOC and give themselves more time to move laterally in the network, condut actions, steal data. PowerShell and WMI are far from the only trusted applications with the potential for abuse, however recently researchers found more binaries which can be abused for the attack purpose.

“Living off the land” was coined by Matt Graeber & Oddvar Moe and the main intension of this project is to understand what binaries were the attackers abuse to carry out malicious activities.

  • LOLBins – Living Off The Land Binaries
  • LOLScripts – Living Off The Land Scripts
  • LOLLibs – Living Off The Land Libraries
  • GTFOBins – Unix Platform Binaries

Why it is critical?

Security Researcher Pierre-Alexandre Braeken pointed out, “Traditional antivirus or even endpoint detection and response (EDR) products won’t always be able to detect this kind of attack. And if they do but the analysts are not aware of this, they could miss a threat happening in their network.”

Let’s see an example:

Certutil.exe” is a command-line program that is installed as part of Certificate Services. You can use Certutil.exe to dump and display certification authority (CA) configuration information, configure Certificate Services, backup and restore CA components, and verify certificates, key pairs, and certificate chains.

Attackers POV: Certutil is a great little binary that can download remote files, create certificates, or encode files. Not only can this built-in exe encode a file to base64, It can also encode into hex. When encoding to b64, it includes the certificate header and footer, which one may find convincing.


Conclusion

We are seeing many APT threat actors are using LOLBins for their activity. Mitre ATT&CK already having some functionality details and this project requires more contribution towards finding more new binaries using by threat actors. So the threat hunting teams and the SOC teams should understand the LOLBins and GTFOBins.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Bhuvanesh Prabhakaran is a CyberSec enthusiast, Blogger, Author, Security Writer at GBHackers on security. [Working 8hours as a Security Operation Center - L3 Incident Handler. ] [Contributing 16hours as a Cyber Security Defense Strategist | Sharing Knowledge on various branches of CyberSec | Proactively creating models/infographic for Cyber Incidents and Remediations | Areas of Interest: Cyber Threat Hunting | Cyber Threat Intelligence OSINT | Cyber Kill Defense Strategies | APT Defense Mechanisms | Malware Attribute Research | Trending Cyber Attacks and their operational behaviors.] [Active on Peerlyst | LinkedIn | Gbhackers | PulseDrive | OtxAlienVault | App.Any.Run.]