ETDA: Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Living off the Land

Names: Living off the Land, LOLBins, LOLBAS

Category: Tools

Description: (Talos) Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries, or 'LoLBins'. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

(LOLBAS Project) The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

A LOLBin/Lib/Script must:

• Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
• Have extra 'unexpected' functionality. It is not interesting to document intended use cases.
    ◦ Exceptions are application whitelisting bypasses
• Have functionality that would be useful to an APT or red team

Interesting functionality can include:

• Executing code
    ◦ Arbitrary code execution
    ◦ Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
• Compiling code
• File operations
    ◦ Downloading
    ◦ Upload
    ◦ Copy
• Persistence
    ◦ Pass-through persistence utilizing existing LOLBin
    ◦ Persistence (e.g. hide data in ADS, execute at logon)
• UAC bypass
• Credential theft
• Dumping process memory
• Surveillance (e.g. keylogger, network trace)
• Log evasion/modification
• DLL side-loading/hijacking without being relocated elsewhere in the filesystem.

Information:
<https://github.com/LOLBAS-Project/LOLBAS>
<https://lolbas-project.github.io/>
<https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html>
<https://www.microsoft.com/security/blog/2021/03/09/azure-lolbins-protecting-against-the-dual-use-of-virtual-machine-extensions/>
<https://www.darkreading.com/edge-articles/is-an-attacker-living-off-your-land->
<https://www.cybereason.com/blog/threat-hunting-from-lolbins-to-your-crown-jewels>
<https://pentera.io/blog/the-lol-isnt-so-funny-when-it-bites-you-in-the-bas/>
<https://www.darkreading.com/vulnerabilities-threats/as-lotl-attacks-evolve-so-must-defenses>

AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:lolbin>

Last change to this tool card: 06 September 2023


All groups using tool Living off the Land

APT groups

Changed | Name | Country | Observed |
--------|------|---------|----------|--
 | ↳ Subgroup: Scattered Spider | [Unknown] | 2022-Jul 2024 | X
 | Antlion | China | 2011 |
 | APT 20, Violin Panda | China | 2014-2017 |
X | APT 29, Cozy Bear, The Dukes | Russia | 2008-Jun 2024 | X
X | APT 33, Elfin, Magnallium | Iran | 2013-Apr 2024 |
X | APT 41 | China | 2012-Aug 2024 HOT | X
 | ↳ Subgroup: Earth Freybug | China | 2012 |
 | AVIVORE | China | 2015 |
 | Berserk Bear, Dragonfly 2.0 | Russia | 2015-May 2017 |
 | BlackTech, Circuit Panda, Radio Panda | China | 2010-Oct 2020 |
 | Bronze Highland | China | 2012-Jul 2024 |
 | Cadet Blizzard | Russia | 2020-Jun 2024 | X
 | Calypso | China | 2016-Aug 2021 |
 | Chafer, APT 39 | Iran | 2014-Sep 2020 | X
 | Comment Crew, APT 1 | China | 2006-May 2018 | X
 | Dark Pink | [Unknown] | 2022-Feb 2023 |
 | El Machete | [Unknown] | 2010-Mar 2022 |
 | Emissary Panda, APT 27, LuckyMouse, Bronze Union | China | 2010-Aug 2023 |
 | FIN6, Skeleton Spider | [Unknown] | 2015-Oct 2021 | X
X | Flax Typhoon | China | 2021-Nov 2023 |
 | FunnyDream | China | 2018 |
 | Gallmaker | [Unknown] | 2017 |
 | Gangnam Industrial Style | [Unknown] | 2019 |
 | Goblin Panda, Cycldek, Conimes | China | 2013-Jun 2020 |
 | Gorgon Group | Pakistan | 2017-Jul 2020 |
 | Honeybee | [Unknown] | 2017 |
 | Hydrochasma | [Unknown] | 2022 |
 | Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-Late 2022 |
X | Kimsuky, Velvet Chollima | North Korea | 2012-Sep 2024 HOT | X
X | Lazarus Group, Hidden Cobra, Labyrinth Chollima | North Korea | 2007-Sep 2024 HOT | X
 | Leviathan, APT 40, TEMP.Periscope | China | 2013-Jul 2021 | X
 | LightBasin | [Unknown] | 2016 |
 | Lotus Blossom, Spring Dragon, Thrip | China | 2012-Mar 2022 |
 | ↳ Subgroup: DEV-0270, Nemesis Kitten | Iran | 2022-Nov 2023 |
 | MuddyWater, Seedworm, TEMP.Zagros, Static Kitten | Iran | 2017-May 2024 | X
 | Naikon, Lotus Panda | China | 2010-Apr 2022 |
X | OilRig, APT 34, Helix Kitten, Chrysene | Iran | 2014-Sep 2024 HOT | X
 | OPERA1ER | [Unknown] | 2016-Jul 2023 | X
 | Operation Silent Skimmer | [Unknown] | 2022 |
 | Orangeworm | [Unknown] | 2015-Jan 2020 |
 | Platinum | China | 2009-Nov 2019 |
 | Sandworm Team, Iron Viking, Voodoo Bear | Russia | 2009-Mar 2024 | X
 | Silence, Contract Crew | [Unknown] | 2016-Aug 2022 |
X | Sofacy, APT 28, Fancy Bear, Sednit | Russia | 2004-Sep 2024 HOT | X
X | Stone Panda, APT 10, menuPass | China | 2006-Feb 2022 | X
 | TA505, Graceful Spider, Gold Evergreen | Russia | 2006-Nov 2022 | X
 | TeleBots | Russia | 2015-Oct 2020 | X
 | Temper Panda, admin@338 | China | 2014 |
 | Tonto Team, HartBeat, Karma Panda | China | 2009-Apr 2023 |
 | Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018 | X
 | Turla, Waterbug, Venomous Bear | Russia | 1996-Dec 2023 |
X | Volt Typhoon | China | 2020-Jun 2024 | X
 | Whitefly, Mofang | [Unknown] | 2012-Jul 2018 |
 | WIRTE Group | [Middle East] | 2018 |

Other groups

Changed | Name | Country | Observed |
--------|------|---------|----------|--
 | CoralRaider | Vietnam | 2023-Feb 2024 |
 | Karakurt | [Unknown] | 2021-Sep 2022 |
 | TA554 | [Unknown] | 2017 |

57 groups listed (54 APT, 3 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency