ETDA Electronic Transactions Development Agency

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Living off the Land

Names: Living off the Land, LOLBins, LOLBAS
Category: Tools
Description: (Talos) Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries — or 'LoLBins'. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

(LOLBAS Project) The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

A LOLBin/Lib/Script must:

• Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
• Have extra 'unexpected' functionality. It is not interesting to document intended use cases.
  o Exceptions are application whitelisting bypasses.
• Have functionality that would be useful to an APT or red team.

Interesting functionality can include:

• Executing code
  o Arbitrary code execution
  o Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
• Compiling code
• File operations
  o Downloading
  o Upload
  o Copy
• Persistence
  o Pass-through persistence utilizing an existing LOLBin
  o Persistence (e.g. hide data in ADS, execute at logon)
• UAC bypass
• Credential theft
• Dumping process memory
• Surveillance (e.g. keylogger, network trace)
• Log evasion/modification
• DLL side-loading/hijacking without being relocated elsewhere in the filesystem
Information:
<https://github.com/LOLBAS-Project/LOLBAS>
<https://lolbas-project.github.io/>
<https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html>
<https://www.microsoft.com/security/blog/2021/03/09/azure-lolbins-protecting-against-the-dual-use-of-virtual-machine-extensions/>
<https://www.darkreading.com/edge-articles/is-an-attacker-living-off-your-land->
<https://www.cybereason.com/blog/threat-hunting-from-lolbins-to-your-crown-jewels>
<https://pentera.io/blog/the-lol-isnt-so-funny-when-it-bites-you-in-the-bas/>
<https://www.darkreading.com/vulnerabilities-threats/as-lotl-attacks-evolve-so-must-defenses>

AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:lolbin>

Last change to this tool card: 06 September 2023


All groups using tool Living off the Land

Changed | Name | Country | Observed

APT groups

X | ↳ Subgroup: Scattered Spider | [Unknown] | 2022-Sep 2023
  | Antlion | China | 2011
X | APT 20, Violin Panda | China | 2014-2017
X | APT 29, Cozy Bear, The Dukes | Russia | 2008-Jan 2024 HOT X
X | APT 33, Elfin, Magnallium | Iran | 2013-Nov 2023
X | APT 41 | China | 2012-Feb 2023 X
  | AVIVORE | China | 2015
  | Berserk Bear, Dragonfly 2.0 | Russia | 2015-May 2017
X | BlackTech, Circuit Panda, Radio Panda | China | 2010-Oct 2020
X | Bronze Highland | China | 2012-Sep 2023
X | Cadet Blizzard | Russia | 2020-Jan 2022
  | Calypso | China | 2016-Aug 2021
X | Chafer, APT 39 | Iran | 2014-Sep 2020 X
  | Comment Crew, APT 1 | China | 2006-May 2018 X
X | Dark Pink | [Unknown] | 2022-Feb 2023
  | El Machete | [Unknown] | 2010-Mar 2022
X | Emissary Panda, APT 27, LuckyMouse, Bronze Union | China | 2010-Aug 2023
  | FIN6, Skeleton Spider | [Unknown] | 2015-Oct 2021 X
  | Flax Typhoon | China | 2021
  | FunnyDream | China | 2018
  | Gallmaker | [Unknown] | 2017
  | Gangnam Industrial Style | [Unknown] | 2019
  | Goblin Panda, Cycldek, Conimes | China | 2013-Jun 2020
X | Gorgon Group | Pakistan | 2017-Jul 2020
  | Honeybee | [Unknown] | 2017
  | Hydrochasma | [Unknown] | 2022
X | Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-Late 2022
X | Kimsuky, Velvet Chollima | North Korea | 2012-Mar 2024 HOT X
X | Lazarus Group, Hidden Cobra, Labyrinth Chollima | North Korea | 2007-Feb 2024 HOT X
  | Leviathan, APT 40, TEMP.Periscope | China | 2013-Jul 2021 X
X | LightBasin | [Unknown] | 2016
X | Lotus Blossom, Spring Dragon, Thrip | China | 2012-Mar 2022
X | ↳ Subgroup: DEV-0270, Nemesis Kitten | Iran | 2022-Nov 2023
X | MuddyWater, Seedworm, TEMP.Zagros, Static Kitten | Iran | 2017-Nov 2023 X
  | Naikon, Lotus Panda | China | 2010-Apr 2022
X | OilRig, APT 34, Helix Kitten, Chrysene | Iran | 2014-Aug 2023 X
  | OPERA1ER | [Unknown] | 2016-Jul 2023 X
  | Operation Silent Skimmer | [Unknown] | 2022
  | Orangeworm | [Unknown] | 2015-Jan 2020
  | Platinum | China | 2009-Nov 2019
X | Sandworm Team, Iron Viking, Voodoo Bear | Russia | 2009-May 2023 X
  | Silence, Contract Crew | [Unknown] | 2016-Aug 2022
X | Sofacy, APT 28, Fancy Bear, Sednit | Russia | 2004-Feb 2024 HOT X
X | Stone Panda, APT 10, menuPass | China | 2006-Feb 2022 X
  | TA505, Graceful Spider, Gold Evergreen | Russia | 2006-Nov 2022 X
  | TeleBots | Russia | 2015-Oct 2020 X
  | Temper Panda, admin@338 | China | 2014
  | Tonto Team, HartBeat, Karma Panda | China | 2009-Apr 2023
  | Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018 X
X | Turla, Waterbug, Venomous Bear | Russia | 1996-Dec 2023 HOT
X | Volt Typhoon | China | 2020-Dec 2023 HOT X
  | Whitefly, Mofang | [Unknown] | 2012-Jul 2018
X | WIRTE Group | [Middle East] | 2018

Other groups

  | Karakurt | [Unknown] | 2021-Sep 2022
  | TA554 | [Unknown] | 2017

55 groups listed (53 APT, 2 other, 0 unknown)

Digital Service Security Center, Electronic Transactions Development Agency

Report incidents: Telephone +66 (0)2-123-1227