Names | Living off the Land LOLBins LOLBAS | |
Category | Tools | |
Description | (Talos) Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries — or 'LoLBins'. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases. Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers. (LOLBAS Project) The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques. A LOLBin/Lib/Script must: • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft. • Have extra 'unexpected' functionality. It is not interesting to document intended use cases. o Exceptions are application whitelisting bypasses • Have functionality that would be useful to an APT or red team Interesting functionality can include: • Executing code o Arbitrary code execution o Pass-through execution of other programs (unsigned) or scripts (via a LOLBin) • Compiling code • File operations o Downloading o Upload o Copy • Persistence o Pass-through persistence utilizing existing LOLBin o Persistence (e.g. hide data in ADS, execute at logon) • UAC bypass • Credential theft • Dumping process memory • Surveillance (e.g. keylogger, network trace) • Log evasion/modification • DLL side-loading/hijacking without being relocated elsewhere in the filesystem. | |
Information | <https://github.com/LOLBAS-Project/LOLBAS> <https://lolbas-project.github.io/> <https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html> <https://www.microsoft.com/security/blog/2021/03/09/azure-lolbins-protecting-against-the-dual-use-of-virtual-machine-extensions/> <https://www.darkreading.com/edge-articles/is-an-attacker-living-off-your-land-> <https://www.cybereason.com/blog/threat-hunting-from-lolbins-to-your-crown-jewels> <https://pentera.io/blog/the-lol-isnt-so-funny-when-it-bites-you-in-the-bas/> <https://www.darkreading.com/vulnerabilities-threats/as-lotl-attacks-evolve-so-must-defenses> | |
AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:lolbin> |
Last change to this tool card: 06 September 2023
Download this tool card in JSON format
57 groups listed (54 APT, 3 other, 0 unknown)
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |