Have you ever heard the phrase “the enemy is within”? Well, that’s exactly what Living Off the Land Binary (LOLBins) is all about. They’re like the wolf in sheep’s clothing that hides in plain sight as innocent-looking files on your computer but are used by hackers to carry out malicious attacks. It’s a sneaky tactic and one that can cause serious harm to your personal or professional data.
However, don’t worry. Understanding LOLBins doesn’t have to be complicated. It’s like learning to spot a pickpocket in a crowded street – once you know what to look for, you can protect yourself and your assets. So if you want to stay one step ahead of cyber criminals and keep your information safe, it’s time to get familiar with LOLBins.
What are LOLbins?
LOLbin, in full, Living Off the Land Binary is a term coined by malware researchers Christopher Campbell and Matt Greaber. It is meant to explain using the trusted, pre-installed system tools to spread malware and carry out their work. LOLBin is a term that refers to executables that are a part of the operating system (OS) and can be exploited to support an attack.
This concept can extend the use of libraries, scripts, and software, including the Living-off-the-Land Binaries, Scripts, and Libraries (LOLBAS). Living-off-the-Land (LOLs) are legitimate utilities, such as the previously well-known Windows programs powershell.exe, bitsadmin.exe, certutil.exe, and psexec.exe. Some examples of LOLbins include Command line, Windows Management Instrumentation, and Powershell.
Image Credit: blog.talosintelligence.com
Different threat actors use LoLBins in combination with fileless malware and reliable cloud services to increase their chances of evading detection inside a company, typically during post-exploitation assault phases. In addition to LOLBins, which employ Windows binaries to conceal harmful activities, LOLbins, which use libraries, and LOLScripts, which use scripts, there are several other sorts of LOL methods.
Nevertheless, executables uploaded by users for lawful purposes may be misused as a LOLBin, especially if they are a component of a widespread or frequently used installation of third-party software. Whether the executable is present on the system before the malware attack is more important than the LOLBin’s place of origin in explaining it.
How Can Attackers Use LolBins?
Generally, attackers can use LOLbins to:
- Download and install malicious code
- Execute malicious code
- Bypass UAC
- Bypass application control such as Windows Defender Application Control (WDAC)
Attackers might be able to target other utilities, which are often pre-installed by system manufacturers and might be found during reconnaissance. These executables may be signed utilities like updaters, configuration software, and third-party drivers.
LOLbins usage is often combined with legitimate cloud services such as GitHub, Pastebin, Amazon S3 storage, and cloud drives like Dropbox, Box, and Google Drive. By leveraging legitimate cloud services for malicious code storage, command and control (C2) infrastructure, and data exfiltration, attackers’ operations are more likely to go unnoticed because the generated traffic is identical to that generated by uncompromised systems.
How Do Attackers Use LOLBins In Fileless Attacks?
Although there is some misunderstanding about what exactly qualifies an assault as “fileless,” there has been an increase in fileless attacks in recent years. Such attacks may still be launched using documents like email attachments, and they may still leave behind files like persistence agents. However, what differentiates them from file-based attacks is that the code is executed in memory.
Fileless malware is a malware type that exists as a memory-based artifact with no or minimum activity written to the hard drive. The primary concept behind a fileless attack is that code execution occurs in memory instead of by launching a process that runs code compiled from a source file. This fileless malware doesn’t install malicious software, making it difficult for regular AV tools to detect.
As a result, a system cannot be scanned for malicious binaries or executable files to find the attack. Furthermore, incident responders and threat hunters may not be able to find much or any evidence of the attack after a reboot has cleared memory.
Image Credit: sidechannel.blog
The payload may then employ various LOLBins, such as WMI (Windows Management Instrumentation), to run code that enables persistence, opens a backdoor, or connects to a C2 server to exfiltrate data other things. Attacks that use files may be paired with other dangers like ransomware and keyloggers.
Why are Security Researchers Concerned about LOLbins?
LOLBins present an issue since they are a legitimate component of the environment that can be forced to carry out the threat actors’ tasks. Of course, some LOLBins, like PowerShell, are well-known and may be restricted or shut down to prevent abuse. However, it’s impractical to keep track of every legitimate executable on the system and its capabilities and whether or not it might be used maliciously.
Operating systems have many integrated binaries that are always being updated or added to with new functionality and a huge number of widely-used third-party software in the enterprise setting whose full functionality may not be documented.
Security practitioners are constantly researching to find new or unknown LOLBins before attackers do. But, even if it is located, there is still the issue of how to handle the usage of that legitimate tool to ensure it is being used solely for that purpose.
How to Detect and Mitigate the Use of LOLbins
Image Credit: res.armor.com
LOLbins are sophisticated threats; detection needs advanced tools since they can remain undetected.
Although automated security solutions such as firewalls, Endpoint Detection and Response (EDR), and antivirus products can detect many malicious activities and attacks, only a threat intelligence team using a proactive approach can uncover some techniques and malicious behavior patterns. For instance, living off land binaries (LOLbins) executions that use legitimate tools for malicious purposes might need a human eye to get the best results.
It is difficult for security controls that don’t monitor process behavior to protect against the abuse of LOLbins combined with fileless code. The parent-child relationship of the launched processes and anomalies in network activity of processes not normally linked with network communication can be used to detect misuse. It is recommended that organizations configure their systems for centralized logging so that threat-hunting teams can perform additional analytics.
Finding and stopping this malicious activity is tricky. To prevent non-root users from running these commands, mitigation techniques based on MITRE ATT&CK guidelines include using AppLocker methods or controlling permissions. This would involve determining what services from HR to IT are and are not essential to the specific operation.
What’s Next after Detection?
You should keep in mind that LOLBins use binaries that are local to the computer. This means that these processes are easily detectable. The idea is to focus on the process behavior as opposed to its origins and be aware that certain processes and application behaviors should be avoided. It is also a fantastic approach to test your knowledge of common actions of these services. It will assist you in detecting unusual behavior.
Ensure your threat intelligence team is well-equipped with the knowledge and understanding of this behavior and its impact. Next, employ a tool to detect malicious activity, such as an EDR solution installed across the network. This would help to detect and analyze potentially malicious code getting executed on systems regardless if it’s trusted it not.
Conclusion on LOLbins
Image Credit: threatpost.com
In today’s digital age, cybersecurity is more important than ever. Living Off the Land Binary (LOLBins) may sound like a technical term, but understanding what they are and how they can be used is crucial in keeping yourself and your data safe from cyber-attacks. It’s like knowing how to lock your doors and windows at night – a basic precaution that can make all the difference in protecting your home.
So whether you’re a casual computer user or a cybersecurity professional, learning about LOLBins is a smart investment in your digital security. Keep in mind that the best defense is a good offense, and with knowledge about LOLBins on your side, you’ll be well-equipped to stay ahead of the game.