LOLBins, or "Living Off the Land Binaries," are legitimate tools shipped with operating systems such as Windows and macOS that attackers can abuse for malicious purposes. Because they are signed, trusted, and used every day by administrators, their misuse blends in with normal activity and is hard to detect. Understanding how these tools are normally used helps in identifying and mitigating their malicious use.
Affected Platform: Windows, macOS
Keypoints:
- LOLBins are pre-installed system tools that can be used maliciously.
- They allow attackers to perform actions like data exfiltration and privilege escalation.
- Detection of LOLBin attacks is challenging due to their legitimate uses.
- Understanding normal usage patterns of these tools can help identify malicious activities.
- Common LOLBins include net.exe, cmd.exe, and PowerShell.
- Fileless malware often relies on LOLBins to execute malicious code.
MITRE ATT&CK Tactics:
- TA0001 – Initial Access: Utilizing LOLBins to gain access to systems.
- TA0002 – Execution: Using net.exe to create user accounts for unauthorized access.
- TA0003 – Persistence: Employing LOLBins for maintaining access to systems.
- TA0004 – Privilege Escalation: Leveraging tools like cmd.exe to escalate privileges.
- TA0005 – Defense Evasion: Using legitimate tools to evade detection by security software.
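The keypoint about baselining normal usage and the tactic entry about net.exe account creation both come down to the same detection idea: look at who launched the LOLBin and what it was asked to do. The following is an added example, not code from the Huntress article; it runs a few such checks over constructed process-creation records (the ParentImage/Image/CommandLine fields a Sysmon Event ID 1 or EDR record carries). The baseline of expected and suspicious parent processes is an assumption for illustration and would be tuned per environment.

```python
import re

# LOLBins named on the page (plus net1.exe, which net.exe hands off to).
LOLBINS = {"net.exe", "net1.exe", "cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}

# Assumed baseline: document and browser apps should not normally spawn these binaries,
# so a LOLBin with one of these parents is a phishing-chain indicator.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "msedge.exe", "chrome.exe"}


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return the list of reasons an event looks like LOLBin abuse (empty means benign)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if image not in LOLBINS:
        return []
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    # Local account creation through net.exe / net1.exe (the TA0002 entry above).
    if image in {"net.exe", "net1.exe"} and re.search(r"\buser\b.*\s/add\b", cmd, re.I):
        reasons.append("local account creation via net.exe")
    # regsvr32 / rundll32 pointed at a remote resource instead of a local DLL.
    if image in {"regsvr32.exe", "rundll32.exe"} and re.search(r"https?://", cmd, re.I):
        reasons.append(f"{image} referencing a remote URL")
    return reasons


def scan(events):
    """Return (command line, reasons) for every event that triggers at least one check."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append((event["CommandLine"], reasons))
    return hits


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user helpdesk2 /add"},
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": "regsvr32.exe /s C:\\Program Files\\Vendor\\control.dll"},
]
```

The explorer-launched cmd.exe and the regsvr32 registration of a local DLL pass untouched, which is the point: the binary name alone is not an indicator, the context is.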
Indicators of Compromise:
- [file name] net.exe
- [file name] cmd.exe
- [file name] PowerShell
- [file name] rundll32
- [file name] regsvr32
- Check the article for all found IoCs.
Full Research: https://huntress.com/blog/detecting-malicious-use-of-lolbins