LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes

LOLBAS

Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities.

“LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes,” Pentera security researcher Nir Chako said. “This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities.”

To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute “more robust malware” on infected hosts.

This includes: MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe.

“In a complete attack chain, a hacker will use a LOLBAS downloader to download more robust malware,” Chako said. “Then, they will try to execute it in a stealthy way. LOLBAS executors allow attackers to execute their malicious tools as part of a legitimate looking process tree on the system.”

LOLBAS

That said, Pentera noted that attackers could also use other executables from software outside of those related to Microsoft to achieve similar goals.

The findings come as Vectra disclosed a potential new attack vector that leverages Microsoft Entra ID (previously Azure Active Directory) cross-tenant synchronization (CTS) feature to facilitate lateral movement to other tenants assuming a privileged identity has already been compromised in the cloud environment.

Binaries and Scripts

“An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant,” the company said. Alternatively, “an attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.”



Original Source



A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

 To keep up to date follow us on the below channels.