Understanding the Ins and Outs of Living off the Land Binaries
How installed local system tools can be used against you and how to protect yourself
Living off-the-land binaries, or “LOLBins,” are not dangerous in nature, but when exploited by cyber criminals, they can wreak havoc on your systems. LOLBins are local tools installed as part of your operating system. We all have them, and we all use them. It is precisely because we all have them, and they are in everything, which makes them prime targets for utilization and exploitation by cyber criminals. Attackers who’ve compromised the system use these LOLBins to avoid downloading additional tools and be able to evade detections. Criminals also use them because most security products or alerts have difficulty discerning malicious vs. legitimate uses. Kevin Lo, an Anvilogic threat researcher, describes criminals’ use of LOLBins as this analogy. A robber breaks into your house and uses one of your kitchen knives to rob you. In this case, the knife is the LOLBins, as it was already in your home for different use and the robber is the cyber criminal.
When LOLBins Attack
Our weekly threat report often has posts about threat groups or malware that use LOLBins to avoid detection. In January 2022 a new malware, Whispergate, was using LOLBin memory codes to perform anti-analysis techniques, initiating an array of activities such as disabling and deleting Windows Defender along with additional destructive capabilities. In late November of 2021, the WIRTE group utilized living-off-the-land techniques to evade detection and use attack chains involving a phishing campaign to distribute malicious documents. When executed, a VBS script would write an embedded PowerShell command and create persistence in the registry. These are two of the many examples from our threat reports of how these groups are currently using LOLBins for criminal gain.
What the Experts are saying
Luckily, both analysts, researchers, and chief information security officers (CISO/CSO) are always watching and trying to adapt to these LOLBin threats. In our webinar, where we talked to Senior Manager of Security Operations at Rubrik, Matt Johnston, he thinks we’ve learned over the years when hunting for adversaries and they have gotten very good at hiding in the noise and using living off the land common tools and resources within our environments to use against us. Matt says the game has shifted. The right way to think of it now is to look for behaviors as just a data source. It’s up to us to figure out what we know from this perspective on the environment, and what we know from another perspective to help answer a couple of questions or give a couple of indicators.
How do we Fight Back?
So how can you help fight against infected LOLBins? Security HQ says the first step would be to ensure that your cyber workforce is well equipped with the knowledge and understanding of the behavior and its impact. The second step is to employ a tool that can detect malicious behavior such as an endpoint detection and response solution installed across the network to aid in detecting and analyzing potentially malicious code being executed on systems regardless of whether it’s trusted or not.
A Helpful Tool from Anvilogic
Another helpful tool to defend against infected LOLBins is our Anvilogic Threat Identifiers. For example, one alert triggering rundll32 is “noisy,” causing security analysts to “waste” time trying to discern through the noise, what is actually a legitimate vs. malicious use. Threat identifiers are single identifiers of potentially malicious activity, in this case, rundll32, being executed. An analyst can use the Anvilogic platform to build a sequence based on research to alert suspicious pairings of malicious activity, called a threat scenario in the platform.
Speaking of threat scenarios, check out our newest post where we discuss how the Conti Leaks emphasizes the need for detection based on threat behaviors and how to better understand and help identify specific security activities of interest.
Did getting the lowdown on LOLBins peak your cyber security interest?
There are a lot more like this post in our blog series. While you are over there, why not check out our collection of webinars, where we talk shop with some of the best in the business. And, don’t forget to sign up for our weekly threat report to keep up to date, with the latest cyber threats, news, reports, and active notifications of relevant threats to harden your security posture.