What Are LOLBINS/LOLBAS?
Living Off the Land Binaries and Scripts (LOLBAS) is a technique used by adversaries and red teamers alike to abuse and misuse built-in binaries and scripts in order to execute malicious payloads on a target. LOLBAS is also a great open source project that catalogues the known binaries which provide these resources to adversaries. The perk of these LOLBAS tools and executables is that they are built into the operating system and are typically signed by Microsoft, which allows adversaries to evade EDRs and other security tooling. We will look at several examples, along with detections that improve security and make living off the land more difficult for would-be attackers. The five techniques shown below are easy to test with SCYTHE and provide a baseline for LOLBAS detections.
Rundll32.exe is built into Windows operating systems. It allows a normal, unprivileged user to execute DLLs by providing the path to the DLL and the EntryPoint of the function. The EntryPoint can be found by clicking Download Campaign Client in the Campaign View of SCYTHE.
The default EntryPoint for the campaign is AbsoluteClientMain. This can be executed from a PowerShell or Windows Command Prompt by running the following command.
Regsvr32.exe is also built into every version of Windows. It allows normal, unprivileged users to register and unregister DLLs. In order to execute this, the DLL EntryPoint must be named ‘DllRegisterServer’. Similar to the previous technique, this EntryPoint can be found by clicking Download Campaign Client in the Campaign View of SCYTHE. Since the EntryPoint needs to be changed to ‘DllRegisterServer’, it can be copied and pasted over the default.
- Sigma: Windows Suspicious Regsvr32 Anomalies
- Sigma: Sysmon Regsvr32 Network Activity
- Sigma: DNS Query RegSvr32 Network Activity
- Sigma: Win Suspicious RegSvr32 Flags Anomaly
- Sigma: Sysmon Suspicious CLR Logs
ConHost.exe is built into every version of Windows. It allows normal, unprivileged users to execute a malicious payload as a child process of conhost.exe. There is nothing specifically needed on SCYTHE’s side to use this command. You can download the 32-bit or 64-bit executable file from the SCYTHE server and execute it as follows.
- Sigma: Process Creation Windows Suspicious ConHost
Forfiles.exe is built into Windows. It allows normal, unprivileged users to execute a malicious executable file as a part of batch-processing large amounts of data. This is created as a child process of forfiles. There is nothing specifically needed on SCYTHE’s side to use this command. You can download the 32-bit or 64-bit executable from the SCYTHE server and execute it as follows.
forfiles /p c:\windows\system32 /m notepad.exe /c c:\path\to\scythe.exe
- Sigma: Windows Indirect Command
Last, but certainly not least, is Mavinject.exe. This legitimate Windows binary is used to inject DLLs into running processes. It can be used by adversaries to inject malicious payloads into legitimate running processes. In order to execute this, the DLL EntryPoint must be named ‘DllMain’. The menu to change the EntryPoint can be found by clicking Download Campaign Client in the Campaign View of SCYTHE.
mavinject.exe PID /INJECTRUNNING /path/to/scythe.dll
These five examples of LOLBAS techniques are great for providing new or veteran purple teams with coverage of popular execution methods, as well as SIGMA detections for them. By monitoring and detecting these LOLBAS techniques, you increase the level of the Pyramid of Pain for would-be adversaries. These LOLBAS detections can be modified to your environment with tools such as Uncoder.
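The parent-child and command-line traits described for the five binaries can be checked directly against process-creation logs. The Python below is an added example, not SCYTHE's code and not the Sigma rules listed above: the event records are constructed, the field names are assumed to follow Sysmon Event ID 1, and the rule names and the "DLL outside the Windows directory" heuristic are hypothetical choices made for illustration.

```python
import ntpath
import re

# Matches a quoted or bare *.dll argument on a command line.
DLL_ARG = re.compile(r'"([^"]+\.dll)"|([^\s",]+\.dll)', re.IGNORECASE)
# Parent images whose child process, per the post, is the payload.
PARENT_RULES = {"conhost.exe": "conhost_child", "forfiles.exe": "forfiles_child"}
# Signed hosts that load a DLL named on their command line.
DLL_HOST_RULES = {"rundll32.exe": "rundll32_dll_outside_windows",
                  "regsvr32.exe": "regsvr32_dll_outside_windows"}

def base(path):
    return ntpath.basename(path).lower()  # ntpath parses Windows paths on any OS

def dll_outside_windows(cmdline):
    """True if a DLL argument names an explicit directory outside the Windows directory."""
    for quoted, bare in DLL_ARG.findall(cmdline):
        folder = ntpath.dirname(quoted or bare).lower().replace("/", "\\")
        if folder and not (folder + "\\").startswith("c:\\windows\\"):
            return True
    return False  # bare names such as shell32.dll resolve via the search path

def classify(event):
    """Return the names of the heuristics that match one process-creation event."""
    image, parent = base(event["Image"]), base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in PARENT_RULES:
        hits.append(PARENT_RULES[parent])
    if image == "mavinject.exe" and "/injectrunning" in cmd.lower():
        hits.append("mavinject_injectrunning")
    if image in DLL_HOST_RULES and dll_outside_windows(cmd):
        hits.append(DLL_HOST_RULES[image])
    return hits

# Constructed sample events; the PID and all paths are placeholders.
SYS = "C:\\Windows\\System32\\"
EVENTS = [
    {"Image": SYS + "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"Image": SYS + "rundll32.exe", "ParentImage": SYS + "cmd.exe", "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Image": SYS + "rundll32.exe", "ParentImage": SYS + "cmd.exe", "CommandLine": "rundll32.exe C:\\path\\to\\scythe.dll,AbsoluteClientMain"},
    {"Image": "C:\\path\\to\\scythe.exe", "ParentImage": SYS + "forfiles.exe", "CommandLine": "c:\\path\\to\\scythe.exe"},
    {"Image": "C:\\path\\to\\scythe.exe", "ParentImage": SYS + "conhost.exe", "CommandLine": "C:\\path\\to\\scythe.exe"},
    {"Image": SYS + "mavinject.exe", "ParentImage": SYS + "cmd.exe", "CommandLine": "mavinject.exe 4172 /INJECTRUNNING /path/to/scythe.dll"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(classify(ev) or "-", "|", ev["CommandLine"])
```

The parent-based rules will also fire on legitimate forfiles batch jobs, so baseline them against your environment before alerting.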
This blog post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.