LOLBins / LOLBas
What are LOLBins?
Contrary to unpopular belief. LOLBins are not shorthand for laughing bins.
LOLBins is the abbreviated term for Living Off the Land Binaries. Living Off the Land Binaries are binaries of a non-malicious nature, local to the operating system, that have been utilised and exploited by cyber criminals and crime groups to camouflage their malicious activity.
Initially, LOLBins were commonly used in a post-exploitation basis, to gain persistence or escalate privileges. However, the local system binaries or the preinstalled tools on a machine are now being used to bypass detection and aid in malware delivery. Which means that malicious actors can use these LOLBins to achieve their goals, without relying on specific code or files.
LOLBins are often Microsoft signed binaries. Such as Certutil, Windows Management Instrumentation Command-line (WMIC). They can be used for a range of attacks, including executing code, to performing file operations (downloading, uploading, copying, etc.), to stealing passwords.
TA505 - APT
The Cybercrime group by the name of TA505, for instance, have used LOLBins in the past to bypass windows detection and deliver their ServHelper malware via a spear phishing campaign targeting Brazilian entities.
The group were able to make a connection to their command-and-control server using the msiexec.exe binary being executed by a macro in Microsoft Excel to download the 1st stage of payload.
See the image below from Bleeping Computer.
CertUtil.exe
The Certutil binary is a great way to demonstrate the use of LOLBins in malware delivery.
First, let’s get into what Certificate Authorities (CA’s) are.
CAs are known as the Certificate Authority that act as a trusted third-party that issues certificates that contain information about the private key, which corresponds to the relevant public key.
Certutil is a command-line utility that can be used to manipulate certificate services on Windows machines. And, more importantly, it’s local to the system. It enables users to verify, encode, decode, and download files. This function (or similar) can be exploited by attackers to mimic actions like those of a network admin, trying to troubleshoot or make changes to system configurations.
The typical flow of getting a malicious file onto a user’s machine using Certutil will utilise the URL-cache and decode options from Certutil.
1. Actor encodes malicious doc with base64.
2. Uses Certutil URL cache to download from C2 server.
3. Uses Certutil decode to decode the file from base64 and output to a specified file type.
Examples
This technique will bypass detection from the system security by encoding the content in the file in base64. Certutil can now be used to decode the malicious file locally.
Hacked. Now you have a malicious file on your system sat undetected. Cool, right?
Detection and Mitigation
Finding and stopping this behaviour is tricky.
Mitigation tactics based on MITRE ATT&CK recommendations are to employ AppLocker mechanisms or managing permissions to prevent non-root users running these commands. This would involve nailing what services are and aren’t necessary to the specific operation, be it anything from HR to IT.
However, there is a fine balance to be had with whitelisting, you don’t want to disrupt day-to-day operations, but you don’t want to keep everything free flowing!
Final thoughts
It's important to remember that LOLBins are using binaries LOCAL to the machine. This means processes can be detected easily. The key is worrying and being cautions about the process behaviour instead of its origin.
It is also a good way to test your knowledge on common behaviours of these services! Useful for detecting abnormal activity on the host.
The workforce should be well-equipped with the knowledge and understanding of this abnormal behaviour and the impact it can have to a host and/or the network.
Employing a tool that can detect malicious behaviour such as an EDR solution installed across the network will certainly aid the team with detection of potentially malicious code being executed on systems regardless of if it is trusted or not.