Understanding Living-off-the-Land binaries and scripts (LOLBAS)

Of the many attack vectors and techniques today’s organizations face, few are more inconspicuous than Living-off-the-Land attacks. These in-memory attacks leverage existing binaries, scripts, or tools within an operating system to carry out malicious activities. As a result, LOLBAS attacks can go unnoticed because they blend in with legitimate system activities and leave little to no artifacts.

Digging deeper into LOLBAS

The driving force behind LOLBAS is the misuse of existing, legitimate binaries and scripts. Because they are already installed as part of an operating system, attackers can use them to evade traditional security defenses and avoid raising suspicion. This makes LOLBAS attacks incredibly nefarious as they can go unnoticed indefinitely without the right solution set in place.

Examples of LOLBAS

The LOLBAS Project is a repository specifically dedicated to identifying binaries and scripts that can be exploited and how to do so. Although this does show attackers how they can target a system, they also help defenders create protections against them as well. Here are a few examples from the LOLBAS Project:

• Certutil.exe: This Windows command line utility normally manages certificates and other cryptographical functions. Attackers can exploit it to obfuscate or encode files to avoid being detected by traditional security software.
• Bitsadmin.exe: Another Windows command-line utility, this bygone tool allowed admins to optimize Windows Update downloads back when processing speeds were low, and memory was scarce. Now, the tool isn’t necessary but remains in Windows OS, which means attackers can use it to surreptitiously download files as if they are part of usual updates.
• Vshadow.exe: A third-party executable usually associated with the Volume Shadow Copy Service (VSS) in Windows, Vshadow can secretly copy entire drives. Although these shadow copies are usually intended for backups, attackers can steal entire databases of information without leaving a trace.

A live look into LOLBAS

In this demo, you can see how LOLBAS attacks are carried out in the wild. The demo assumes that an attacker has already breached a system and leverages LOLBAS-based tactics to further exploit the system.

Defending against LOLBAS

As previously stated, LOLBAS attacks are effective at circumventing traditional security software to go undetected. Thankfully, with a next-gen security platform like Todyl, IT and security teams can effectively detect and prevent LOLBAS attacks.

Bringing in the human element

Traditional endpoint and antivirus solutions have difficulty detecting LOLBAS attacks because the events they generate mimic legitimate system and admin activities. To combat this, Todyl uses behavior-based analytics built into our Endpoint Security solution to identify these activities as potentially anomalous. We have multiple managed, prebuilt detections that leverage behavior analytics to identify Certutil, Bitsadmin, VShadow and other similar LOLBAS-driven attacks.

The Todyl Managed eXtended Detection and Response (MXDR) team manually investigates these events as well, determining the context behind the behavior and if there’s associated malicious activity as well. Through Todyl, the MXDR team automatically stops the process(es) if deemed malicious, and works with you to address the system in question to remediate the issue.

Watch the entire MXDR presentation above to learn more about LOLBAS from our experts, and how you can use Todyl and our MXDR service to prevent attacks.

Not a Todyl partner? Click here to book a demo and learn more about our Endpoint Security and MXDR modules, as well as the rest of the Todyl Security Platform. 

‍