
Using Automation to Hunt for the Elusive LOLBAS – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

Researchers at cybersecurity vendor Pentera knew that the attack method known as LOLBAS has, over the past few years, become an increasingly popular tool for hackers looking to compromise systems and networks.

LOLBAS – or living-off-the-land-binaries-and-scripts – involves using binaries and scripts that already are part of the targeted systems to launch attacks, which “makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities,” Nir Chako, senior security researcher with Pentera, wrote in a blog post outlining the findings in a recent report.


“Since LOLBAS are one of the growing trends in cyber-security attacks and they are also very hard for security solutions to detect, we set out to find new official LOLBAS,” Chako wrote.

He oversaw a project at Pentera to find more LOLBAS in Microsoft’s Office suite. LOLBAS are signed files that are native to Windows or downloaded from Microsoft. Over four weeks, the researchers identified 12 new LOLBAS files – nine downloaders and three executors – that security professionals need to know about and protect against.

Hackers have for years used living-off-the-land (LOTL) techniques, turning tools already present on the systems or networks they target into instruments of attack. In recent years, that has evolved to include the binaries and scripts that are already part of the system.

In the report, Chako noted that operators deploying the QakBot botnet used WScript.exe to execute JavaScript-based malware to evade detection. An attack against Ukraine’s security service used MSHTA.exe to execute a malicious HTML application. The open-source LOLBAS project is an effort to document every binary, script, and library that bad actors can use for LOTL techniques and the maintainers continue to add to it.

Automating the Search

For Pentera, finding new LOLBAS wasn’t going to be easy. The researchers started from the method laid out five years ago by Oddvar Moe, the founder of the LOLBAS project: list all the binaries and try them out one by one. But Windows has more than 3,000 binary files, so a manual search at that scale wasn’t practical.

Instead, they built an automated system.

“The automated solution needs to list all the binaries, and then go over them one by one and try to trigger a potential downloader,” he wrote. “To do so, we ran the simplest command structure that could initiate a download from an HTTP server.”

That command had two parts: the path of a potential downloader and a URL from which to download a file.

“Then, the tools need to receive feedback on the download attempt,” he wrote. “This part includes an HTTP server, like the one we used in the manual approach. The HTTP server log records provide an indication about the file download attempt.”
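The harness described above, written out as an added example (this is not Pentera’s code): a local HTTP server that logs every request, a loop that runs each candidate as `<binary> <url>`, and a check of the server’s log afterwards. One refinement over the description in the article is that each candidate is given its own random token in the URL, so a logged request is attributed to exactly one binary even when several are probed in quick succession. The Office install path and the two Python stand-ins used in place of real Windows binaries are assumptions made so the sweep can run anywhere.

```python
"""Added example (not Pentera's code): automated hunt for LOLBAS downloaders.
Each candidate is run as '<binary> <url>' with a per-candidate token URL, and a
local HTTP server records which tokens were fetched, and by which User-Agent.
The Office path and the two stand-in candidates below are assumptions."""
import http.server
import subprocess
import sys
import threading
import time
import uuid
from pathlib import Path


class ProbeServer:
    """Loopback HTTP server whose only job is to log requested tokens."""

    def __init__(self):
        self.hits = {}                     # token -> User-Agent header
        self.lock = threading.Lock()
        outer = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def _record(self):
                token = self.path.rstrip("/").rsplit("/", 1)[-1]
                with outer.lock:
                    outer.hits[token] = self.headers.get("User-Agent", "")

            def do_GET(self):
                self._record()
                body = b"probe"
                self.send_response(200)
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

            def do_HEAD(self):             # some downloaders HEAD before GET
                self._record()
                self.send_response(200)
                self.end_headers()

            def log_message(self, *args):  # keep the console quiet
                pass

        self.httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.httpd.server_address[1]
        threading.Thread(target=self.httpd.serve_forever, daemon=True).start()

    def url_for(self, token):
        return "http://127.0.0.1:%d/%s" % (self.port, token)

    def saw(self, token, grace=0.5):
        """True if `token` was requested; waits briefly because a child may
        send its request and exit before the server thread has logged it."""
        deadline = time.monotonic() + grace
        while True:
            with self.lock:
                if token in self.hits:
                    return True
            if time.monotonic() > deadline:
                return False
            time.sleep(0.02)

    def close(self):
        self.httpd.shutdown()
        self.httpd.server_close()


def list_candidates(root):
    """The 'list all the binaries' step: every *.exe under `root`."""
    return sorted(p for p in Path(root).rglob("*.exe") if p.is_file())


def probe_downloaders(candidates, server, timeout=5.0):
    """Run each candidate argv with a token URL appended and return
    {argv: user_agent} for those whose run produced a request on the probe
    server. Hung binaries are killed at `timeout`; stdin is closed so an
    interactive tool cannot stall the sweep."""
    found = {}
    for argv in candidates:
        token = uuid.uuid4().hex
        try:
            subprocess.run(list(argv) + [server.url_for(token)],
                           stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, timeout=timeout)
        except (subprocess.TimeoutExpired, OSError):
            pass                           # a hang or launch failure is not a hit
        if server.saw(token):
            with server.lock:
                found[tuple(argv)] = server.hits[token]
    return found


# Constructed stand-ins (assumptions, not real LOLBAS): one fetches its
# argument like a downloader would, the other ignores it. Proxies are bypassed
# so the fetch always goes straight to the loopback server.
DOWNLOADER_STANDIN = [sys.executable, "-c",
    "import sys, urllib.request as u; "
    "u.build_opener(u.ProxyHandler({})).open(sys.argv[1]).read()"]
INERT_STANDIN = [sys.executable, "-c", "import sys; sys.exit(0)"]


def demo():
    """Sweep the two stand-ins; only DOWNLOADER_STANDIN should be reported."""
    server = ProbeServer()
    try:
        return probe_downloaders([DOWNLOADER_STANDIN, INERT_STANDIN], server, timeout=15)
    finally:
        server.close()


if __name__ == "__main__":
    print(demo())
    if sys.platform == "win32":            # assumed Office location; adjust to taste
        server = ProbeServer()
        try:
            office = r"C:\Program Files\Microsoft Office"
            hits = probe_downloaders([[str(p)] for p in list_candidates(office)], server)
        finally:
            server.close()
        for argv, ua in hits.items():
            print("downloader candidate:", argv[0], "User-Agent:", ua)
```

On a real Windows sweep, pass `[str(path)]` for each binary found by `list_candidates`; the recorded User-Agent is worth keeping, since it is often the most useful detection artifact a newly found downloader leaves behind. Binaries that only download when given a flag or a second argument will not be caught by this single command shape, which is the same limitation the article’s “simplest command structure” carries.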

With the automated system, the researchers found six new downloaders, on top of the three they had found earlier by hand. The nine together represent a 30% increase over the downloaders already listed in the LOLBAS project.

They then found three new executors.

Go On the Offensive

Chako wrote that the hope is that Pentera’s work will encourage red and purple teams and security researchers to be more proactive when addressing the threat from LOLBAS and work to discover new files.

“Hackers will always try to find a way to abuse legitimate tools on your systems and use them against you,” he wrote. “LOLBAS continues to be relevant in cyber attacks due to its ability to remain undetected. Its effectiveness lies in leveraging legitimate and built-in system tools to carry out malicious activities, making it challenging for security solutions to detect it.”

Others agreed with Chako. LOLBAS pose an even more significant threat than living-off-the-land methods, which are fileless attacks usually associated with standard utilities used by Windows admins, including PowerShell and WMI, according to Phil Neray, vice president of cyber-defense strategy at cybersecurity vendor CardinalOps.

“Using LOLBAS is an innovative approach because it leverages binaries and scripts that are pre-installed with Office and Windows and not typically run by humans,” Neray told Security Boulevard. “This makes it much easier for these attacks to fly under the radar. Detecting them will require machine learning that figures out how to spot suspicious activity such as the use of unusual URLs from which to download files.”

James Lively, endpoint security research specialist at security firm Tanium, said the maturing of security tools also makes techniques like LOLBAS attractive to hackers.

“As security measures and protections mature across the industry, it’s much harder to use tools that provide stealth capabilities,” Lively told Security Boulevard. “A lot of times using stealth capabilities makes them stand out even more. In today’s world, it’s much harder to detect malicious activity when using legitimate tools and blending in with the noise.”


Original Post URL: https://securityboulevard.com/2023/08/using-automation-to-hunt-for-the-elusive-lolbas/

Category & Tags: Cybersecurity, Data Security, Featured, Malware, Network Security, News, Security Boulevard (Original), Spotlight, Threat Intelligence, Automation, LOLBAS, lotl
