The acronym LOLBAS stands for a method that misuses existing programs on a computer, for example, programs of the operating system, for malicious functions, or for malware. The LOLBAS project collects information about usable binaries, scripts, or libraries and makes them publicly available on the Internet. Defending against such attacks on computers can be difficult.
What is LOLBAS (Living Off The Land Binaries And Scripts)?
LOLBAS is the abbreviation for “Living Off The Land Binaries And Scripts” and stands for a method of attack on computers. “Living Off The Land” literally means “feeding off nature” and describes the method quite well. Living Off The Land Binaries And Scripts are executable files, scripts, or libraries that already exist on a computer, are provided by the operating system itself, or come from trusted sources.
They can be misused for certain malicious functions. Malware code uses the resources “naturally” present on a computer, such as programs signed by a vendor or by the operating system.
The term “Living Of The Land” was coined by Christopher Campbell and Matt Graeber. The malicious activities often go undetected due to the LOL concept, as the executing programs are regular pre-installed system tools and applications. For example, Living Off The Land Binaries And Scripts can be used to download files, compile program codes, perform file operations or steal credentials undetected. On Windows systems, for example, powershell.exe or rundll32.exe are often misused.
The LOLBAS project initiated by Oddvar Moe exists on the Internet. It provides information about binaries, scripts, and libraries that can be used, for example, by a Red team as part of penetration tests.
The goal of the open-source project is to document all scripts, binaries, and libraries that can be used for the Living-Off-The-Land method. If certain binaries, scripts, or libraries meet the project’s requirements, the information is published on the Internet. A searchable list of LOLBins, LOLLibs, and LOLScripts is available. The project can be accessed via the link https://lolbas-project.github.io.
Criteria for LOLBAS scripts, libraries, and binaries.
To be considered relevant to the Living Off The Land Binaries And Scripts project, the scripts, libraries, or binaries must be present on the system by default or installable through trusted software vendors or open-source sources. In addition, they must provide unexpected functions that can be repurposed for attack purposes. Such functions include:
- Executing program code or scripts
- Compiling program code
- Bypassing user account control
- Reading network traffic or user activity
- Side-loading or hijacking DLLs
- Process memory dumping
- Reading login credentials
- File operations like file downloads and uploads
Protection against LOLBAS attacks
Protection against LOLBAS attacks is difficult. Because the executing programs are tools internal to the operating system or software from trusted sources, the malicious actions often go undetected by standard antivirus and antimalware programs. Special precautions must be taken for protection. In some cases, these must be implemented by the operating system or by the software manufacturers themselves.
In addition, advanced, intelligent protection solutions can be used, which start at different points of the system to be monitored. For example, network traffic and the behavior of various processes are continuously monitored to identify anomalies.