LOLBAS (Living Off the Land Binaries And Scripts) is an attack method that uses binaries and scripts that are already part of the system for malicious purposes. This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities. Since LOLBAS are one of the growing trends in cyber-security attacks and they are also very hard for security solutions to detect, we set out to find new official LOLBAS. In this blog post, we'll show how we found 12 new LOLBAS that security professionals should protect against. To read a more in-depth explanation of the process, as well as our proposed framework for LOLBAS identification, you can read the entire research paper here.

On our quest to find new LOLBAS, we started by using Oddvar Moe's approach. Oddvar is the founder of the official open-source LOLBAS project. We started specifically by looking for new LOLBAS downloaders from the Microsoft Office suite. We listed all the binaries in the Office suite installation folder and tried to run each executable with a URL to download a file from as the argument. We set up an HTTP server to indicate a successful download attempt: each time we executed a binary with a URL as the argument, we waited for a GET request to arrive at the HTTP server, which means that the triggered binary wanted to GET something from the server, i.e. it was trying to download a file. After finding the LOLBAS download trigger, it's easy to find the location of the downloaded files by tracking the downloader with ProcMon. Within two hours, we found three(!) new LOLBAS downloaders from the Microsoft Office suite.

Since Windows OS contains more than 3,000 executable files, running them manually is not a practical approach. Therefore, we decided to build an automated solution. The automated solution needs to list all the binaries, and then go over them one-by-one to try to trigger a potential downloader.
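As an added example (not code from the original post or from the LOLBAS project), here is the detection-side counterpart of the HTTP-server-plus-ProcMon method described above: it correlates Sysmon-style NetworkConnect (EventID 3) and FileCreate (EventID 11) events so that an Office binary which reaches out to a web port and then writes a file is surfaced together with the file it dropped. The Office install root, the allowlist of Office binaries expected to use the network, and the sample events are assumptions constructed for this example.

```python
"""Surface Office-suite binaries acting as downloaders by correlating
Sysmon-style NetworkConnect (EventID 3) and FileCreate (EventID 11)
events from the same process. All sample data below is constructed."""
import json
from collections import defaultdict

# Assumption: Office is installed under its default root (compared case-insensitively).
OFFICE_ROOT = "c:\\program files\\microsoft office\\"
WEB_PORTS = {80, 443}
# Assumption: Office binaries that routinely talk to the network and would only add noise.
EXPECTED_NETWORK = {"outlook.exe"}

# Constructed JSON-lines events using Sysmon's field names; paths, PIDs and IPs are made up.
SAMPLE_EVENTS = r"""
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "DestinationIp": "203.0.113.10", "DestinationPort": 80}
{"EventID": 11, "ProcessId": 4120, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.bin"}
{"EventID": 3, "ProcessId": 5510, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 3, "ProcessId": 6001, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 443}
{"EventID": 11, "ProcessId": 6001, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\alice\\Downloads\\report.pdf"}
"""

def parse_events(text):
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_office_binary(image):
    """True when the image path sits under the Office install root."""
    return image.lower().startswith(OFFICE_ROOT)

def find_office_downloaders(events):
    """Return {image_basename: [files written]} for Office binaries that
    connected to a web port and are not on the expected-network allowlist.
    An empty list means a web connection was seen but no file write (yet)."""
    connected = {}              # pid -> image path of a flagged web connection
    writes = defaultdict(list)  # pid -> files created by that process
    for ev in events:
        image, pid = ev.get("Image", ""), ev.get("ProcessId")
        basename = image.lower().rsplit("\\", 1)[-1]
        if ev.get("EventID") == 3 and ev.get("DestinationPort") in WEB_PORTS:
            if is_office_binary(image) and basename not in EXPECTED_NETWORK:
                connected[pid] = image
        elif ev.get("EventID") == 11:
            writes[pid].append(ev.get("TargetFilename", ""))
    # Same idea as the ProcMon step: pair the downloader with the files it dropped.
    return {img.rsplit("\\", 1)[-1]: writes[pid] for pid, img in connected.items()}

if __name__ == "__main__":
    for name, files in find_office_downloaders(parse_events(SAMPLE_EVENTS)).items():
        print(f"{name}: web connection, wrote {files or 'nothing yet'}")
```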