LOLBAS in the Wild: 11 Living-Off-The-Land Binaries Used for Malicious Purposes
Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities.
“LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes,” Pentera security researcher Nir Chako said. “This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities.”
To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute “more robust malware” on infected hosts.
This includes: MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe.
“In a complete attack chain, a hacker will use a LOLBAS downloader to download more robust malware,” Chako said. “Then, they will try to execute it in a stealthy way. LOLBAS executors allow attackers to execute their malicious tools as part of a legitimate looking process tree on the system.”
That said, Pentera noted that attackers could also use other executables from software outside of those related to Microsoft to achieve similar goals.
The findings come as Vectra disclosed a potential new attack vector that leverages Microsoft Entra ID (previously Azure Active Directory) cross-tenant synchronization (CTS) feature to facilitate lateral movement to other tenants assuming a privileged identity has already been compromised in the cloud environment.
“An attacker operating in a compromised environment can exploit an existing CTS configuration tenant to move laterally from one tenant to another connected tenant,” the company said. Alternatively, “an attacker operating in a compromised tenant can deploy a rogue Cross Tenant Access configuration to maintain persistent access.”