#lolbas — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #lolbas, aggregated by home.social.
-
«Легитимное зло» в инфраструктуре: практический опыт детектирования LOLBAS
Привет, Хабр! Меня зовут Максим Кишмерешкин, я ведущий аналитик центра мониторинга и реагирования «Инфосистемы Джет». Сегодня мы поговорим про довольно старую, но до сих пор остающуюся популярной тему — LOTL. Напомню, что LOTL (living on the land), или как я его называю «жизнь на подножном корме» — это использование в атаке инструментов, которые уже есть в системе жертвы. Мы поделимся тем, как мы этот класс атак встречали в реальных кейсах, какие процедуры и техники выявляли, и расскажем, как их можно детектировать.
https://habr.com/ru/companies/jetinfosystems/articles/1032484/
#cybersecurity #cyberattack #lotl #lolbas #soc #siem #иб #кибербезопасность #кибербез #детектирование
-
«Легитимное зло» в инфраструктуре: практический опыт детектирования LOLBAS
Привет, Хабр! Меня зовут Максим Кишмерешкин, я ведущий аналитик центра мониторинга и реагирования «Инфосистемы Джет». Сегодня мы поговорим про довольно старую, но до сих пор остающуюся популярной тему — LOTL. Напомню, что LOTL (living on the land), или как я его называю «жизнь на подножном корме» — это использование в атаке инструментов, которые уже есть в системе жертвы. Мы поделимся тем, как мы этот класс атак встречали в реальных кейсах, какие процедуры и техники выявляли, и расскажем, как их можно детектировать.
https://habr.com/ru/companies/jetinfosystems/articles/1032484/
#cybersecurity #cyberattack #lotl #lolbas #soc #siem #иб #кибербезопасность #кибербез #детектирование
-
«Легитимное зло» в инфраструктуре: практический опыт детектирования LOLBAS
Привет, Хабр! Меня зовут Максим Кишмерешкин, я ведущий аналитик центра мониторинга и реагирования «Инфосистемы Джет». Сегодня мы поговорим про довольно старую, но до сих пор остающуюся популярной тему — LOTL. Напомню, что LOTL (living on the land), или как я его называю «жизнь на подножном корме» — это использование в атаке инструментов, которые уже есть в системе жертвы. Мы поделимся тем, как мы этот класс атак встречали в реальных кейсах, какие процедуры и техники выявляли, и расскажем, как их можно детектировать.
https://habr.com/ru/companies/jetinfosystems/articles/1032484/
#cybersecurity #cyberattack #lotl #lolbas #soc #siem #иб #кибербезопасность #кибербез #детектирование
-
«Легитимное зло» в инфраструктуре: практический опыт детектирования LOLBAS
Привет, Хабр! Меня зовут Максим Кишмерешкин, я ведущий аналитик центра мониторинга и реагирования «Инфосистемы Джет». Сегодня мы поговорим про довольно старую, но до сих пор остающуюся популярной тему — LOTL. Напомню, что LOTL (living on the land), или как я его называю «жизнь на подножном корме» — это использование в атаке инструментов, которые уже есть в системе жертвы. Мы поделимся тем, как мы этот класс атак встречали в реальных кейсах, какие процедуры и техники выявляли, и расскажем, как их можно детектировать.
https://habr.com/ru/companies/jetinfosystems/articles/1032484/
#cybersecurity #cyberattack #lotl #lolbas #soc #siem #иб #кибербезопасность #кибербез #детектирование
-
ClickFix evolves: instead of PowerShell, attackers now leverage Cmdkey for credential harvesting and Regsvr32 for remote payload execution. Familiar Living-off-the-Land tricks, fresh combination. 🔍
The beauty of LotL attacks is that the weapons are already in the house. Detection has to be smarter than prevention here. #infosec #LOLBAS #threatintel
https://gbhackers.com/clickfix-attack-swaps-powershell/ -
10 популярных техник обхода EDR
Алексей Баландин, Security Vision На сегодняшний день невозможно представить защиту конечных точек без системы EDR, которая, в отличие от устаревшего антивируса, основана в первую очередь на поведенческом анализе происходящих в системе событий. Потребность в этой системе резко возросла за последние 10 лет в связи с тем, что угрозы совершенствуются из года в год. Давно стало очевидно, что эффективно противостоять атакующим можно не столько за счет статического анализа кода, сигнатурного метода, сколько за счет изучения, анализа и блокировки их поведенческих паттернов, используемых тактик, техник и процедур. Этим и занимается класс продуктов EDR и активно развивается за счет постоянного пополнения базы знаний о новых методах атак. Обратной стороной медали является то, что атакующие не стоят на месте и разрабатывают все новые способы обхода и противодействия EDR. Далее рассмотрим техники обхода EDR, которые были наиболее популярны у атакующих за последние 5 лет.
https://habr.com/ru/companies/securityvison/articles/973172/
-
10 популярных техник обхода EDR
Алексей Баландин, Security Vision На сегодняшний день невозможно представить защиту конечных точек без системы EDR, которая, в отличие от устаревшего антивируса, основана в первую очередь на поведенческом анализе происходящих в системе событий. Потребность в этой системе резко возросла за последние 10 лет в связи с тем, что угрозы совершенствуются из года в год. Давно стало очевидно, что эффективно противостоять атакующим можно не столько за счет статического анализа кода, сигнатурного метода, сколько за счет изучения, анализа и блокировки их поведенческих паттернов, используемых тактик, техник и процедур. Этим и занимается класс продуктов EDR и активно развивается за счет постоянного пополнения базы знаний о новых методах атак. Обратной стороной медали является то, что атакующие не стоят на месте и разрабатывают все новые способы обхода и противодействия EDR. Далее рассмотрим техники обхода EDR, которые были наиболее популярны у атакующих за последние 5 лет.
https://habr.com/ru/companies/securityvison/articles/973172/
-
10 популярных техник обхода EDR
Алексей Баландин, Security Vision На сегодняшний день невозможно представить защиту конечных точек без системы EDR, которая, в отличие от устаревшего антивируса, основана в первую очередь на поведенческом анализе происходящих в системе событий. Потребность в этой системе резко возросла за последние 10 лет в связи с тем, что угрозы совершенствуются из года в год. Давно стало очевидно, что эффективно противостоять атакующим можно не столько за счет статического анализа кода, сигнатурного метода, сколько за счет изучения, анализа и блокировки их поведенческих паттернов, используемых тактик, техник и процедур. Этим и занимается класс продуктов EDR и активно развивается за счет постоянного пополнения базы знаний о новых методах атак. Обратной стороной медали является то, что атакующие не стоят на месте и разрабатывают все новые способы обхода и противодействия EDR. Далее рассмотрим техники обхода EDR, которые были наиболее популярны у атакующих за последние 5 лет.
https://habr.com/ru/companies/securityvison/articles/973172/
-
10 популярных техник обхода EDR
Алексей Баландин, Security Vision На сегодняшний день невозможно представить защиту конечных точек без системы EDR, которая, в отличие от устаревшего антивируса, основана в первую очередь на поведенческом анализе происходящих в системе событий. Потребность в этой системе резко возросла за последние 10 лет в связи с тем, что угрозы совершенствуются из года в год. Давно стало очевидно, что эффективно противостоять атакующим можно не столько за счет статического анализа кода, сигнатурного метода, сколько за счет изучения, анализа и блокировки их поведенческих паттернов, используемых тактик, техник и процедур. Этим и занимается класс продуктов EDR и активно развивается за счет постоянного пополнения базы знаний о новых методах атак. Обратной стороной медали является то, что атакующие не стоят на месте и разрабатывают все новые способы обхода и противодействия EDR. Далее рассмотрим техники обхода EDR, которые были наиболее популярны у атакующих за последние 5 лет.
https://habr.com/ru/companies/securityvison/articles/973172/
-
Семейство Living off the Land: как обнаруживать и митигировать
Данная статья посвящена обзору целого класса способов и техник атак, направленных на маскирование своей активности и обход имеющихся механизмов защиты и обнаружения. Этот класс техник атак достаточно стар и носит название Living Off the Land, он активно используется злоумышленниками на протяжении последних нескольких десятилетий — сейчас практически ни одна APT атака не обходится без использования данных техник. Они завоевали огромную популярность среди злоумышленников в первую очередь ввиду того, что в силу своей природы позволяют им оставаться ниже радара SOC, маскируясь под легитимные системные события. Эти техники подразумевают использование имеющихся механизмов ОС и доверенных, не вызывающих подозрения инструментов, для скрытного выполнения кода, горизонтального перемещения, удаленного контроля, сбора данных, повышения привилегий и т.д. Также в статье будут рассмотрены способы обнаружения и противодействия данному классу техник атак.
https://habr.com/ru/companies/securityvison/articles/954698/
#информационная_безопасность #lolbas #gtfobins #living_off_the_land #edr
-
Семейство Living off the Land: как обнаруживать и митигировать
Данная статья посвящена обзору целого класса способов и техник атак, направленных на маскирование своей активности и обход имеющихся механизмов защиты и обнаружения. Этот класс техник атак достаточно стар и носит название Living Off the Land, он активно используется злоумышленниками на протяжении последних нескольких десятилетий — сейчас практически ни одна APT атака не обходится без использования данных техник. Они завоевали огромную популярность среди злоумышленников в первую очередь ввиду того, что в силу своей природы позволяют им оставаться ниже радара SOC, маскируясь под легитимные системные события. Эти техники подразумевают использование имеющихся механизмов ОС и доверенных, не вызывающих подозрения инструментов, для скрытного выполнения кода, горизонтального перемещения, удаленного контроля, сбора данных, повышения привилегий и т.д. Также в статье будут рассмотрены способы обнаружения и противодействия данному классу техник атак.
https://habr.com/ru/companies/securityvison/articles/954698/
#информационная_безопасность #lolbas #gtfobins #living_off_the_land #edr
-
Семейство Living off the Land: как обнаруживать и митигировать
Данная статья посвящена обзору целого класса способов и техник атак, направленных на маскирование своей активности и обход имеющихся механизмов защиты и обнаружения. Этот класс техник атак достаточно стар и носит название Living Off the Land, он активно используется злоумышленниками на протяжении последних нескольких десятилетий — сейчас практически ни одна APT атака не обходится без использования данных техник. Они завоевали огромную популярность среди злоумышленников в первую очередь ввиду того, что в силу своей природы позволяют им оставаться ниже радара SOC, маскируясь под легитимные системные события. Эти техники подразумевают использование имеющихся механизмов ОС и доверенных, не вызывающих подозрения инструментов, для скрытного выполнения кода, горизонтального перемещения, удаленного контроля, сбора данных, повышения привилегий и т.д. Также в статье будут рассмотрены способы обнаружения и противодействия данному классу техник атак.
https://habr.com/ru/companies/securityvison/articles/954698/
#информационная_безопасность #lolbas #gtfobins #living_off_the_land #edr
-
Семейство Living off the Land: как обнаруживать и митигировать
Данная статья посвящена обзору целого класса способов и техник атак, направленных на маскирование своей активности и обход имеющихся механизмов защиты и обнаружения. Этот класс техник атак достаточно стар и носит название Living Off the Land, он активно используется злоумышленниками на протяжении последних нескольких десятилетий — сейчас практически ни одна APT атака не обходится без использования данных техник. Они завоевали огромную популярность среди злоумышленников в первую очередь ввиду того, что в силу своей природы позволяют им оставаться ниже радара SOC, маскируясь под легитимные системные события. Эти техники подразумевают использование имеющихся механизмов ОС и доверенных, не вызывающих подозрения инструментов, для скрытного выполнения кода, горизонтального перемещения, удаленного контроля, сбора данных, повышения привилегий и т.д. Также в статье будут рассмотрены способы обнаружения и противодействия данному классу техник атак.
https://habr.com/ru/companies/securityvison/articles/954698/
#информационная_безопасность #lolbas #gtfobins #living_off_the_land #edr
-
🔍 Detection Method
===================🛠️ Tool
Opening: LOLBASline is a PowerShell module designed to baseline Windows endpoints for Living Off The Land Binaries and Scripts (LOLBAS). The tool enumerates entries from the official LOLBAS YAML dataset, verifies binary presence, and attempts representative command executions to assess whether those binaries can be used for agentless or fileless TTPs.
Key Features:
• Repository handling: Auto-clones the LOLBAS project when no local path is supplied, parsing YAML definitions for metadata and execution examples.
• Presence verification: Confirms file system presence and common install paths for listed binaries and scripts.
• Execution capability tests: Attempts safe, representative commands configured in the YAML to validate whether an observable execution path exists.
• Reporting: Produces a structured CSV containing detected items, execution success/failure, timestamps, and YAML-sourced metadata for downstream analysis.Use Cases:
• Rapid endpoint assessment in lab and red-team environments to enumerate potential living-off-the-land opportunities.
• Creating an inventory of allowed vs. risky binaries for defensive teams and baselining for detection tuning.Strengths & Considerations:
• Strengths include automation of YAML parsing, consolidated reporting, and an explicit focus on execution capability rather than mere presence.
• Considerations include operational risk: the execution tests are intentionally active and may trigger EDR, SIEM alerts, or unintended side effects. The README warns explicitly against running on production systems.Detection & Defensive Value:
• Output CSV can be ingested into asset databases or SIEMs to correlate detected LOLBAS items with telemetry and to prioritize detection rules for high-risk executables.Limitations:
• The tool relies on YAML examples that may not cover all execution vectors or contextual privilege constraints; a successful representative command does not prove full exploitability in all contexts.
• False positives/negatives are possible depending on path variations, aliasing, and environment-specific restrictions.🔹 tool #LOLBAS #PowerShell #Windows #baseline
-
🔍 Detection Method
===================🛠️ Tool
Opening: LOLBASline is a PowerShell module designed to baseline Windows endpoints for Living Off The Land Binaries and Scripts (LOLBAS). The tool enumerates entries from the official LOLBAS YAML dataset, verifies binary presence, and attempts representative command executions to assess whether those binaries can be used for agentless or fileless TTPs.
Key Features:
• Repository handling: Auto-clones the LOLBAS project when no local path is supplied, parsing YAML definitions for metadata and execution examples.
• Presence verification: Confirms file system presence and common install paths for listed binaries and scripts.
• Execution capability tests: Attempts safe, representative commands configured in the YAML to validate whether an observable execution path exists.
• Reporting: Produces a structured CSV containing detected items, execution success/failure, timestamps, and YAML-sourced metadata for downstream analysis.Use Cases:
• Rapid endpoint assessment in lab and red-team environments to enumerate potential living-off-the-land opportunities.
• Creating an inventory of allowed vs. risky binaries for defensive teams and baselining for detection tuning.Strengths & Considerations:
• Strengths include automation of YAML parsing, consolidated reporting, and an explicit focus on execution capability rather than mere presence.
• Considerations include operational risk: the execution tests are intentionally active and may trigger EDR, SIEM alerts, or unintended side effects. The README warns explicitly against running on production systems.Detection & Defensive Value:
• Output CSV can be ingested into asset databases or SIEMs to correlate detected LOLBAS items with telemetry and to prioritize detection rules for high-risk executables.Limitations:
• The tool relies on YAML examples that may not cover all execution vectors or contextual privilege constraints; a successful representative command does not prove full exploitability in all contexts.
• False positives/negatives are possible depending on path variations, aliasing, and environment-specific restrictions.🔹 tool #LOLBAS #PowerShell #Windows #baseline
-
🔍 Detection Method
===================🛠️ Tool
Opening: LOLBASline is a PowerShell module designed to baseline Windows endpoints for Living Off The Land Binaries and Scripts (LOLBAS). The tool enumerates entries from the official LOLBAS YAML dataset, verifies binary presence, and attempts representative command executions to assess whether those binaries can be used for agentless or fileless TTPs.
Key Features:
• Repository handling: Auto-clones the LOLBAS project when no local path is supplied, parsing YAML definitions for metadata and execution examples.
• Presence verification: Confirms file system presence and common install paths for listed binaries and scripts.
• Execution capability tests: Attempts safe, representative commands configured in the YAML to validate whether an observable execution path exists.
• Reporting: Produces a structured CSV containing detected items, execution success/failure, timestamps, and YAML-sourced metadata for downstream analysis.Use Cases:
• Rapid endpoint assessment in lab and red-team environments to enumerate potential living-off-the-land opportunities.
• Creating an inventory of allowed vs. risky binaries for defensive teams and baselining for detection tuning.Strengths & Considerations:
• Strengths include automation of YAML parsing, consolidated reporting, and an explicit focus on execution capability rather than mere presence.
• Considerations include operational risk: the execution tests are intentionally active and may trigger EDR, SIEM alerts, or unintended side effects. The README warns explicitly against running on production systems.Detection & Defensive Value:
• Output CSV can be ingested into asset databases or SIEMs to correlate detected LOLBAS items with telemetry and to prioritize detection rules for high-risk executables.Limitations:
• The tool relies on YAML examples that may not cover all execution vectors or contextual privilege constraints; a successful representative command does not prove full exploitability in all contexts.
• False positives/negatives are possible depending on path variations, aliasing, and environment-specific restrictions.🔹 tool #LOLBAS #PowerShell #Windows #baseline
-
🔍 Detection Method
===================🛠️ Tool
Opening: LOLBASline is a PowerShell module designed to baseline Windows endpoints for Living Off The Land Binaries and Scripts (LOLBAS). The tool enumerates entries from the official LOLBAS YAML dataset, verifies binary presence, and attempts representative command executions to assess whether those binaries can be used for agentless or fileless TTPs.
Key Features:
• Repository handling: Auto-clones the LOLBAS project when no local path is supplied, parsing YAML definitions for metadata and execution examples.
• Presence verification: Confirms file system presence and common install paths for listed binaries and scripts.
• Execution capability tests: Attempts safe, representative commands configured in the YAML to validate whether an observable execution path exists.
• Reporting: Produces a structured CSV containing detected items, execution success/failure, timestamps, and YAML-sourced metadata for downstream analysis.Use Cases:
• Rapid endpoint assessment in lab and red-team environments to enumerate potential living-off-the-land opportunities.
• Creating an inventory of allowed vs. risky binaries for defensive teams and baselining for detection tuning.Strengths & Considerations:
• Strengths include automation of YAML parsing, consolidated reporting, and an explicit focus on execution capability rather than mere presence.
• Considerations include operational risk: the execution tests are intentionally active and may trigger EDR, SIEM alerts, or unintended side effects. The README warns explicitly against running on production systems.Detection & Defensive Value:
• Output CSV can be ingested into asset databases or SIEMs to correlate detected LOLBAS items with telemetry and to prioritize detection rules for high-risk executables.Limitations:
• The tool relies on YAML examples that may not cover all execution vectors or contextual privilege constraints; a successful representative command does not prove full exploitability in all contexts.
• False positives/negatives are possible depending on path variations, aliasing, and environment-specific restrictions.🔹 tool #LOLBAS #PowerShell #Windows #baseline
-
Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.
So... I made one: https://github.com/danzek/awesome-lol-commonly-abused
Contributions welcome, whether by replying to this post or sending a PR on GitHub.
-
Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.
So... I made one: https://github.com/danzek/awesome-lol-commonly-abused
Contributions welcome, whether by replying to this post or sending a PR on GitHub.
-
Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.
So... I made one: https://github.com/danzek/awesome-lol-commonly-abused
Contributions welcome, whether by replying to this post or sending a PR on GitHub.
-
Unexplored LOLBAS Technique: Wevtutil.exe: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
-
Unexplored LOLBAS Technique: Wevtutil.exe: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
-
Unexplored LOLBAS Technique: Wevtutil.exe: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
-
Unexplored LOLBAS Technique: Wevtutil.exe: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
-
Unexplored LOLBAS Technique: Wevtutil.exe: https://denwp.com/unexplored-lolbas-technique-wevtutil-exe/
-
Hackers Exploited Windows Event Logging Tool To Steal Data Secretly https://cybersecuritynews.com/hackers-exploited-windows-event-logs-tool/ #ComputerSecurityNews #EventLogManipulation #NetworkSecurityNews #CyberSecurityNews #cybersecuritynews #CyberThreatNews #Wevtutil #LOLBAS
-
Hackers Exploited Windows Event Logging Tool To Steal Data Secretly https://cybersecuritynews.com/hackers-exploited-windows-event-logs-tool/ #ComputerSecurityNews #EventLogManipulation #NetworkSecurityNews #CyberSecurityNews #cybersecuritynews #CyberThreatNews #Wevtutil #LOLBAS
-
Hackers Exploited Windows Event Logging Tool To Steal Data Secretly https://cybersecuritynews.com/hackers-exploited-windows-event-logs-tool/ #ComputerSecurityNews #EventLogManipulation #NetworkSecurityNews #CyberSecurityNews #cybersecuritynews #CyberThreatNews #Wevtutil #LOLBAS
-
Walk through a customer incident with me!
What happens when attackers can SEO their fake application to the first page of search results, alerts fire along the way, and you have a customer and secops team that are top notch!
https://www.blumira.com/masked-application-attack-incident-report/
#incidentresponse #malware #dfir #smbsecurity #lolbas #bankingindustry #creditunions
-
Walk through a customer incident with me!
What happens when attackers can SEO their fake application to the first page of search results, alerts fire along the way, and you have a customer and secops team that are top notch!
https://www.blumira.com/masked-application-attack-incident-report/
#incidentresponse #malware #dfir #smbsecurity #lolbas #bankingindustry #creditunions
-
Walk through a customer incident with me!
What happens when attackers can SEO their fake application to the first page of search results, alerts fire along the way, and you have a customer and secops team that are top notch!
https://www.blumira.com/masked-application-attack-incident-report/
#incidentresponse #malware #dfir #smbsecurity #lolbas #bankingindustry #creditunions
-
Walk through a customer incident with me!
What happens when attackers can SEO their fake application to the first page of search results, alerts fire along the way, and you have a customer and secops team that are top notch!
https://www.blumira.com/masked-application-attack-incident-report/
#incidentresponse #malware #dfir #smbsecurity #lolbas #bankingindustry #creditunions
-
Walk through a customer incident with me!
What happens when attackers can SEO their fake application to the first page of search results, alerts fire along the way, and you have a customer and secops team that are top notch!
https://www.blumira.com/masked-application-attack-incident-report/
#incidentresponse #malware #dfir #smbsecurity #lolbas #bankingindustry #creditunions
-
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found
https://www.huntress.com/blog/cant-touch-this-data-exfiltration-via-finger
#DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
@keydet89 -
"🔍 Researchers Uncover 12 New LOLBAS Binaries Used by Attackers 🕵️♂️"
Hackers are increasingly using LOLBAS (Living-Off-the-Land Binaries-And-Scripts) to exploit legitimate tools and hide illicit actions. As LOLBAS gains traction, experts are seeking new detection methods. Stay vigilant! 💻🔒
Researchers Discover 12 New LOLBAS Binaries Used by Attackers
Introduction
Living-Off-the-Land Binaries And Scripts (LOLBAS) is a popular methodology used by threat actors to exploit legitimate tools for hiding their illicit actions. As LOLBAS gains traction rapidly in cyber attacks, experts are actively seeking new methods to detect unknown malicious binaries for better defense mechanisms.New LOLBAS Binaries Discovered
Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware. Over 3000 Windows binaries pose the LOLBAS discovery challenge. Even with the automation approach, researchers found 12 new files in 4 weeks, marking a 30% rise in known downloaders and executors.LOLBAS: An Evergreen Type of Cyber Attack
LOLBAS has been a known concept in the cybersecurity landscape for some time now. However, it continues to gain its pace as one of the most dominant trends in cyber-attacks. It is important to understand how hackers are constantly seeking to exploit the legitimate tools within your systems and then turn them against you for their illicit purposes. Due to its exceptional capability to evade detection, LOLBAS remains a significant concern in cyber attacks. What makes it so powerful is its adeptness at utilizing pre-installed legit system tools to execute malicious actions.Detection of Binaries
The automated solution generates the download attempt, lists binaries, and then it triggers the downloader via a simple HTTP command structure with two parts:The path of the potential downloader
A URL to download the file from
The second part involves an HTTP server for receiving feedback on download attempts, with log records indicating file download attempts. This automated method revealed 6 additional downloaders, leading to a 30% boost in the LOLBAS list with a total of 9 discoveries.In this scenario, a hacker will deploy the LOLBAS downloader to acquire powerful malware and then execute it stealthily using LOLBAS executors, disguising it as legitimate processes.
The complete process could be automated via two tools:
IDApython: It finds API call cross-references and decompiles.
ChatGPT: It assists in analyzing function arguments’ connections for a solid POC.
The proposed static approach surpasses the dynamic analysis by focusing on low-level details of the code like automating reverse engineering for deeper code insights, revealing structure, behavior, and potential issues. This complete analysis offers a proactive defense roadmap, empowering security pros to predict and prevent evolving cyber threats.Conclusion
The discovery of new LOLBAS binaries and the development of automated methods for their detection underscore the evolving nature of cyber threats. As hackers continue to exploit legitimate tools for illicit purposes, the need for proactive and robust defense mechanisms becomes increasingly critical. By leveraging tools like IDApython and ChatGPT, and focusing on low-level details of the code, security professionals can gain deeper insights into potential threats and devise strategies to predict and prevent them.Source: Cybersecurity News
-
"🔍 Researchers Uncover 12 New LOLBAS Binaries Used by Attackers 🕵️♂️"
Hackers are increasingly using LOLBAS (Living-Off-the-Land Binaries-And-Scripts) to exploit legitimate tools and hide illicit actions. As LOLBAS gains traction, experts are seeking new detection methods. Stay vigilant! 💻🔒
Researchers Discover 12 New LOLBAS Binaries Used by Attackers
Introduction
Living-Off-the-Land Binaries And Scripts (LOLBAS) is a popular methodology used by threat actors to exploit legitimate tools for hiding their illicit actions. As LOLBAS gains traction rapidly in cyber attacks, experts are actively seeking new methods to detect unknown malicious binaries for better defense mechanisms.New LOLBAS Binaries Discovered
Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware. Over 3000 Windows binaries pose the LOLBAS discovery challenge. Even with the automation approach, researchers found 12 new files in 4 weeks, marking a 30% rise in known downloaders and executors.LOLBAS: An Evergreen Type of Cyber Attack
LOLBAS has been a known concept in the cybersecurity landscape for some time now. However, it continues to gain its pace as one of the most dominant trends in cyber-attacks. It is important to understand how hackers are constantly seeking to exploit the legitimate tools within your systems and then turn them against you for their illicit purposes. Due to its exceptional capability to evade detection, LOLBAS remains a significant concern in cyber attacks. What makes it so powerful is its adeptness at utilizing pre-installed legit system tools to execute malicious actions.Detection of Binaries
The automated solution generates the download attempt, lists binaries, and then it triggers the downloader via a simple HTTP command structure with two parts:The path of the potential downloader
A URL to download the file from
The second part involves an HTTP server for receiving feedback on download attempts, with log records indicating file download attempts. This automated method revealed 6 additional downloaders, leading to a 30% boost in the LOLBAS list with a total of 9 discoveries.In this scenario, a hacker will deploy the LOLBAS downloader to acquire powerful malware and then execute it stealthily using LOLBAS executors, disguising it as legitimate processes.
The complete process could be automated via two tools:
IDApython: It finds API call cross-references and decompiles.
ChatGPT: It assists in analyzing function arguments’ connections for a solid POC.
The proposed static approach surpasses the dynamic analysis by focusing on low-level details of the code like automating reverse engineering for deeper code insights, revealing structure, behavior, and potential issues. This complete analysis offers a proactive defense roadmap, empowering security pros to predict and prevent evolving cyber threats.Conclusion
The discovery of new LOLBAS binaries and the development of automated methods for their detection underscore the evolving nature of cyber threats. As hackers continue to exploit legitimate tools for illicit purposes, the need for proactive and robust defense mechanisms becomes increasingly critical. By leveraging tools like IDApython and ChatGPT, and focusing on low-level details of the code, security professionals can gain deeper insights into potential threats and devise strategies to predict and prevent them.Source: Cybersecurity News
-
"🔍 Researchers Uncover 12 New LOLBAS Binaries Used by Attackers 🕵️♂️"
Hackers are increasingly using LOLBAS (Living-Off-the-Land Binaries-And-Scripts) to exploit legitimate tools and hide illicit actions. As LOLBAS gains traction, experts are seeking new detection methods. Stay vigilant! 💻🔒
Researchers Discover 12 New LOLBAS Binaries Used by Attackers
Introduction
Living-Off-the-Land Binaries And Scripts (LOLBAS) is a popular methodology used by threat actors to exploit legitimate tools for hiding their illicit actions. As LOLBAS gains traction rapidly in cyber attacks, experts are actively seeking new methods to detect unknown malicious binaries for better defense mechanisms.New LOLBAS Binaries Discovered
Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware. Over 3000 Windows binaries pose the LOLBAS discovery challenge. Even with the automation approach, researchers found 12 new files in 4 weeks, marking a 30% rise in known downloaders and executors.LOLBAS: An Evergreen Type of Cyber Attack
LOLBAS has been a known concept in the cybersecurity landscape for some time now. However, it continues to gain its pace as one of the most dominant trends in cyber-attacks. It is important to understand how hackers are constantly seeking to exploit the legitimate tools within your systems and then turn them against you for their illicit purposes. Due to its exceptional capability to evade detection, LOLBAS remains a significant concern in cyber attacks. What makes it so powerful is its adeptness at utilizing pre-installed legit system tools to execute malicious actions.Detection of Binaries
The automated solution generates the download attempt, lists binaries, and then it triggers the downloader via a simple HTTP command structure with two parts:The path of the potential downloader
A URL to download the file from
The second part involves an HTTP server for receiving feedback on download attempts, with log records indicating file download attempts. This automated method revealed 6 additional downloaders, leading to a 30% boost in the LOLBAS list with a total of 9 discoveries.In this scenario, a hacker will deploy the LOLBAS downloader to acquire powerful malware and then execute it stealthily using LOLBAS executors, disguising it as legitimate processes.
The complete process could be automated via two tools:
IDApython: It finds API call cross-references and decompiles.
ChatGPT: It assists in analyzing function arguments’ connections for a solid POC.
The proposed static approach surpasses the dynamic analysis by focusing on low-level details of the code like automating reverse engineering for deeper code insights, revealing structure, behavior, and potential issues. This complete analysis offers a proactive defense roadmap, empowering security pros to predict and prevent evolving cyber threats.Conclusion
The discovery of new LOLBAS binaries and the development of automated methods for their detection underscore the evolving nature of cyber threats. As hackers continue to exploit legitimate tools for illicit purposes, the need for proactive and robust defense mechanisms becomes increasingly critical. By leveraging tools like IDApython and ChatGPT, and focusing on low-level details of the code, security professionals can gain deeper insights into potential threats and devise strategies to predict and prevent them.Source: Cybersecurity News
-
"🔍 Researchers Uncover 12 New LOLBAS Binaries Used by Attackers 🕵️♂️"
Hackers are increasingly using LOLBAS (Living-Off-the-Land Binaries-And-Scripts) to exploit legitimate tools and hide illicit actions. As LOLBAS gains traction, experts are seeking new detection methods. Stay vigilant! 💻🔒
Researchers Discover 12 New LOLBAS Binaries Used by Attackers
Introduction
Living-Off-the-Land Binaries And Scripts (LOLBAS) is a popular methodology used by threat actors to exploit legitimate tools for hiding their illicit actions. As LOLBAS gains traction rapidly in cyber attacks, experts are actively seeking new methods to detect unknown malicious binaries for better defense mechanisms.New LOLBAS Binaries Discovered
Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware. Over 3000 Windows binaries pose the LOLBAS discovery challenge. Even with the automation approach, researchers found 12 new files in 4 weeks, marking a 30% rise in known downloaders and executors.LOLBAS: An Evergreen Type of Cyber Attack
LOLBAS has been a known concept in the cybersecurity landscape for some time now. However, it continues to gain its pace as one of the most dominant trends in cyber-attacks. It is important to understand how hackers are constantly seeking to exploit the legitimate tools within your systems and then turn them against you for their illicit purposes. Due to its exceptional capability to evade detection, LOLBAS remains a significant concern in cyber attacks. What makes it so powerful is its adeptness at utilizing pre-installed legit system tools to execute malicious actions.Detection of Binaries
The automated solution generates the download attempt, lists binaries, and then it triggers the downloader via a simple HTTP command structure with two parts:The path of the potential downloader
A URL to download the file from
The second part involves an HTTP server for receiving feedback on download attempts, with log records indicating file download attempts. This automated method revealed 6 additional downloaders, leading to a 30% boost in the LOLBAS list with a total of 9 discoveries.In this scenario, a hacker will deploy the LOLBAS downloader to acquire powerful malware and then execute it stealthily using LOLBAS executors, disguising it as legitimate processes.
The complete process could be automated via two tools:
IDApython: It finds API call cross-references and decompiles.
ChatGPT: It assists in analyzing function arguments’ connections for a solid POC.
The proposed static approach surpasses the dynamic analysis by focusing on low-level details of the code like automating reverse engineering for deeper code insights, revealing structure, behavior, and potential issues. This complete analysis offers a proactive defense roadmap, empowering security pros to predict and prevent evolving cyber threats.Conclusion
The discovery of new LOLBAS binaries and the development of automated methods for their detection underscore the evolving nature of cyber threats. As hackers continue to exploit legitimate tools for illicit purposes, the need for proactive and robust defense mechanisms becomes increasingly critical. By leveraging tools like IDApython and ChatGPT, and focusing on low-level details of the code, security professionals can gain deeper insights into potential threats and devise strategies to predict and prevent them.Source: Cybersecurity News
-
"🔍 Researchers Uncover 12 New LOLBAS Binaries Used by Attackers 🕵️♂️"
Hackers are increasingly using LOLBAS (Living-Off-the-Land Binaries-And-Scripts) to exploit legitimate tools and hide illicit actions. As LOLBAS gains traction, experts are seeking new detection methods. Stay vigilant! 💻🔒
Researchers Discover 12 New LOLBAS Binaries Used by Attackers
Introduction
Living-Off-the-Land Binaries And Scripts (LOLBAS) is a popular methodology used by threat actors to exploit legitimate tools for hiding their illicit actions. As LOLBAS gains traction rapidly in cyber attacks, experts are actively seeking new methods to detect unknown malicious binaries for better defense mechanisms.New LOLBAS Binaries Discovered
Cybersecurity researchers at Pentera Labs recently discovered new LOLBAS binaries that are actively used by threat actors to deploy malware. Over 3000 Windows binaries pose the LOLBAS discovery challenge. Even with the automation approach, researchers found 12 new files in 4 weeks, marking a 30% rise in known downloaders and executors.LOLBAS: An Evergreen Type of Cyber Attack
LOLBAS has been a known concept in the cybersecurity landscape for some time now. However, it continues to gain its pace as one of the most dominant trends in cyber-attacks. It is important to understand how hackers are constantly seeking to exploit the legitimate tools within your systems and then turn them against you for their illicit purposes. Due to its exceptional capability to evade detection, LOLBAS remains a significant concern in cyber attacks. What makes it so powerful is its adeptness at utilizing pre-installed legit system tools to execute malicious actions.Detection of Binaries
The automated solution generates the download attempt, lists binaries, and then it triggers the downloader via a simple HTTP command structure with two parts:The path of the potential downloader
A URL to download the file from
The second part involves an HTTP server for receiving feedback on download attempts, with log records indicating file download attempts. This automated method revealed 6 additional downloaders, leading to a 30% boost in the LOLBAS list with a total of 9 discoveries.In this scenario, a hacker will deploy the LOLBAS downloader to acquire powerful malware and then execute it stealthily using LOLBAS executors, disguising it as legitimate processes.
The complete process could be automated via two tools:
IDApython: It finds API call cross-references and decompiles.
ChatGPT: It assists in analyzing function arguments’ connections for a solid POC.
The proposed static approach surpasses the dynamic analysis by focusing on low-level details of the code like automating reverse engineering for deeper code insights, revealing structure, behavior, and potential issues. This complete analysis offers a proactive defense roadmap, empowering security pros to predict and prevent evolving cyber threats.Conclusion
The discovery of new LOLBAS binaries and the development of automated methods for their detection underscore the evolving nature of cyber threats. As hackers continue to exploit legitimate tools for illicit purposes, the need for proactive and robust defense mechanisms becomes increasingly critical. By leveraging tools like IDApython and ChatGPT, and focusing on low-level details of the code, security professionals can gain deeper insights into potential threats and devise strategies to predict and prevent them.Source: Cybersecurity News
-
Hackers can abuse Microsoft Office executables to download #malware
#cybersecurity #lolbas
https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-office-executables-to-download-malware/ -
Hackers can abuse Microsoft Office executables to download #malware
#cybersecurity #lolbas
https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-office-executables-to-download-malware/ -
Operation #CMDStealer : Financially Motivated Campaign Leverages CMD-Scripts and #LOLBaS for Online #Banking Theft in #Portugal, #Peru, and #Mexico
https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
-
Operation #CMDStealer : Financially Motivated Campaign Leverages CMD-Scripts and #LOLBaS for Online #Banking Theft in #Portugal, #Peru, and #Mexico
https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
-
Operation #CMDStealer : Financially Motivated Campaign Leverages CMD-Scripts and #LOLBaS for Online #Banking Theft in #Portugal, #Peru, and #Mexico
https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
-
Operation #CMDStealer : Financially Motivated Campaign Leverages CMD-Scripts and #LOLBaS for Online #Banking Theft in #Portugal, #Peru, and #Mexico
https://blogs.blackberry.com/en/2023/05/cmdstealer-targets-portugal-peru-and-mexico
-
#hack100days Day 14. Slacked a bit over the weekend. Read up on Powershell, its relationship w/C#/.Net. Found some references to using C# to run powershell. Looked at msbuild.exe. I had a tab open talking about 'psattack', but the links to the GitHub page resulted in a 404. It looks like one could write a wrapper in C# that can call PowerShell w/out going through powershell.exe. Seems interesting. (Doing this because I didn't have enough time to bang around in CRTO lab.) #RedTeam #LOLBAS #PowerShell