home.social

#lolbins — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #lolbins, aggregated by home.social.

  1. CrashFix marks a notable escalation in ClickFix tradecraft.

    The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.

    This is a strong case for:
    • Behavior-based detection
    • EDR in block mode
    • Restricting legacy utilities
    • User-focused threat modeling

    💬 Which detection layer would catch this earliest in your environment?

    Source: microsoft.com/en-us/security/b

    🔔 Follow @technadu for deep technical threat analysis

    #InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu

  2. CrashFix marks a notable escalation in ClickFix tradecraft.

    The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.

    This is a strong case for:
    • Behavior-based detection
    • EDR in block mode
    • Restricting legacy utilities
    • User-focused threat modeling

    💬 Which detection layer would catch this earliest in your environment?

    Source: microsoft.com/en-us/security/b

    🔔 Follow @technadu for deep technical threat analysis

    #InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu

  3. CrashFix marks a notable escalation in ClickFix tradecraft.

    The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.

    This is a strong case for:
    • Behavior-based detection
    • EDR in block mode
    • Restricting legacy utilities
    • User-focused threat modeling

    💬 Which detection layer would catch this earliest in your environment?

    Source: microsoft.com/en-us/security/b

    🔔 Follow @technadu for deep technical threat analysis

    #InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu

  4. CrashFix marks a notable escalation in ClickFix tradecraft.

    The campaign combines browser DoS, fake Chrome extensions, delayed execution, LOLBin abuse (finger.exe → ct.exe), and a portable Python environment to deploy a covert RAT only after identifying high-value systems.

    This is a strong case for:
    • Behavior-based detection
    • EDR in block mode
    • Restricting legacy utilities
    • User-focused threat modeling

    💬 Which detection layer would catch this earliest in your environment?

    Source: microsoft.com/en-us/security/b

    🔔 Follow @technadu for deep technical threat analysis

    #InfoSec #CrashFix #ClickFix #PythonMalware #LOLBins #EDR #ThreatHunting #DetectionEngineering #MicrosoftDefender #TechNadu

  5. 🦠 Malware Analysis
    ===================

    🦠 Malware Analysis

    Executive summary: A recently observed campaign leverages malicious
    Windows shortcut files (.LNK) distributed via Discord to deliver a
    multi‑functional Remote Access Trojan (RAT). The LNK triggers a hidden
    PowerShell that extracts a ZIP (Moq.zip) containing a malicious DLL
    and executes it through the legitimate binary odbcconf.exe, a
    Living‑off‑the‑Land Binary (LOLBin), to evade detection.

    Technical details:
    • The shortcut named Cyber security.lnk opens an embedded decoy PDF
    Cyber security.pdf while running a PowerShell payload in hidden mode
    (via a headless conhost.exe).
    • The PowerShell creates a working path (Temp and a Nuget folder under
    Public), extracts an embedded PDF and the ZIP archive, then drops
    Moq.zip and a malicious DLL.
    • Execution is handed to odbcconf.exe to load the DLL, enabling
    process execution without spawning visible consoles.
    • The RAT collects system/antivirus information, attempts AMSI
    bypasses, and patches EtwEventWrite to impair Windows Event Tracing
    (ETW).

    🔹 Attack Chain Analysis

    1. Initial Access (LNK): User opens Cyber security.lnk from Discord —
    triggers hidden PowerShell (MITRE: T1204.002).
    2. Download/Stage: PowerShell extracts embedded PDF and Moq.zip into
    Temp/Public\Nuget.
    3. Execution via LOLBin: odbcconf.exe is used to load the dropped DLL
    (MITRE: T1218 — System Binary Proxy Execution).
    4. Persistence/Control: Malicious DLL implements RAT behaviors,
    including remote commands and reconnaissance.
    5. Defense Evasion: AMSI bypass and EtwEventWrite patching (Impair
    Defenses) reduce telemetry and impede detection.

    Detection guidance:
    • Monitor process trees where odbcconf.exe is launched from atypical
    parents (PowerShell/conhost).
    • Alert on hidden PowerShell instances extracting embedded files and
    writing PDFs from LNK streams.
    • Watch for API patching attempts around EtwEventWrite and AMSI
    initialization failures.

    Mitigation:
    • Restrict execution of unsigned Office/shortcut attachments from
    untrusted channels.
    • Apply application control to prevent odbcconf.exe from loading untrusted DLLs.
    • Enable telemetry and harden AMSI where possible; monitor ETW integrity.

    References/Notes: Preliminary detections were reported from Israel;
    campaign observed distribution via Discord and use of decoy PDFs. #LNK
    #RAT #AMSI #ETW #LOLBins

    🔗 Source: labs.k7computing.com/index.php

  6. No PE header? No problem.

    @FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.

    You ever load a binary in IDA and think, “Am I being punk’d?”
    Yeah, it’s one of those samples.

    This sample:

    • Reconstructs its own PE structure at runtime

    • Hides config data in obfuscated blobs

    • Uses anti-sandbox tricks to avoid analysis

    • Drops yet another info-stealer, because originality is dead

    It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.

    🔗 Full breakdown:
    fortinet.com/blog/threat-resea

    TL;DR for blue teamers:

    • Static AV signatures won’t help here

    • Watch for suspicious memory allocations + hollowing patterns

    • Endpoint heuristics > file-based detection

    • Log your PowerShell and LOLBins — this thing probably brings friends

    • If your EDR cries when it sees raw shellcode, maybe give it a hug

    #ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam

  7. No PE header? No problem.

    @FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.

    You ever load a binary in IDA and think, “Am I being punk’d?”
    Yeah, it’s one of those samples.

    This sample:

    • Reconstructs its own PE structure at runtime

    • Hides config data in obfuscated blobs

    • Uses anti-sandbox tricks to avoid analysis

    • Drops yet another info-stealer, because originality is dead

    It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.

    🔗 Full breakdown:
    fortinet.com/blog/threat-resea

    TL;DR for blue teamers:

    • Static AV signatures won’t help here

    • Watch for suspicious memory allocations + hollowing patterns

    • Endpoint heuristics > file-based detection

    • Log your PowerShell and LOLBins — this thing probably brings friends

    • If your EDR cries when it sees raw shellcode, maybe give it a hug

    #ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam

  8. No PE header? No problem.

    @FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.

    You ever load a binary in IDA and think, “Am I being punk’d?”
    Yeah, it’s one of those samples.

    This sample:

    • Reconstructs its own PE structure at runtime

    • Hides config data in obfuscated blobs

    • Uses anti-sandbox tricks to avoid analysis

    • Drops yet another info-stealer, because originality is dead

    It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.

    🔗 Full breakdown:
    fortinet.com/blog/threat-resea

    TL;DR for blue teamers:

    • Static AV signatures won’t help here

    • Watch for suspicious memory allocations + hollowing patterns

    • Endpoint heuristics > file-based detection

    • Log your PowerShell and LOLBins — this thing probably brings friends

    • If your EDR cries when it sees raw shellcode, maybe give it a hug

    #ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam

  9. No PE header? No problem.

    @FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.

    You ever load a binary in IDA and think, “Am I being punk’d?”
    Yeah, it’s one of those samples.

    This sample:

    • Reconstructs its own PE structure at runtime

    • Hides config data in obfuscated blobs

    • Uses anti-sandbox tricks to avoid analysis

    • Drops yet another info-stealer, because originality is dead

    It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.

    🔗 Full breakdown:
    fortinet.com/blog/threat-resea

    TL;DR for blue teamers:

    • Static AV signatures won’t help here

    • Watch for suspicious memory allocations + hollowing patterns

    • Endpoint heuristics > file-based detection

    • Log your PowerShell and LOLBins — this thing probably brings friends

    • If your EDR cries when it sees raw shellcode, maybe give it a hug

    #ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam

  10. No PE header? No problem.

    @FortiGuardLabs dropped a deep dive into a malware sample dumped without a PE header — like a cybercriminal rage-quit halfway through packing their payload.

    You ever load a binary in IDA and think, “Am I being punk’d?”
    Yeah, it’s one of those samples.

    This sample:

    • Reconstructs its own PE structure at runtime

    • Hides config data in obfuscated blobs

    • Uses anti-sandbox tricks to avoid analysis

    • Drops yet another info-stealer, because originality is dead

    It’s engineered to break basic static analysis and dodge sandboxes like it’s speedrunning DEFCON CTF.

    🔗 Full breakdown:
    fortinet.com/blog/threat-resea

    TL;DR for blue teamers:

    • Static AV signatures won’t help here

    • Watch for suspicious memory allocations + hollowing patterns

    • Endpoint heuristics > file-based detection

    • Log your PowerShell and LOLBins — this thing probably brings friends

    • If your EDR cries when it sees raw shellcode, maybe give it a hug

    #ThreatIntel #MalwareAnalysis #ReverseEngineering #Infosec #PEFilesAreSo2020 #EDREvasion #LOLbins #CyberSecurity #BlueTeam

  11. Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.

    So... I made one: github.com/danzek/awesome-lol-

    Contributions welcome, whether by replying to this post or sending a PR on GitHub.

    #lolbins #lolbas

  12. Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.

    So... I made one: github.com/danzek/awesome-lol-

    Contributions welcome, whether by replying to this post or sending a PR on GitHub.

    #lolbins #lolbas

  13. Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.

    So... I made one: github.com/danzek/awesome-lol-

    Contributions welcome, whether by replying to this post or sending a PR on GitHub.

    #lolbins #lolbas

  14. Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found

    huntress.com/blog/cant-touch-t

    #DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
    @keydet89

  15. Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found

    huntress.com/blog/cant-touch-t

    #DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
    @keydet89

  16. Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found

    huntress.com/blog/cant-touch-t

    #DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
    @keydet89

  17. Did you know that the finger command can be used for data exfil? We recently had an incident where this type of activity was found

    huntress.com/blog/cant-touch-t

    #DFIR #lolbins #lolbas #exfil #mchammer #CTI #cybersecurity
    @keydet89