[This blog has been adapted from David’s recent presentation at Fal.Con 2024 in Las Vegas]
The effectiveness of traditional malware-based attacks on organizations is declining as defensive security tools and strategies improve. As a result, bad actors are increasingly utilizing living off the land binaries (LOLBins) as ‘gray areas’ that can be exploited to evade detection.
However, a number of tools and approaches are available to organizations to minimize the threat presented by LOLBin abuse.
‘File sprawl’ a growing trend
Why are LOLBin attacks a trend today? Over the last decade, we have seen a lot of functionality added to major operating systems. For example, if you compare Microsoft Windows 10 long-term servicing branch (LTSB), released in 2015, against Windows 11 24H2, the latter contains almost 50% more files.
Of course, this is not a scientific comparison, and file counts do not directly equal features or functionality, but this does demonstrate a trend in operating system file and functionality proliferation. And with a number of new features set to be launched with Windows Server 2025, this trend is unlikely to change soon.
Unfortunately, in this context, value cuts both ways, as additional functionality can also provide further options for attackers. At Airlock Digital, we believe that keeping track of what is new and reducing functionality is one of the best ‘bang for buck’ strategies you can employ to reduce the attack surface of your endpoints.
Using behavior-based detection to mitigate the threat of LOLBin abuse
This brings us to LOLBins and their potential for misuse by bad actors. Because these utilities enable features and functionality as well as malicious activity, security vendors cannot simply class them as ‘bad’ and remove them from customers’ endpoints.
Consequently, the industry has focused on behavior-based detection that aims to identify the misuse of functionality. This results in games of cat and mouse, where attackers will often ‘string together’ the use of numerous LOLBin techniques in an attempt to appear legitimate and avoid detection through their behaviors.
Attackers needing to go to these lengths is actually a measure of how good behavior-based detection has become. This complexity forces attackers to work harder and presents more opportunities for defenders to detect and prevent malicious intrusions.
Options and steps to minimize the LOLBin threat
The potential for LOLBin abuse within the most ubiquitous operating systems is well known. Windows features a number of utilities that attackers commonly abuse; for example, WMIC (the WMI command-line utility, used to make Win32 API calls) and Bitsadmin (used to create, download or upload files from external sources) are key targets. Again, because they are used for legitimate purposes, vendors cannot simply block them.
However, organizations have something that security vendors do not: context. Each organization can determine whether it specifically requires these utilities and constrain or prevent their use accordingly.
In practical terms, the four capabilities needed to do this are:
If these capabilities exist, organizations can monitor and understand the usage of LOLBins. For example, if a Cisco soft phone system is utilizing WMIC, then organizations can note this usage and allow its behavior as ‘known good’. This process is refined until only the anomalous uses of these tools are left, allowing organizations to block this type of usage with exceptions added as required.
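The scoping loop just described (record LOLBin launches, mark the context you have reviewed as ‘known good’, keep refining until only anomalous use remains, then switch to blocking with exceptions) can be modelled in a few lines. This is an added illustration, not Airlock Digital’s code; the process-start events, the `softphone.exe` stand-in for the soft phone case in the text, and the `(parent, LOLBin)` pairs in `KNOWN_GOOD` are all constructed.

```python
# Added example (not Airlock Digital's code). Models the LOLBin scoping loop:
# monitor launches, mark reviewed context as known good, flag the remainder.
# Events, image names and the KNOWN_GOOD pairs are constructed/hypothetical.
from collections import Counter

LOLBINS = {"wmic.exe", "bitsadmin.exe"}

# (parent image, LOLBin) pairs the organisation has reviewed and trusts.
# 'softphone.exe' is a stand-in for the soft phone example in the text.
KNOWN_GOOD = {
    ("softphone.exe", "wmic.exe"),
}

# Constructed process-start events: (host, parent image, image)
EVENTS = [
    ("ws01", "softphone.exe", "wmic.exe"),
    ("ws01", "explorer.exe", "notepad.exe"),
    ("ws02", "softphone.exe", "wmic.exe"),
    ("ws02", "winword.exe", "wmic.exe"),
    ("ws03", "updater.exe", "bitsadmin.exe"),
    ("ws03", "updater.exe", "bitsadmin.exe"),
]


def classify(event, known_good=KNOWN_GOOD):
    """'ignore' for non-LOLBin launches, 'known_good' for reviewed context,
    'anomalous' for any other LOLBin launch."""
    _, parent, image = event
    image = image.lower()
    if image not in LOLBINS:
        return "ignore"
    if (parent.lower(), image) in known_good:
        return "known_good"
    return "anomalous"


def review(events, known_good=KNOWN_GOOD):
    """Monitor mode: count anomalous (parent, LOLBin) pairs so an analyst
    can decide which ones to add as exceptions before enforcing."""
    return Counter(
        (e[1].lower(), e[2].lower())
        for e in events
        if classify(e, known_good) == "anomalous"
    )


def enforce(events, known_good=KNOWN_GOOD):
    """Block mode: allow known-good context, block remaining LOLBin use."""
    return [
        (e, "block" if classify(e, known_good) == "anomalous" else "allow")
        for e in events
    ]
```

Running `review(EVENTS)` surfaces the updater’s Bitsadmin use; after an analyst adds that pair to the known-good set, a second pass leaves only the Word-spawned WMIC launch, which `enforce` then blocks.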
So what tools can be used to perform this?
Endpoint Detection and Response (EDR) tools can be used to monitor the usage of LOLBins, and, in some cases, scope and confine their use. Allowlisting solutions can also perform this functionality by enabling organizations to granularly choose what they trust, under what circumstances, and block everything else.
Why does this strategy require blocking?
So why do we have to take the approach of blocking, rather than deletion? Unfortunately, teams cannot simply delete files if they do not need them, as operating systems will typically add these utilities back in through updates.
There are a few other approaches that organizations can take to minimize the attack surface, including:
What resources are available to support organizations seeking to combat LOLBin attacks?
I have also found the following resources to be quite useful on this subject:
Or, best of all, Airlock Digital’s application control (allowlisting) solution provides the capabilities to block and scope LOLBins out of the box, through predefined blocklist packages. This makes it easy to allow what you need and block what you don’t.
We hope this provides a valuable viewpoint of the challenges presented by LOLBins and approaches you can take to proactively minimize their usage. Ultimately, context within each organization is critical. If you are interested in diving into this concept further, I recommend taking a look at one of our previous blog posts, ‘Trust in File Based Security’.