LOLBAS in the Wild: 11 Living-Off-The-Land Binaries Used for Malicious Purposes


Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities.

“LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes,” Pentera security researcher Nir Chako said. “This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities.”

To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute “more robust malware” on infected hosts.

This includes: MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe.

Read more…