Hunting for LOLBins & Living Off The Land

If you're looking to learn how to hunt for LOLBins, look no further. In this intro guide we'll teach you how to easily search for the most commonly abused executables, all without a writing a line of code. Create a Gigasheet account here  (free) if you don't have one, and let's dive in.

Living-off-the-land binaries, also known as LOLBins, are executables that come installed as part of the Windows operating system by default. LOLBins make use of commonly accessible utilities and resources in an attempt to hide malicious behaviors as normal system activity. This is why LOLBins are frequently utilized by threat actors to stay under the radar. Attackers use LOLBins for downloading files or payloads, hijacking DLLs, process dumping, evading UAC keylogging, bypassing logging, code execution, and more.

Hunting for LOLBins in Windows Event Logs is an important activity for any security team. LOLBins typically have the following characteristics:

• LOLBins are hard to detect.
• LOLBins do not consume a lot of Windows system resources.  
• LOLBin executables do not require the creation, purchase, or downloads of any additional applications that are malicious.

In this blog we describe a few common LOLBins and discuss how they are used in the wild, and we'll show you how anyone can hunt for LOLBins using Gigasheet without writing a line of code.

The following executables are of interest, as they can be used to download or execute malicious code. These processes should be monitored, and their execution pattern should be under consistent observation (i.e., logging).

Common LOLBins

Hunting For LOLBins In Your Windows Logs

To get started simply upload EVTX or a Windows Sysmon logs to Gigasheet. After Gigasheet automatically parses the EVTX (or other log, csv, etc) we'll look for command lines that contain suspicious patterns.

In this example we'll look for "certutil.exe" which adversaries can use to covertly execute VB Scripts:

certutil -decode C:\ProgramData\googlelog.txt C:\ProgramData\edge.bat

Note: You can easily repeat these same steps to hunt for each executable listed.

We can simplify this to search for for the command line containing the common string “certutil” and “decode” in our Windows log we find the match below:

LOLBin certutil Search and Results

The certutil command in the above screenshot shows how crafty the LOLBin can be. Here it's used to evade detection by encoding the content in the text file in base64, which then will be decoded by certutil locally when it runs.

When hunting LOLBins it's important to determine is if they are parents to any suspicious sub-processes. Now we will look at some common uses for LOLBins in the past and how threat actors abused them.

Sodinokibi Ransomware

Sodinokibi ransomware (part of REvil) is a common ransomware that spreads by using the most common method of attack - phishing. While it spreads by other means, such as exploit kits targeting vulnerabilities in web frameworks such as WebLogic, phishing is by far the most common tactic.

Sodinokibi uses a PowerShell command to download an executable file from a host, save it locally, and execute it. In addition, it also uses cmd to invoke certutil and download yet another executable. Sodinokibi then uses cmd again to call one of the downloaded executable files, which in turn calls the vssadmin.exe utility. This is often used to delete volume shadow copies to prevent system recovery.

A common pattern we observe involving LOLBins and Sodinokibi is as below:

https://<domain>/<path1>/<path2>/<filename>.<ext>

Even though there might be few legitimate domains that might match the given pattern, it almost always points to a C2 server using LOLBin to execute.

Using Gigasheet we can easily look for commands that contain any “http” requests in the sysmon logs.

Once we filter for all http requests in the command line, we see http requests associated with the common LOLBins we listed above. These command lines executions look like abnormal results.

With this information, we can build a new filter to find these abnormal LOLBins, and then work to determine the intent of this download.

Search for common LOLBins

Results from our filter:

vssadmin.exe deletes shadow copies quietly

As we suspected, the results in the above screenshot confirm that cmd calls vssadmin.exe to delete the volume shadow copies quietly.

Wrapping Up

In these simple examples we've demonstrated how anyone can quickly hunt for LOLBin abuse in their Windows Sysmon logs using Gigasheet. It's important to remember that in reality, defending against abuse of LoLBins is not easy. It is especially difficult for security controls that do not monitor process behavior. SOCs relying solely on SIEM and EDR solutions is not enough, and we need to move to more active defenses. The best possible way to get ahead is to engage in proactive threat hunting with tools like Gigasheet.