Identifying Quieter Attack Techniques

November 16, 2023

Over the years, the security scene has been characterized by a cat-and-mouse game between red teamers and blue teamers. Increasingly sophisticated attack techniques have led to an equally sophisticated response in terms of endpoint detection and response (EDR) systems, endpoint protection platforms (EPPs) and antivirus software.


Due to this evolution, red teamers need to step up their game to get the edge on the blue team, to match the sophistication of real-world adversaries and, in general, to stay relevant. They need to get quieter so they can get their activity to blend in with legitimate network traffic.


One effective way to stay quiet is to use native binaries that ship with the operating system, also known as LOLBins (living off the land binaries). Red teamers can leverage some of the functionality of these binaries, which are signed by known vendors and therefore trusted by default. This blog post will further explain the significance of LOLBins attacks.


All About LOLBins

LOLBins derive from the idea of “living off the land,” which means compromising a system using only the tools already present in the operating system itself. Applying this concept to their techniques, adversaries and red teamers can keep a low profile because they don’t install new tools or create new files that could leave a revealing audit trail. Instead, they use the functionality of native binaries beyond its intended purpose. When leveraging LOLBins, adversaries can even execute attacks without escalating privileges to an administrator level.


The Challenge

Because they are difficult to detect or distinguish from legitimate activity, LOLBins pose a challenge to blue teamers. In fact, blue teamers don’t always actively monitor them, or they only track the most well-known ones. Unfortunately, the Windows OS comes with a lot of native binaries, and they are not always documented. So, detecting a new LOLBin can be like finding a zero-day—at least for a while.


In an important effort to document and track new LOLBins, the security community maintains the LOLBAS project. By documenting both the discovered offensive capabilities and the related TTPs (Tactics, Techniques and Procedures), this project provides crucial reference material for red teamers and blue teamers. Using these references from the LOLBAS project together with the MITRE ATT&CK framework, organizations can more deeply analyze their security gaps and perform a more thorough assessment of their security solutions.


How LOLBins Change the Security Game

The concept behind LOLBins represents a dramatic shift in the security game. As seen in recent examples, APTs (advanced persistent threat groups) and other malicious actors have been increasingly using native binaries to avoid detection and to deliver malware and ransomware campaigns. While this opens interesting avenues for red teamers, it also makes blue teamers’ jobs harder.


These industry shifts add more weight to the argument that organizations should view security as a mindset rather than a product. Security breaches often happen because organizations rely too heavily on off-the-shelf solutions, assuming that such products give them complete visibility into what happens within their network.


If organizations do not account for the possibility of attackers abusing LOLBins to achieve their goals and compromise their systems, they create blind spots in corporate networks that often allow attackers to go undetected for long periods of time.


Because these native binaries are signed by known vendors and ship with the operating system itself, LOLBins challenge traditional endpoint detection and response (EDR) solutions in terms of pure detection: they match no malware signature, and they look legitimate. More recently, however, most EDR solutions have started including behavioral factors (e.g., asking why someone in the accounting department needs the ability to RDP to the domain controller). In the effort to approach security with this zero-trust mindset, security practitioners should invest time and resources in researching new potential LOLBins. Equipped with this information, security teams can proactively implement appropriate defenses and monitoring capabilities.
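The behavioral angle described above can be made concrete as a small scoring rule: instead of asking "is this binary malicious?" (it never is, by signature), ask "is this LOLBAS-listed binary running in a context that makes sense for this user and parent process?". The following is an added example written for this post, not Optiv's code nor any EDR product's logic. It assumes Sysmon-style process-creation records flattened into dicts with `Image`, `ParentImage`, `CommandLine`, `User` and an assumed `Role` enrichment field, plus a constructed per-role baseline; the binaries are a small subset of the LOLBAS list, mapped to the ATT&CK techniques the post's conclusions recommend reviewing (ingress tool transfer, system binary proxy execution, indirect command execution).

```python
"""Context-aware scoring of LOLBin process-creation events.

Added example (not from the original post or any product). Inputs are
constructed Sysmon-style records; the role baseline is an assumption that a
real deployment would derive from its own telemetry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Subset of LOLBAS-listed binaries, mapped to the ATT&CK technique their abuse
# is normally recorded under. Technique IDs are real; the subset is illustrative.
LOLBINS = {
    "certutil.exe": "T1105 Ingress Tool Transfer",
    "mshta.exe": "T1218 System Binary Proxy Execution",
    "regsvr32.exe": "T1218 System Binary Proxy Execution",
    "rundll32.exe": "T1218 System Binary Proxy Execution",
    "forfiles.exe": "T1202 Indirect Command Execution",
    "pcalua.exe": "T1202 Indirect Command Execution",
}

# Parents from which a LOLBin launch is itself a behavioral signal:
# document readers and mail clients have no business spawning these.
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}

# Constructed per-role baseline of binaries each role is expected to launch.
# A LOLBin outside the set is the "why does accounting need this?" question.
ROLE_BASELINE = {
    "accounting": {"excel.exe", "winword.exe", "outlook.exe", "chrome.exe"},
    "it-admins": {"rundll32.exe", "regsvr32.exe", "certutil.exe", "powershell.exe"},
    "system": {"rundll32.exe", "regsvr32.exe", "svchost.exe"},
}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
ALERT_THRESHOLD = 3


@dataclass
class Verdict:
    score: int
    technique: str
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Optional[Verdict]:
    """Score one process-creation record; None if the image is not a LOLBin."""
    image = _basename(event["Image"])
    technique = LOLBINS.get(image)
    if technique is None:
        return None
    v = Verdict(score=1, technique=technique, reasons=[f"{image} is LOLBAS-listed"])
    parent = _basename(event.get("ParentImage", ""))
    if parent in RISKY_PARENTS:                      # office/mail parent
        v.score += 2
        v.reasons.append(f"spawned by {parent}")
    if URL_RE.search(event.get("CommandLine", "")):  # remote content on the command line
        v.score += 2
        v.reasons.append("command line references a URL")
    role = event.get("Role", "")
    if image not in ROLE_BASELINE.get(role, set()):  # outside the role's baseline
        v.score += 2
        v.reasons.append(f"{image} is outside the '{role}' baseline")
    return v


def detect(events: List[dict]) -> List[Tuple[dict, Verdict]]:
    """Return (event, verdict) pairs whose score reaches the alert threshold."""
    alerts = []
    for ev in events:
        v = score_event(ev)
        if v is not None and v.score >= ALERT_THRESHOLD:
            alerts.append((ev, v))
    return alerts


# Constructed sample telemetry (command-line arguments deliberately elided).
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "Role": "system",
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "rundll32.exe <args omitted>"},                 # routine, scores 1
    {"User": "CORP\\jdoe", "Role": "accounting",
     "Image": "C:\\Windows\\System32\\certutil.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "certutil.exe <flags omitted> http://example.invalid/update.dat"},
    {"User": "CORP\\jdoe", "Role": "accounting",
     "Image": "C:\\Windows\\System32\\forfiles.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "forfiles.exe <args omitted>"},
    {"User": "CORP\\jdoe", "Role": "accounting",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "EXCEL.EXE"},                                   # not a LOLBin
]

if __name__ == "__main__":
    for ev, v in detect(SAMPLE_EVENTS):
        print(f"[{v.technique}] score={v.score} user={ev['User']}: " + "; ".join(v.reasons))
```

The point of the scoring is that the same binary produces different verdicts depending on who ran it and from where: `rundll32.exe` under SYSTEM from `svchost.exe` stays quiet, while `certutil.exe` spawned by Word in an accounting user's session with a URL on its command line is exactly the "why would this user need this?" case the post describes. Thresholds and baselines are tuning knobs, not fixed truths; the first weeks of running such a rule are spent adjusting them against the organization's own normal.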


Conclusions

Here are some key takeaways that you should keep in mind when it comes to LOLBins.


  • By using LOLBins, red teamers can keep a low profile and go undetected for longer.
  • Blue teamers need to stay abreast of the latest research on LOLBins to better thwart attacks.
  • Organizations should leverage the MITRE ATT&CK framework to learn about key adversary techniques involving LOLBins and subsequently enhance their detection and monitoring capabilities. Recommended techniques to review include indirect command execution, ingress tool transfer and system binary proxy execution.
  • Security is a mindset and a process—not simply a product.
  • Organizations need to move toward a zero-trust mindset.
Mattia Campagnano
Consultant II | Optiv
Mattia Campagnano has over 16 years of experience in penetration testing and tech support environments. His experience ranges from small businesses to Fortune 500 corporations in a multitude of industries (healthcare, financial services, local/State government, software development, IT, etc.). His areas of expertise include red teaming/adversarial simulations, network penetration testing, web application penetration testing, spear phishing, vishing, vulnerability management, wireless and mobile application penetration testing assessments.