Introduction
In the ever-evolving landscape of cybersecurity, new threats and vulnerabilities are constantly being discovered. One such threat that has gained significant attention in recent years is the concept of Living-off-the-Land Binaries and Scripts (LOLBAS). These are legitimate binaries and scripts present in Windows that can be abused for malicious purposes. The term may sound complex, but it simply refers to the abuse of legitimate system files to carry out nefarious activities.
What are LOLBAS?
LOLBAS are typically described as signed files that are either native to the Windows operating system or downloaded from Microsoft. They are legitimate tools that hackers can abuse during post-exploitation activity to download and/or run payloads without triggering defensive mechanisms. This makes them particularly dangerous, as they can operate under the radar, bypassing traditional security measures.
Even executables that are not signed by Microsoft serve purposes that are useful in attacks, such as reconnaissance. This means that attackers can use these files to gather information about the target system, further aiding their malicious activities.
The Growing List of LOLBAS
The LOLBAS project, an open-source initiative aimed at documenting these files, currently lists over 150 Windows-related binaries, libraries, and scripts that can help attackers execute or download malicious files or bypass lists of approved programs. This list is continually growing as researchers and cybersecurity professionals discover new potential LOLBAS.
Recently, security researcher Nir Chako set off to discover new LOLBAS files by looking at the executables in the Microsoft Office suite. This suite, which includes popular applications like Word, Excel, and PowerPoint, is widely used in both personal and professional settings, making it a prime target for attackers.
Chako’s Research
Chako tested all the executables in the Microsoft Office suite manually and found three – MsoHtmEd.exe, MSPub.exe, and ProtocolHandler.exe – that could be used as downloaders for third-party files, thus fitting the LOLBAS criteria. This discovery is significant, as it highlights the potential for even seemingly innocuous files to be used in malicious activities.
He shared a video that shows MsoHtmEd reaching the test HTTP server with a GET request, indicating an attempt to download a test file. This demonstrates the potential for these files to be used in real-world attacks, downloading malicious payloads onto unsuspecting users’ systems.
Automating the Discovery Process
Inspired by his initial success, Chako developed a script to automate the verification process and cover a larger pool of executables faster. This is a crucial step in the research process, as manually testing each file is time-consuming and inefficient.
Using this automated method, he managed to find six more downloaders. In total, he discovered 11 new files with download and execute functionalities that meet the principles of the LOLBAS project. This represents a significant expansion of the known LOLBAS, highlighting the ongoing threat posed by these files.
The New Additions to LOLBAS
Among the new additions to the LOLBAS list are MSPub.exe, Outlook.exe, and MSAccess.exe, which an attacker or a penetration tester could use to download third-party files. These files represent a range of functionalities within the Microsoft Office suite, from publishing (MSPub) to email management (Outlook) and database management (MSAccess).
While MSPub has been confirmed to download arbitrary payloads from a remote server, the other two have yet to be added to the LOLBAS list due to a technical error. However, their potential for abuse has been clearly demonstrated, and they are likely to be officially recognized as LOLBAS in the near future.
Beyond Microsoft: Other LOLBAS Sources
Apart from Microsoft binaries, Chako also found files from other developers that meet the LOLBAS criteria. One example is the popular PyCharm suite for Python development. This suite is widely used by developers, making it another potential target for attackers.
The PyCharm installation folder contains elevator.exe, which can execute arbitrary files with elevated privileges, and WinProcessListHelper.exe, which can serve reconnaissance purposes by enumerating all the processes running on the system. These files represent another facet of the LOLBAS threat, demonstrating that it is not limited to Microsoft products.
The Importance of Understanding LOLBAS
Understanding the concept of LOLBAS is crucial for both attackers and defenders. For attackers, it opens up a new avenue for exploiting systems. By using legitimate system files, they can carry out their activities while avoiding detection, making their attacks more effective.
For defenders, understanding LOLBAS helps define adequate methodologies and mechanisms to prevent or mitigate cyberattacks. By knowing how these files can be abused, they can develop strategies to detect and block such activities, protecting their systems and data from potential attacks.
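As an added example of the detection side (not code from the article or from the LOLBAS project), the script below scans endpoint telemetry for the binaries named above. The log lines are constructed for the example and only loosely modelled on Sysmon's process-create (Event ID 1) and network-connect (Event ID 3) fields; the paths, addresses and the watchlist itself are assumptions built from this article rather than an official LOLBAS export. It applies three rules: an Office binary from the list launched with a URL on its command line, an Office binary from the list opening an outbound connection (Outlook is excluded because network activity is its normal behaviour, so it is covered only by the command-line rule), and any execution of the PyCharm helpers elevator.exe and WinProcessListHelper.exe, which an analyst would baseline against legitimate IDE use.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Watchlists assembled from the binaries discussed in the article (assumption:
# this is an illustrative subset, not the LOLBAS project's full list).
OFFICE_DOWNLOADERS = {"msohtmed.exe", "mspub.exe", "protocolhandler.exe",
                      "outlook.exe", "msaccess.exe"}
THIRD_PARTY_HELPERS = {"elevator.exe", "winprocesslisthelper.exe"}
# Binaries whose outbound traffic is expected; they need the command-line rule
# or a destination allowlist rather than a bare network-connection rule.
NETWORK_EXPECTED = {"outlook.exe"}

# key=value or key="value with spaces" tokens on one line
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
URL_RE = re.compile(r"\bhttps?://\S+", re.IGNORECASE)

# Constructed sample telemetry: paths and IPs are made up for the example.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Office\\MsoHtmEd.exe" CommandLine="MsoHtmEd.exe http://192.0.2.10/test.txt"',
    'EventID=3 Image="C:\\Office\\MSPub.exe" DestinationIp=192.0.2.10 DestinationPort=80',
    'EventID=3 Image="C:\\Office\\Outlook.exe" DestinationIp=198.51.100.5 DestinationPort=443',
    'EventID=1 Image="C:\\Office\\WINWORD.EXE" CommandLine="WINWORD.EXE report.docx"',
    'EventID=1 Image="C:\\PyCharm\\bin\\elevator.exe" CommandLine="elevator.exe --help"',
    "this line is not structured telemetry and must be skipped",
]


@dataclass
class Alert:
    rule: str
    image: str
    detail: str


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Turn one key=value line into a dict; return None for malformed lines."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}
    if "EventID" not in fields or "Image" not in fields:
        return None
    return fields


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(fields: Dict[str, str]) -> Optional[Alert]:
    """Apply the three detection rules to one parsed event."""
    name = image_name(fields["Image"])
    if fields["EventID"] == "1":
        cmd = fields.get("CommandLine", "")
        # Rule 1: listed Office binary handed a URL, i.e. used as a downloader
        if name in OFFICE_DOWNLOADERS and URL_RE.search(cmd):
            return Alert("lolbas_url_argument", name, cmd)
        # Rule 3: PyCharm helper executed at all; baseline against IDE usage
        if name in THIRD_PARTY_HELPERS:
            return Alert("third_party_helper_execution", name, cmd)
    elif fields["EventID"] == "3":
        dest = f'{fields.get("DestinationIp", "?")}:{fields.get("DestinationPort", "?")}'
        # Rule 2: listed Office binary talking to the network, Outlook excepted
        if name in OFFICE_DOWNLOADERS and name not in NETWORK_EXPECTED:
            return Alert("lolbas_network_connection", name, dest)
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run every line through the parser and rules, collecting alerts in order."""
    alerts = []
    for line in lines:
        fields = parse_event(line)
        if fields is None:
            continue
        alert = evaluate(fields)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.rule:32} {a.image:24} {a.detail}")
```

Run against the constructed log, the scan raises three alerts (the MsoHtmEd download command, the MSPub outbound connection, and the elevator.exe execution) and stays silent on Outlook's routine connection and on an ordinary Word launch. In production the command-line rule is the most robust of the three, because the network rule needs per-environment allowlisting once binaries with legitimate connectivity are added to the watchlist.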
In conclusion, the discovery of new LOLBAS files is a testament to the evolving nature of cybersecurity threats. As the list of LOLBAS continues to grow, so does the need for robust and dynamic defense mechanisms. By staying informed about these threats and how they operate, we can better protect our systems and data from potential attacks.