Easy LOLBAS Wins for Purple Teams

What Are LOLBINS/LOLBAS?

Living Off the Land Binaries and Scripts (LOLBAS) is a technique used by adversaries and red teamers alike to abuse, misuse and execute malicious payloads on target. This is a great open source project of known binaries which provide resources to adversaries. The perk of these LOLBAS tools and executables is that they are built-in to the Operating System, and are typically signed by Microsoft. These allow adversaries to evade EDRs and other security tooling. We will look at several examples, and detections to improve security and make living off the land more difficult for would-be attackers.  The five techniques shown below are easy to test with SCYTHE and provide a baseline for LOLBAS detections.

Rundll32.exe

‍

Rundll32.exe is built into Windows operating systems. It allows a normal, unprivileged user to execute DLLs by providing the path to the DLL and EntryPoint to the function. This can be found by clicking Download Campaign Client in the Campaign View of SCYTHE. 

‍

‍

The default entrypoint for the campaign is AbsoluteClientMain. This can be executed from a PpowerSshell or Windows Command Promptcmd prompt by running the following command. 

‍

Execution Method:

rundll32.exe /path/to/scythe.dll,AbsoluteClientMain

Detections:

• Sigma: Sysmon rundll32 Net Connections
• Sigma: Win Suspend Rundll32 Activity

More Information: 

• LOLBAS Rundll32.exe

RegSrv32.exe

‍Regsrv32.exe is also built into every version of Windows. It allows normal, unprivileged users to register and unregister DLLs. In order to execute this, the DLL EentryPpoint must be named ‘DllRegisterServer’. Similar to the previous technique, theThis EntryPoint can be found by clicking Download Campaign Client in the Campaign View of SCYTHE. Since the EntryPoint needs to be changed to ‘DllRegisterServer’, it can be copied and pasted over the default.

Execution Methods:

regsvr32.exe /path/to/scythe.dll

Detections:

• Sigma: Windows Suspicious Regsvr32 Anomalies
• Sigma: Sysmon Regsvr32 Network Activity
• Sigma: DNS Query RegSvr32 Network Activity
• Sigma: Win Suspicious RegSvr32 Flags Anomaly
• Sigma: Sysmon Suspicious CLR Logs 

More Information:

• LOLBAS Regsvr32.exe

‍

ConHost.exe 

ConHost.exe is built into every version of Windows. It allows normal, unprivileged users to execute a malicious payload as a child process of conhost.exe. There is nothing specifically needed on SCYTHE’s side to use this command. You can download the 32-bit32bit or 64-bit executable file fromfilePE from the SCYTHE server and execute it as follows.

Execution Methods:

conhost.exe /path/to/scythe.exe

Detections:

• Sigma: Process Creation Windows Suspicious ConHost

More Information:

• LOLBAS Conhost.exe

Forfiles

Forfiles.exe is built into Windows. It allows normal, unprivileged users to execute a malicious executable file as a part of batch-processing large amounts of data. This is created as a child process of forfiles. There is nothing specifically needed on SCYTHE’s side to use this command. You can download the 32-bit or 64-bit executable from the SCYTHE server and execute it as follows.

‍

Execution Methods:

forfiles /p c:\windows\system32 /m notepad.exe /c c:\path\to\scythe.exe

Detections:

• Sigma: Windows Indirect Command

More Information:

• LOLBAS Forfiles.exe

‍

MavInject.exe

Last, but certainly not least is Mavinject.exe. This legitimate Windows binary is used to inject DLLs into running processes. It can be used by adversaries to inject malicious payloads into  legitimate running processes. In order to execute this, the DLL EntryPoint must be named ‘DllMain’. The menu to change the EntryPoint can be found by clicking Download Campaign Client in the Campaign View of SCYTHE.  

‍

Execution Methods:

mavinject.exe PID /INJECTRUNNING /path/to/scythe.dll

Detections:

• Sigma: Windows MavInject Process Injection
• Sigma: Sysmon Creation MavInject DLL

More Information:

• LOLBAS Mavinject.exe

‍

Conclusion: 

These five examples of LOLBAS techniques are great for providing new or veteran purple teams with coverage of popular execution methods, as well as SIGMA detections for them. By monitoring and detecting these LOLBAS techniques, you increase the level of the Pyramid of Pain for would be adversaries. These LOLBAS detections can be modified to your environment with tools such as Uncoder.

‍‍

This blog post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

About SCYTHE

SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io. 

‍