Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (
LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities.
"LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes," Pentera security researcher Nir Chako
said. "This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities."
To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute "more robust malware" on infected hosts.
This includes:
MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and
sftp.exe.
"In a complete attack chain, a hacker will use a LOLBAS downloader to download more robust malware," Chako said. "Then, they will try to execute it in a stealthy way. LOLBAS executors allow attackers to execute their malicious tools as part of a legitimate looking process tree on the system."
