CyberTech

Level 31
Verified
A binary in Windows 10 responsible for setting an image for the desktop and lock screen can help attackers download malware on a compromised system without raising the alarm.
Known as living-off-the-land binaries (LoLBins), these files come with the operating system and have a legitimate purpose. Attackers of all colors are abusing them in post-exploitation phases to hide malicious activity.

The new LoL in the Bin
An attacker can use LoLBins to download and install malware and bypass security controls such as UAC or WDAC. Typically, the attack involves fileless malware and reputable cloud services.
 

silversurfer

Level 61
Verified
Trusted
Content Creator
Malware Hunter
Executive Summary
  • Security professionals care about uncovering LOLBins; we found a new one that can be used to download arbitrary files as an alternative to certutil.
  • It can be run by standard users on most versions of Windows 10 used in the enterprise.
  • EDR practitioners should update their queries and watchlists to treat desktopimgdownldr.exe (new LOLBin binary) like certutil.exe.
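As an added example (not code from the thread or from any EDR vendor), here is a small Python detection routine that applies the watchlist change described above to process-creation records: desktopimgdownldr.exe is treated exactly like certutil.exe, and either binary is flagged only when its command line carries a remote URL. The pipe-separated record format, user names, hosts and URLs are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Watchlist from the summary above: desktopimgdownldr.exe gets the same treatment as certutil.exe.
LOLBIN_DOWNLOADERS = {"certutil.exe", "desktopimgdownldr.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

@dataclass
class Alert:
    timestamp: str
    user: str
    image: str
    parent: str
    url: str

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts / or \\ as separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> dict:
    """Constructed record format (assumption): timestamp|user|image|parent_image|command_line."""
    ts, user, image, parent, cmdline = line.rstrip("\r\n").split("|", 4)
    return {"ts": ts, "user": user, "image": image, "parent": parent, "cmdline": cmdline}

def detect(lines: Iterable[str]) -> list[Alert]:
    """One Alert per watchlisted binary launched with a remote URL on its command line."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if basename(ev["image"]) not in LOLBIN_DOWNLOADERS:
            continue  # not a watchlisted downloader, whatever the URL
        m = URL_RE.search(ev["cmdline"])
        if m is None:
            continue  # watchlisted binary but no remote URL (e.g. certutil -hashfile): not a download
        alerts.append(Alert(ev["ts"], ev["user"], basename(ev["image"]), basename(ev["parent"]), m.group(0)))
    return alerts

# Constructed sample process-creation records; users, parents and URLs are invented.
SAMPLE_EVENTS = """\
2020-06-29T10:01:02Z|CORP\\alice|C:\\Windows\\System32\\desktopimgdownldr.exe|C:\\Windows\\System32\\cmd.exe|desktopimgdownldr.exe https://cdn.example.invalid/wallpaper.jpg
2020-06-29T10:03:10Z|CORP\\bob|C:\\Windows\\System32\\certutil.exe|C:\\Windows\\System32\\cmd.exe|certutil -hashfile C:\\Users\\bob\\setup.msi SHA256
2020-06-29T10:05:44Z|CORP\\carol|C:\\Program Files\\Updater\\updater.exe|C:\\Windows\\explorer.exe|updater.exe https://updates.example.invalid/manifest.json
2020-06-29T10:07:31Z|NT AUTHORITY\\SYSTEM|C:\\WINDOWS\\SYSTEM32\\CertUtil.EXE|C:\\Windows\\System32\\svchost.exe|CertUtil.EXE http://files.example.invalid/a.txt
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS.splitlines()):
        print(f"{a.timestamp} {a.user} {a.image} (parent {a.parent}) -> {a.url}")
```

The mixed-case fourth record shows why the match is on the lower-cased basename rather than the raw image path.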
 

jogs

Level 20
Verified
Is there anything in Windows that can't be abused!
I think every program can be abused; no matter how much a program is updated and patched, there will always be a way to hack it.
It's also true for hardware: whatever protection the vendor makes, there will always be someone who will be able to crack that protection.