โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Let's Talk

Call us on one of the numbers below, we cover the whole of the UK, so call the nearest office.

BriSTOL HQ & The South West

London & Surrounding Areas

Manchester & the North

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call-back.

First we need a few details.

ENQUIRY - Contact Popup DEPRECIATED (#3)

Keep up to date with the experts

Get insights directly to your email inbox

MAIL LIST - Newsletter, Exit Intent Popup (#13)

Follow us on social

โ€œWe needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.โ€

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call

First we need a few details.

ENQUIRY - Popup w/ Captcha for light backgrounds (#21)
Expert Intel

LOLbins & LOLlibs: What are they and why do they matter?

Published: December 15, 2021
Updated: May 29, 2024
Expert: Cam C
Role: SIEM Engineer
Specialises in: Managed Security
What you will learn:
How and why binaries and libraries within Windows, are exploited.
Many windows components that exist today have actually existed since the dawn of Windows, a time when cyber-security wasnโ€™t the top priority...

LOLbins and LOLlibs are binaries and libraries that are found within Windows, attackers can use them to Live-Off-the-Land (LOL), which effectively means, carrying out an attack purely using windows-based binaries and libraries, more and more attackers, whether they are nation-state APTs, cybercriminals or script kiddies, are looking to exploit this methodโ€ฆ

The reason it is so effective is simple, many windows components that exist today have actually existed since the dawn of Windows, a time when cyber-security wasnโ€™t the top priority, but ease of use and basic functionality were, going back in time a little. Technically the first computer was invented in 1822, the first electronic general purpose digital computer was in 1945 from Alan Turing, and then in 1973 was the year of the first โ€˜personal computerโ€™, yet the first widespread virus was in 1982โ€ฆ

So, this new tech about had 9 years, before someone decided to come along and ruin it, naturally of course WANs were around but the internet wasnโ€™t properly around until 1983, which opens up a whole other can of worms to deal with, and back to the presentโ€ฆ WEโ€™VE STILL GOT THESE BINARIES AND LIBRARIES ON OUR PCโ€™S! 

So, some scenarios.

If we imagine a fake attack scenario, many are thinking of the typical .exe malware, that is blocked by antivirus and thatโ€™s the last we hear of it, or phishing as that is also quite on the forefront, but imagine for a moment, it wasnโ€™t so long ago CVE-2022-30190 FOLLINA (MSDT) was at the forefront of our response teams, this is when Microsoft products were abused to spawn MSDT, a troubleshooter, to download a malicious html file, and then execute the code in this crafted html document with powershellโ€ฆ

Another example, some obfuscated javascript code is executed by a native windows script interpreter, like wscript/cscript, this then invokes bitsadmin to download some malicious content from an external source, which is then proxied via regsvr (MITRE,T1218.010), and actually, regsvr is a common method of execution, just purely because it is a good proxy execution vector.

These scenarios are absolutely real, theyโ€™re not the most advanced of attacks but they have good defence evasion techniques. It should speak for itself that if youโ€™re the target of one of these latest threats and vulnerabilities, thereโ€™s not much more you can do other than be ready.

Utilising expertise.

At Stripe OLT, our response teams, and clients, neednโ€™t have worked up a sweat when CVE-2022-3019 Follina was announced. We were already prepared and one step ahead:

  1. We used a policy ban on office products spawning child processes
  2. Weโ€™d set up alerting and SOAR actions for MSDT invoking powershell
  3. Utilised hundreds of threat-intelligence sources providing indicator based support as a safety net, on top of MDEโ€™s already glowing feature set for dealing with emerging threats.

To conclude, itโ€™s a top priority for organisations to protect their data in this age (thereโ€™s a reason they call it the information age), and it is paramount that specialist teams are there to have eyes on screens, and on hand 24/7. These teams need to comprise of people from varied backgrounds, such as security ops, intelligence, and information protection, and they need to be reinforced by engineering teams, that can create custom detection packs and SOAR playbooks, providing instant response to the most severe threats, and of course, peace of mind.

The moral of the story.

It only takes one hacker group, like Lapsus$ (who are essentially a bunch of schoolkids, turned threat group) to show us just how unprepared and insecure technology can be. Take the recent Army Twitter account that got hackedโ€ฆ Talk about getting away with it lightly โ€“ We certainly donโ€™t want any possible military action against hostile states in cyberspace!

Basically, itโ€™s important to be prepared, otherwise we really are just preparing to fail.