LOLbins & LOLlibs: What are they and why do they matter?

LOLbins and LOLlibs are binaries and libraries that are found within Windows, attackers can use them to Live-Off-the-Land (LOL), which effectively means, carrying out an attack purely using windows-based binaries and libraries, more and more attackers, whether they are nation-state APTs, cybercriminals or script kiddies, are looking to exploit this method…

The reason it is so effective is simple, many windows components that exist today have actually existed since the dawn of Windows, a time when cyber-security wasn’t the top priority, but ease of use and basic functionality were, going back in time a little. Technically the first computer was invented in 1822, the first electronic general purpose digital computer was in 1945 from Alan Turing, and then in 1973 was the year of the first ‘personal computer’, yet the first widespread virus was in 1982…

So, this new tech about had 9 years, before someone decided to come along and ruin it, naturally of course WANs were around but the internet wasn’t properly around until 1983, which opens up a whole other can of worms to deal with, and back to the present… WE’VE STILL GOT THESE BINARIES AND LIBRARIES ON OUR PC’S!

So, some scenarios.

If we imagine a fake attack scenario, many are thinking of the typical .exe malware, that is blocked by antivirus and that’s the last we hear of it, or phishing as that is also quite on the forefront, but imagine for a moment, it wasn’t so long ago CVE-2022-30190 FOLLINA (MSDT) was at the forefront of our response teams, this is when Microsoft products were abused to spawn MSDT, a troubleshooter, to download a malicious html file, and then execute the code in this crafted html document with powershell…

Another example, some obfuscated javascript code is executed by a native windows script interpreter, like wscript/cscript, this then invokes bitsadmin to download some malicious content from an external source, which is then proxied via regsvr (MITRE,T1218.010), and actually, regsvr is a common method of execution, just purely because it is a good proxy execution vector.

These scenarios are absolutely real, they’re not the most advanced of attacks but they have good defence evasion techniques. It should speak for itself that if you’re the target of one of these latest threats and vulnerabilities, there’s not much more you can do other than be ready.

Utilising expertise.

At Stripe OLT, our response teams, and clients, needn’t have worked up a sweat when CVE-2022-3019 Follina was announced. We were already prepared and one step ahead:

We used a policy ban on office products spawning child processes
We’d set up alerting and SOAR actions for MSDT invoking powershell
Utilised hundreds of threat-intelligence sources providing indicator based support as a safety net, on top of MDE’s already glowing feature set for dealing with emerging threats.

To conclude, it’s a top priority for organisations to protect their data in this age (there’s a reason they call it the information age), and it is paramount that specialist teams are there to have eyes on screens, and on hand 24/7. These teams need to comprise of people from varied backgrounds, such as security ops, intelligence, and information protection, and they need to be reinforced by engineering teams, that can create custom detection packs and SOAR playbooks, providing instant response to the most severe threats, and of course, peace of mind.

The moral of the story.

It only takes one hacker group, like Lapsus$ (who are essentially a bunch of schoolkids, turned threat group) to show us just how unprepared and insecure technology can be. Take the recent Army Twitter account that got hacked… Talk about getting away with it lightly – We certainly don’t want any possible military action against hostile states in cyberspace!

Basically, it’s important to be prepared, otherwise we really are just preparing to fail.