Keep up to date with the experts

Get insights direct to your email inbox

Subscription Form exit intent popup

Follow us on social

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager

Simon Darley

Trusted by industry leaders

Request a Quote.

First we need a few details.

Contact Form Primary popup

By continuing, you agree to our Terms & Privacy Policy

Expert Intel

LOLbins & LOLlibs: What are they and why do they matter?

Expert: Cam C
Role: SIEM Engineer
Specialises in: Managed Security
What you will learn:
How and why binaries and libraries within Windows, are exploited.
Many windows components that exist today have actually existed since the dawn of Windows, a time when cyber-security wasn’t the top priority...

LOLbins and LOLlibs are binaries and libraries that are found within Windows, attackers can use them to Live-Off-the-Land (LOL), which effectively means, carrying out an attack purely using windows-based binaries and libraries, more and more attackers, whether they are nation-state APTs, cybercriminals or script kiddies, are looking to exploit this method…

The reason it is so effective is simple, many windows components that exist today have actually existed since the dawn of Windows, a time when cyber-security wasn’t the top priority, but ease of use and basic functionality were, going back in time a little. Technically the first computer was invented in 1822, the first electronic general purpose digital computer was in 1945 from Alan Turing, and then in 1973 was the year of the first ‘personal computer’, yet the first widespread virus was in 1982…

So, this new tech about had 9 years, before someone decided to come along and ruin it, naturally of course WANs were around but the internet wasn’t properly around until 1983, which opens up a whole other can of worms to deal with, and back to the present… WE’VE STILL GOT THESE BINARIES AND LIBRARIES ON OUR PC’S! 

So, some scenarios.

If we imagine a fake attack scenario, many are thinking of the typical .exe malware, that is blocked by antivirus and that’s the last we hear of it, or phishing as that is also quite on the forefront, but imagine for a moment, it wasn’t so long ago CVE-2022-30190 FOLLINA (MSDT) was at the forefront of our response teams, this is when Microsoft products were abused to spawn MSDT, a troubleshooter, to download a malicious html file, and then execute the code in this crafted html document with powershell…

Another example, some obfuscated javascript code is executed by a native windows script interpreter, like wscript/cscript, this then invokes bitsadmin to download some malicious content from an external source, which is then proxied via regsvr (MITRE,T1218.010), and actually, regsvr is a common method of execution, just purely because it is a good proxy execution vector.

These scenarios are absolutely real, they’re not the most advanced of attacks but they have good defence evasion techniques. It should speak for itself that if you’re the target of one of these latest threats and vulnerabilities, there’s not much more you can do other than be ready.

Utilising expertise.

At Stripe OLT, our response teams, and clients, needn’t have worked up a sweat when CVE-2022-3019 Follina was announced. We were already prepared and one step ahead:

  1. We used a policy ban on office products spawning child processes
  2. We’d set up alerting and SOAR actions for MSDT invoking powershell
  3. Utilised hundreds of threat-intelligence sources providing indicator based support as a safety net, on top of MDE’s already glowing feature set for dealing with emerging threats.

To conclude, it’s a top priority for organisations to protect their data in this age (there’s a reason they call it the information age), and it is paramount that specialist teams are there to have eyes on screens, and on hand 24/7. These teams need to comprise of people from varied backgrounds, such as security ops, intelligence, and information protection, and they need to be reinforced by engineering teams, that can create custom detection packs and SOAR playbooks, providing instant response to the most severe threats, and of course, peace of mind.

The moral of the story.

It only takes one hacker group, like Lapsus$ (who are essentially a bunch of schoolkids, turned threat group) to show us just how unprepared and insecure technology can be. Take the recent Army Twitter account that got hacked… Talk about getting away with it lightly – We certainly don’t want any possible military action against hostile states in cyberspace!

Basically, it’s important to be prepared, otherwise we really are just preparing to fail. 

find us on Youtube

The latest in cyber & IT news, now on youtube!

Our latest expert Intel

  • The Crucial Shift In Ransomware Tactics

    March 24, 2023
    Read full article
  • edge

    Why Microsoft Edge is the best browser for business

    March 13, 2023
    Read full article
  • Windows 11 Business Premium

    A Journey to Modern Endpoint Management

    February 3, 2023
    Read full article
  • What is Open Authorisation Exploitation?

    January 23, 2023
    Read full article
  • Building the Right Business Culture to Manage Human Error - Ryan Pullen X ESW

    January 26, 2023
    Read full article
  • The Uber & Rockstar Hacks - Why there is no magic bullet.

    January 26, 2023
    Read full article
  • Open-Source Intelligence (OSINT) - Why it matters.

    January 26, 2023
    Read full article
  • TEDx Talk: Ryan Pullen – How clicking a link can cost millions.

    January 26, 2023
    Read full article
  • LOLbins & LOLlibs: What are they and why do they matter?

    January 26, 2023
    Read full article