“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Let's Talk

Call us on one of the numbers below, we cover the whole of the UK.

BriSTOL HQ & The South West

+44 (0) 117 974 5179

London & Surrounding Areas

+44 (0) 207 043 7044

Manchester & the North West

+44 (0) 161 399 1305

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call-back.

First we need a few details.

Contact Form Primary popup

Keep up to date with the experts

Get insights direct to your email inbox

NEWSLETTER - Exit Intent

Follow us on social

“We needed to find solutions to a variety of issues whilst being a complex business, operating in a 24/7 environment. Stripe OLT listened and understood immediately the challenges we faced.”

IT Operations Manager
Simon Darley
Trusted by industry leaders

Request a Call

First we need a few details.

Contact Form Primary popup
Expert Intel

LOLbins & LOLlibs: What are they and why do they matter?

Published: December 15, 2021
Updated: June 16, 2023
Expert: Cam C
Role: SIEM Engineer
Specialises in: Managed Security
What you will learn:
How and why binaries and libraries within Windows, are exploited.
Many windows components that exist today have actually existed since the dawn of Windows, a time when cyber-security wasn’t the top priority...

LOLbins and LOLlibs are binaries and libraries that are found within Windows, attackers can use them to Live-Off-the-Land (LOL), which effectively means, carrying out an attack purely using windows-based binaries and libraries, more and more attackers, whether they are nation-state APTs, cybercriminals or script kiddies, are looking to exploit this method…

The reason it is so effective is simple, many windows components that exist today have actually existed since the dawn of Windows, a time when cyber-security wasn’t the top priority, but ease of use and basic functionality were, going back in time a little. Technically the first computer was invented in 1822, the first electronic general purpose digital computer was in 1945 from Alan Turing, and then in 1973 was the year of the first ‘personal computer’, yet the first widespread virus was in 1982…

So, this new tech about had 9 years, before someone decided to come along and ruin it, naturally of course WANs were around but the internet wasn’t properly around until 1983, which opens up a whole other can of worms to deal with, and back to the present… WE’VE STILL GOT THESE BINARIES AND LIBRARIES ON OUR PC’S! 

So, some scenarios.

If we imagine a fake attack scenario, many are thinking of the typical .exe malware, that is blocked by antivirus and that’s the last we hear of it, or phishing as that is also quite on the forefront, but imagine for a moment, it wasn’t so long ago CVE-2022-30190 FOLLINA (MSDT) was at the forefront of our response teams, this is when Microsoft products were abused to spawn MSDT, a troubleshooter, to download a malicious html file, and then execute the code in this crafted html document with powershell…

Another example, some obfuscated javascript code is executed by a native windows script interpreter, like wscript/cscript, this then invokes bitsadmin to download some malicious content from an external source, which is then proxied via regsvr (MITRE,T1218.010), and actually, regsvr is a common method of execution, just purely because it is a good proxy execution vector.

These scenarios are absolutely real, they’re not the most advanced of attacks but they have good defence evasion techniques. It should speak for itself that if you’re the target of one of these latest threats and vulnerabilities, there’s not much more you can do other than be ready.

Utilising expertise.

At Stripe OLT, our response teams, and clients, needn’t have worked up a sweat when CVE-2022-3019 Follina was announced. We were already prepared and one step ahead:

  1. We used a policy ban on office products spawning child processes
  2. We’d set up alerting and SOAR actions for MSDT invoking powershell
  3. Utilised hundreds of threat-intelligence sources providing indicator based support as a safety net, on top of MDE’s already glowing feature set for dealing with emerging threats.

To conclude, it’s a top priority for organisations to protect their data in this age (there’s a reason they call it the information age), and it is paramount that specialist teams are there to have eyes on screens, and on hand 24/7. These teams need to comprise of people from varied backgrounds, such as security ops, intelligence, and information protection, and they need to be reinforced by engineering teams, that can create custom detection packs and SOAR playbooks, providing instant response to the most severe threats, and of course, peace of mind.

The moral of the story.

It only takes one hacker group, like Lapsus$ (who are essentially a bunch of schoolkids, turned threat group) to show us just how unprepared and insecure technology can be. Take the recent Army Twitter account that got hacked… Talk about getting away with it lightly – We certainly don’t want any possible military action against hostile states in cyberspace!

Basically, it’s important to be prepared, otherwise we really are just preparing to fail. 

Our latest expert Intel

  • March 27, 2024
    Read full article
  • Gootkit
    March 7, 2024
    Read full article
  • February 5, 2024
    Read full article
  • Malvertising
    December 20, 2023
    Read full article
  • Microsoft Ignite
    January 19, 2024
    Read full article
  • keys
    January 19, 2024
    Read full article
  • December 19, 2023
    Read full article
  • CVE-2023-42439
    November 9, 2023
    Read full article
  • password
    September 11, 2023
    Read full article
  • November 24, 2023
    Read full article
  • August 1, 2023
    Read full article
  • July 27, 2023
    Read full article