Cybersecurity researchers have recently unveiled a significant discovery involving 11 living-off-the-land binaries-and-scripts (LOLBAS) with the potential for malicious exploitation by threat actors for post-exploitation activities.
LOLBAS, an attack method that harnesses system binaries and scripts for nefarious purposes, poses a unique challenge to security teams as it disguises malicious actions within trusted system utilities, making it difficult to distinguish between legitimate and harmful activities. The Israeli cybersecurity firm Pentera has identified nine LOLBAS downloaders and three executors that adversaries can utilize to download and execute more sophisticated malware on compromised hosts.
These findings highlight specific executables, such as MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe, that could be exploited by attackers as part of their strategy.
Pentera emphasizes the threat posed by LOLBAS executors, which allow cybercriminals to execute their malicious tools within a seemingly legitimate process tree, enhancing their ability to evade detection. However, Pentera also notes that attackers may leverage executables beyond those related to Microsoft to achieve similar malicious goals, illustrating the versatility of the LOLBAS approach.
In a related context, the research coincides with the disclosure of a novel attack vector by Vectra, involving the use of Microsoft Entra ID cross-tenant synchronization (CTS) to facilitate lateral movement within a compromised cloud environment.
This disclosure further underscores the evolving landscape of cyber threats and the need for robust security measures. As LOLBAS attacks exploit pre-existing system components, these findings serve as a reminder of the importance of proactive monitoring and enhanced detection mechanisms to counteract potential threats posed by trusted utilities that can be repurposed by threat actors.