Cybercriminals' top LOLBins

Cyberattacks most commonly rely on just a few common operating system components.

Hugh Aver, September 28, 2021

Cybercriminals have long used legitimate programs and operating system components to attack Microsoft Windows users, a tactic known as Living off the Land. In doing so, they attempt to kill several birds with one cyberstone: reducing the cost of developing a malware toolkit, minimizing their footprint on the operating system, and disguising their activity among legitimate IT actions. In other words, the main objective is to make their malicious activity harder to detect. For this reason, security experts have long monitored the activity of potentially unsafe executables, scripts, and libraries, going so far as to maintain a kind of registry of them under the LOLBAS project on GitHub.

Our colleagues from the Kaspersky Managed Detection and Response (MDR) service, who protect numerous companies across a wide range of business areas, often see this approach in real-life attacks. In the Managed Detection and Response Analyst Report, they examine the system components most typically used to attack modern businesses. Here's what they discovered.

Gold goes to PowerShell

PowerShell, a software engine and scripting language with a command-line interface, is by far the most common legitimate tool among cybercriminals, despite Microsoft's efforts to make it more secure and controllable. Of the incidents identified by our MDR service, 3.3% involved attempted misuse of PowerShell. What's more, restricting the survey to critical incidents only, we see that PowerShell had a hand in one in five (20.3%, to be precise).

Silver goes to rundll32.exe

In second place is the rundll32 host process, which is used to run code from dynamic-link libraries (DLLs). It was involved in 2% of all incidents and 5.1% of critical ones.

Bronze goes to several utilities

We found five tools that each featured in 1.9% of all incidents:

- te.exe, part of the Test Authoring and Execution Framework;
- PsExec.exe, a tool for running processes on remote systems;
- CertUtil.exe, a tool for handling information from certification authorities;
- Reg.exe, the Microsoft Registry Console Tool, which can be used to change and add keys in the system registry from the command line;
- wscript.exe, Windows Script Host, designed to run scripts in scripting languages.

Together, these five executable files were used in 7.2% of critical incidents.

Kaspersky MDR experts additionally observed the use of msiexec.exe, remote.exe, atbrocker.exe, cscript.exe, netsh.exe, schtasks.exe, excel.exe, print.exe, mshta.exe, msbuild.exe, powerpnt.exe, dllhost.exe, regsvr32.exe, winword.exe, and shell32.exe.

See here for more results from the Managed Detection and Response Analyst Report.
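As an added illustration (not code from the article or from the Kaspersky MDR service), the following Python script scores constructed process-creation log lines against the LOLBins named above and reports, for each binary, its share of all incidents and of critical incidents, the same two measures the report uses. The simplified key=value log format, the incident ids and the severity labels are assumptions made for the example.

```python
import re
from collections import defaultdict

# Binaries named in the article as seen in MDR incidents (lower-cased for matching).
LOLBINS = {
    "powershell.exe", "rundll32.exe", "te.exe", "psexec.exe", "certutil.exe",
    "reg.exe", "wscript.exe", "msiexec.exe", "remote.exe", "atbrocker.exe",
    "cscript.exe", "netsh.exe", "schtasks.exe", "excel.exe", "print.exe",
    "mshta.exe", "msbuild.exe", "powerpnt.exe", "dllhost.exe", "regsvr32.exe",
    "winword.exe", "shell32.exe",
}

# Constructed sample log: one process-creation event per line, tagged with the
# incident it belongs to and that incident's severity (format is an assumption).
SAMPLE_LOG = """\
incident=INC-1 severity=critical image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
incident=INC-1 severity=critical image=C:\\Windows\\System32\\rundll32.exe
incident=INC-2 severity=medium image=C:\\Windows\\System32\\notepad.exe
incident=INC-3 severity=critical image=C:\\Tools\\PsExec.exe
incident=INC-4 severity=low image=C:\\Windows\\System32\\certutil.exe
incident=INC-5 severity=critical image=C:\\Windows\\System32\\rundll32.exe
"""

LINE_RE = re.compile(r"incident=(\S+)\s+severity=(\S+)\s+image=(.+)$")

def image_basename(path):
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_events(text):
    """Return a list of (incident_id, severity, image_basename) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2).lower(), image_basename(m.group(3))))
    return events

def lolbin_share(events):
    """Map each observed LOLBin to (% of all incidents, % of critical incidents).
    Counting is per incident, not per event, so repeated launches in one
    incident do not inflate the share."""
    severity = {}                 # incident id -> severity
    hits = defaultdict(set)       # lolbin -> incident ids it appeared in
    for inc, sev, image in events:
        severity[inc] = sev
        if image in LOLBINS:
            hits[image].add(inc)
    total = len(severity)
    critical = {i for i, s in severity.items() if s == "critical"}
    return {b: (round(100 * len(ids) / total, 1),
                round(100 * len(ids & critical) / len(critical), 1) if critical else 0.0)
            for b, ids in hits.items()}

if __name__ == "__main__":
    for binary, (pct_all, pct_crit) in sorted(lolbin_share(parse_events(SAMPLE_LOG)).items()):
        print(f"{binary:16} {pct_all:5.1f}% of incidents  {pct_crit:5.1f}% of critical")
```

Real deployments would read these events from Sysmon or Windows Security event 4688 exports rather than from an inline string, but the per-incident counting is what keeps the statistics comparable to the report's.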