{"id":42180,"date":"2021-09-28T15:17:06","date_gmt":"2021-09-28T19:17:06","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=42180"},"modified":"2021-09-28T15:17:06","modified_gmt":"2021-09-28T19:17:06","slug":"most-used-lolbins","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/most-used-lolbins\/42180\/","title":{"rendered":"Cybercriminals&#8217; top LOLBins"},"content":{"rendered":"<p>Cybercriminals have long used legitimate programs and operating system components to attack Microsoft Windows users, a tactic known as <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/lotl-living-off-the-land\/\" target=\"_blank\" rel=\"noopener\">Living off the Land<\/a>. In doing so, they\u2019re attempting to kill several birds with one cyberstone, reducing the cost of developing a malware toolkit, minimizing their operating system footprint, and disguising their activity among legitimate IT actions.<\/p>\n<p>In other words, the main objective is to make detecting their malicious activity harder. For this reason, security experts have long monitored the activity of potentially unsafe executables, scripts, and libraries, going so far as to maintain a kind of registry under the <a href=\"https:\/\/github.com\/LOLBAS-Project\" target=\"_blank\" rel=\"nofollow noopener\">LOLBAS project on GitHub<\/a>.<\/p>\n<p>Our colleagues from <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/managed-detection-and-response?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Managed Detection and Response (MDR)<\/a> service, who protect numerous companies across a wide range of business areas, often see this approach in real-life attacks. 
In the <a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/07\/20155845\/MDR_Analyst_Report_Q4-2020.pdf\" target=\"_blank\" rel=\"noopener\">Managed Detection and Response Analyst Report<\/a>, they examine the system components most typically used to attack modern businesses. Here\u2019s what they discovered.<\/p>\n<h2>Gold goes to PowerShell<\/h2>\n<p>PowerShell, a software engine and scripting language with a command-line interface, is the most common legitimate tool by far among cybercriminals, despite Microsoft\u2019s efforts to make it more secure and controllable. Of the incidents identified by our MDR service, 3.3% involved an attempted PowerShell exploit. What\u2019s more, restricting the survey to critical incidents only, we see that PowerShell had a hand in one in five (20.3%, to be precise).<\/p>\n<h2>Silver goes to rundll32.exe<\/h2>\n<p>In second place we have the rundll32 host process, which is used to run code from dynamic-link libraries (DLLs). 
It was involved in 2% of all incidents, and 5.1% of critical ones.<\/p>\n<h2>Bronze goes to several utilities<\/h2>\n<p>We found five tools featured in 1.9% of all incidents:<\/p>\n<ul>\n<li>te.exe, part of the Test Authoring and Execution Framework,<\/li>\n<li>PsExec.exe, a tool for running processes on remote systems,<\/li>\n<li>CertUtil.exe, a tool for handling information from certification authorities,<\/li>\n<li>Reg.exe, the Microsoft Registry Console Tool, which can be used to change and add keys in the system registry from the command line,<\/li>\n<li>wscript.exe, Windows Script Host, designed to run scripts in scripting languages.<\/li>\n<\/ul>\n<p>These five executable files were used in 7.2% of critical incidents.<\/p>\n<p>Kaspersky MDR experts additionally observed the use of msiexec.exe, remote.exe, atbrocker.exe, cscript.exe, netsh.exe, schtasks.exe, excel.exe, print.exe, mshta.exe, msbuild.exe, powerpnt.exe, dllhost.exe, regsvr32.exe, winword.exe, and shell32.exe.<\/p>\n<p>See <a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2021\/07\/20155845\/MDR_Analyst_Report_Q4-2020.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a> for more results from the Managed Detection and Response Analyst Report.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cyberattacks most commonly rely on just a few common operating system components.
<\/p>\n","protected":false},"author":2581,"featured_media":42181,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[3965,4232,3795,113],"class_list":{"0":"post-42180","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-incidents","10":"tag-lolbins","11":"tag-mdr","12":"tag-windows"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/most-used-lolbins\/42180\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/most-used-lolbins\/23392\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/most-used-lolbins\/18861\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/most-used-lolbins\/25456\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/most-used-lolbins\/23525\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/most-used-lolbins\/22977\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/most-used-lolbins\/26092\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/most-used-lolbins\/25682\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/most-used-lolbins\/31557\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/most-used-lolbins\/10109\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/most-used-lolbins\/18302\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/most-used-lolbins\/15350\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/most-used-lolbins\/27489\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/most-used-lolbins\/24393\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/most-used-lolbins\/29758\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/most-used-lolbins\/29554\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/mdr\/","name":"MDR"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42180","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2581"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=42180"}],"version-history":[{"count":4,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42180\/revisions"}],"predecessor-version":[{"id":42199,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/42180\/revisions\/42199"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/42181"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=42180"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=42180"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=42180"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}