Cybercriminals’ top LOLBins

Cybercriminals have long used legitimate programs and operating system components to attack Microsoft Windows users, a tactic known as Living off the Land. In doing so, they’re attempting to kill several birds with one cyberstone, reducing the cost of developing a malware toolkit, minimizing their operating system footprint, and disguising their activity among legitimate IT actions.

In other words, the main objective is to make detecting their malicious activity harder. For this reason, security experts have long monitored the activity of potentially unsafe executables, scripts, and libraries, going so far as to maintain a kind of registry under the LOLBAS project on GitHub.

Our colleagues from Kaspersky Managed Detection and Response (MDR) service, who protect numerous companies across a wide range of business areas, often see this approach in real-life attacks. In the Managed Detection and Response Analyst Report, they examine the system components most typically used to attack modern businesses. Here’s what they discovered.

Gold goes to PowerShell

PowerShell, a software engine and scripting language with a command-line interface, is the most common legitimate tool by far among cybercriminals, despite Microsoft’s efforts to make it more secure and controllable. Of the incidents identified by our MDR service, 3.3% involved an attempted PowerShell exploit. What’s more, restricting the survey to critical incidents only, we see that PowerShell had a hand in one in five (20.3%, to be precise).

Silver goes to rundll32.exe

In second place we have the rundll32 host process, which is used to run code from dynamic-link libraries (DLLs). It was involved in 2% of all incidents, and 5.1% of critical ones.

Bronze goes to several utilities

We found five tools featured in 1.9% of all incidents:

  • te.exe, part of the Test Authoring and Execution Framework,
  • PsExec.exe, a tool for running processes on remote systems,
  • CertUtil.exe, a tool for handling information from certification authorities,
  • Reg.exe, the Microsoft Registry Console Tool, which can be used to change and add keys in the system registry from the command line,
  • wscript.exe, Windows Script Host, designed to run scripts in scripting languages.

These five executable files were used in 7.2% of critical incidents.

Kaspersky MDR experts additionally observed the use of msiexec.exe, remote.exe, atbrocker.exe, cscript.exe, netsh.exe, schtasks.exe, excel.exe, print.exe, mshta.exe, msbuild.exe , powerpnt.exe, dllhost.exe, regsvr32.exe, winword.exe, and shell32.exe.