Another New Year's LOLBAS!

Abusing Windows Management Instrumentation tool wbemtest.exe for arbitrary command execution

Yet Another Blog

10 popular EDR evasion techniques

Alexey Balandin, Security Vision. Today it is impossible to imagine endpoint protection without an EDR system which, unlike legacy antivirus, is based primarily on behavioral analysis of the events occurring in the system. The need for such a system has risen sharply over the past 10 years because threats become more sophisticated year after year. It has long been clear that attackers can be countered effectively not so much through static code analysis and signature-based methods as through studying, analyzing and blocking their behavioral patterns and the tactics, techniques and procedures they use. This is what the EDR product class does, and it keeps evolving through constant additions to its knowledge base of new attack methods. The other side of the coin is that attackers do not stand still and keep developing new ways to evade and counter EDR. Below we look at the EDR evasion techniques that were most popular with attackers over the past 5 years.

https://habr.com/ru/companies/securityvison/articles/973172/

#edr #byovd #lolbas #обход_защиты #обход_антивируса


The Living off the Land family: how to detect and mitigate

This article surveys an entire class of attack methods and techniques aimed at masking the attacker's activity and evading existing protection and detection mechanisms. This class of techniques is quite old and is called Living Off the Land; it has been actively used by adversaries for the past several decades, and today practically no APT attack takes place without it. These techniques have gained enormous popularity among adversaries primarily because, by their nature, they allow attackers to stay below the SOC's radar by masquerading as legitimate system events. They rely on existing OS mechanisms and trusted tools that raise no suspicion for covert code execution, lateral movement, remote control, data collection, privilege escalation, and so on. The article also covers ways to detect and counter this class of attack techniques.

https://habr.com/ru/companies/securityvison/articles/954698/

#информационная_безопасность #lolbas #gtfobins #living_off_the_land #edr


🔍 Detection Method
===================

🛠️ Tool

Opening: LOLBASline is a PowerShell module designed to baseline Windows endpoints for Living Off The Land Binaries and Scripts (LOLBAS). The tool enumerates entries from the official LOLBAS YAML dataset, verifies binary presence, and attempts representative command executions to assess whether those binaries can be used for agentless or fileless TTPs.

Key Features:
• Repository handling: Auto-clones the LOLBAS project when no local path is supplied, parsing YAML definitions for metadata and execution examples.
• Presence verification: Confirms file system presence and common install paths for listed binaries and scripts.
• Execution capability tests: Attempts safe, representative commands configured in the YAML to validate whether an observable execution path exists.
• Reporting: Produces a structured CSV containing detected items, execution success/failure, timestamps, and YAML-sourced metadata for downstream analysis.

Use Cases:
• Rapid endpoint assessment in lab and red-team environments to enumerate potential living-off-the-land opportunities.
• Creating an inventory of allowed vs. risky binaries for defensive teams and baselining for detection tuning.

Strengths & Considerations:
• Strengths include automation of YAML parsing, consolidated reporting, and an explicit focus on execution capability rather than mere presence.
• Considerations include operational risk: the execution tests are intentionally active and may trigger EDR, SIEM alerts, or unintended side effects. The README warns explicitly against running on production systems.

Detection & Defensive Value:
• Output CSV can be ingested into asset databases or SIEMs to correlate detected LOLBAS items with telemetry and to prioritize detection rules for high-risk executables.

Limitations:
• The tool relies on YAML examples that may not cover all execution vectors or contextual privilege constraints; a successful representative command does not prove full exploitability in all contexts.
• False positives/negatives are possible depending on path variations, aliasing, and environment-specific restrictions.

🔹 tool #LOLBAS #PowerShell #Windows #baseline

🔗 Source: https://github.com/magicsword-io/LOLBASline

GitHub - magicsword-io/LOLBASline: Baseline a Windows System against LOLBAS

🚨 Control-Flow Flattening Obfuscated #JavaScript Drops #SnakeKeylogger.
The #malware uses layered obfuscation to hide execution logic and evade traditional detection.
⚠️ Our data shows banking is the most affected sector among our users, nearly matching all the other industries combined. As part of widespread #MaaS #phishing campaigns, Snake targets high-value industries including fintech, healthcare, and energy, making instant threat visibility and behavioral analysis essential.

🔗 Execution chain:
Obfuscated JS ➡️ ScriptRunner.exe ➡️ EXE ➡️ CMD ➡️ extrac32.exe ➡️ PING delay ➡️ Snake

The attack begins with a loader using control-flow flattening (#MITRE T1027.010) to obscure its logic behind nested while-loops and string shifts.

👾 The loader uses COM automation via WshShell3, avoiding direct #PowerShell or CMD calls and bypassing common detection rules.

❗️ Obfuscated CMD scripts include non-ASCII (Japanese) characters and environment variables like %…%, further complicating static and dynamic analysis.

Two CMD scripts are dropped into ProgramData to prepare the execution environment. This stage involves #LOLBAS abuse: legitimate DLLs are copied from SysWOW64 into “/Windows /” and Public directories. The operation is performed using extrac32.exe, a known #LOLBin, together with JS script functionality. This combination helps bypass detection by imitating trusted system behavior.

📌 Persistence is established by creating a Run registry key pointing to a .url file containing the execution path.
🐍 Snake is launched after a short delay using a PING, staggering execution.

👨‍💻 See execution on a live system and download actionable report:
https://app.any.run/tasks/0d53bef9-c623-4c2f-9ce9-f1d3d05d21f3/?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_term=240725&utm_content=linktoservice

Explore #ANYRUN’s threat database to proactively hunt for similar threats and techniques and improve the precision and efficiency of your organization's security response:
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522extrac32*.dll*.%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522%255C%255C%255C%255CWindows%2520%255C%255C%255C%255C%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522commandLine:%255C%2522ping%2520%2520127.0.0.1%2520-n%252010%255C%2522%2522,%2522dateRange%2522:180%7D
🔹 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=obfuscated_js_snake&utm_content=linktoservice&utm_term=240725#%7B%2522query%2522:%2522registryKey:%255C%2522%255C%255CRun$%255C%2522%2520AND%2520registryValue:%255C%2522.url$%255C%2522%2522,%2522dateRange%2522:180%7D

#IOCs:

👨‍💻 Gain full visibility with #ANYRUN to make faster, smarter security decisions.

#infosec #cybersecurity

🚨 New #phishing campaign uses #DBatLoader to drop #Remcos RAT.
The infection relies on #UAC bypass with mock directories, obfuscated .cmd scripts, Windows #LOLBAS techniques, and advanced persistence techniques. At the time of analysis, the samples had not yet been submitted to #VirusTotal ⚠️

🔗 Execution chain:
#Phish ➡️ Archive ➡️ DBatLoader ➡️ CMD ➡️ SndVol.exe (Remcos injected)

👨‍💻 #ANYRUN allows analysts to quickly uncover stealth techniques like LOLBAS abuse, injection, and UAC bypass, all within a single interactive analysis session. See analysis: https://app.any.run/tasks/c57ca499-51f5-4c50-a91f-70bc5a60b98d/?utm_source=mastodon&utm_medium=post&utm_campaign=dbatloader&utm_term=150525&utm_content=linktoservice

🛠️ Key techniques:
🔹 .cmd files #Obfuscated with #BatCloak are used to download and run the #payload.
🔹 Remcos injects into trusted system processes (SndVol.exe, colorcpl.exe).
🔹 Scheduled tasks trigger a Cmwdnsyn.url file, which launches a .pif dropper to maintain persistence.
🔹 Esentutl.exe is abused via LOLBAS to copy cmd.exe into the alpha.pif file.
🔹 UAC bypass is achieved with fake directories like “C:\Windows ” (note the trailing space), exploiting how Windows handles folder names.

⚠️ This threat uses multiple layers of stealth and abuse of built-in Windows tools. Behavioral detection and attention to unusual file paths or other activity are crucial to catching it early. #ANYRUN Sandbox provides the visibility needed to spot these techniques in real time 🚀

Analysis FAKTURA.tar.lz (MD5: B7AAF85E1B3EC2C1AF0098AE92D3E46E) Malicious activity - Interactive analysis ANY.RUN

Interactive malware hunting service. Live testing of most types of threats in any environment. No installation and no waiting necessary.
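As an added example (not code from the ANY.RUN posts above), the hunting conditions stated in the Snake Keylogger and DBatLoader posts turned into a small Python matcher over constructed Sysmon-style events: extrac32.exe handling a DLL, a “\Windows \” mock directory with a trailing space, a loopback PING delay, a Run key whose data points at a .url file, esentutl.exe copying cmd.exe into a .pif, and a scheduled task that triggers a .url. The event field names and the sample command lines are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry); names and paths are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\extrac32.exe",
     "cmdline": r'extrac32 /Y C:\Windows\SysWOW64\netutils.dll "C:\Windows \netutils.dll"'},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ping  127.0.0.1 -n 10 > nul"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\ProgramData\Updater.url"},
    {"type": "process", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Sync /tr "C:\Users\Public\Cmwdnsyn.url"'},
    {"type": "process", "image": r"C:\Windows\System32\ping.exe",  # benign: not loopback
     "cmdline": "ping 8.8.8.8 -n 4"},
]

def _is_image(event, name):
    """True for a process event whose image file name is `name` (case-insensitive)."""
    return event.get("type") == "process" and event["image"].lower().endswith("\\" + name)

def _cmd_has(event, pattern):
    # Regex search over a process event's command line; False for other event types.
    return event.get("type") == "process" and re.search(pattern, event["cmdline"], re.I) is not None

# One rule per hunting query in the posts; a rule returns True when the event matches.
RULES = {
    "extrac32_dll_copy": lambda e: _is_image(e, "extrac32.exe") and _cmd_has(e, r"\.dll"),
    "mock_windows_dir": lambda e: _cmd_has(e, r"[\\/]windows [\\/]"),  # "\Windows \" with trailing space
    "ping_loopback_delay": lambda e: _cmd_has(e, r"\bping\s+127\.0\.0\.1\s+-n\s+\d+"),
    "run_key_url_value": lambda e: e.get("type") == "registry"
        and re.search(r"\\run\\[^\\]+$", e["target"], re.I) is not None
        and e["details"].lower().endswith(".url"),
    "esentutl_cmd_to_pif": lambda e: _is_image(e, "esentutl.exe") and _cmd_has(e, r"cmd\.exe.*\.pif"),
    "schtasks_url_trigger": lambda e: _is_image(e, "schtasks.exe") and _cmd_has(e, r"\.url"),
}

def match_events(events):
    """Return (rule_name, event) pairs for every rule that fires on every event."""
    return [(name, e) for e in events for name, rule in RULES.items() if rule(e)]

def triggered_rules(events):
    """Names of the rules that fired at least once."""
    return {name for name, _ in match_events(events)}

if __name__ == "__main__":
    for name, e in match_events(SAMPLE_EVENTS):
        print(f"[{name}] {e.get('cmdline') or e.get('target')}")
```

The first sample event fires two rules at once (the DLL copy and the mock directory), which is the kind of overlap worth weighting higher when tuning alerts.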

Have you heard of the rarely observed #LOLBAS technique abusing cdb.exe? A new backdoor called Squidoor utilizes this technique, and is in the toolkit of a suspected Chinese threat actor targeting multiple countries and sectors. https://bit.ly/3Fauuwk
Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations

We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth.

Unit 42

🚨 #XWorm leverages LOLBAS techniques to abuse #CMSTPLUA

CMSTPLUA is a legitimate Windows tool that can be exploited for system binary proxy execution using #LOLBAS techniques, bypassing security controls like #UAC, and executing #malicious code, putting organizations at risk.

⚙️ With Script Tracer in #ANYRUN Sandbox, a SOC team can analyze scripts more efficiently. It simplifies script breakdowns, making it easier to understand their behavior and get key insights.
The #script embedded in the INF file is used to coordinate an execution chain:
1️⃣ EXE starts cmstp.exe which is used to launch a #malicious script from an #INF file.

2️⃣ CMSTPLUA ➡️ mshta.exe ➡️ cmd.exe ➡️ EXE ➡️ PowerShell
#MSHTA loads a #VBScript from memory to run an executable and shuts down the #CMSTP process.
– EXE launches #PowerShell to add itself to #MicrosoftDefender exceptions.

3️⃣ Finally, it runs the XWorm #payload from the #System32 directory and adds itself to the Scheduled Task for persistence.

👨‍💻 Check out the analysis and see Script Tracer in action:
https://app.any.run/tasks/9352d612-8eaa-4fac-8980-9bee27b96bce/?utm_source=mastodon&utm_medium=post&utm_campaign=cmstplua&utm_term=130225&utm_content=linktoservice

Living-off-the-Land techniques have been leveraged for years to execute malicious operations using legitimate system utilities.
Use these TI Lookup search queries to find similar samples and improve the efficiency of your organization's security response:
🔍 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=cmstplua&utm_content=linktoti&utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522%255C%255C.inf%255C%2522%2520AND%2520imagePath:%255C%2522cmstp%255C%255C.exe$%255C%2522%2522,%2522dateRange%2522:180%7D
🔍 https://intelligence.any.run/analysis/lookup?utm_source=mastodon&utm_medium=post&utm_campaign=cmstplua&utm_content=linktoti&utm_term=130225#%7B%2522query%2522:%2522commandLine:%255C%2522mshta%2520vbscript:%255C%2522%2522,%2522dateRange%2522:180%7D

Analyze latest #malware and #phishing threats with #ANYRUN 🚀

#cybersecurity #infosec

Analysis SystemSettings.exe (MD5: 701A94F53D54D38A11F4E60BC4F95B18) Malicious activity - Interactive analysis ANY.RUN


Was looking for a good Awesome list on Living Off the Land ( #LOL #LOtL ) tools/techniques. Found some helpful sites / repos but either nothing I could contribute to or it was limited.

So... I made one: https://github.com/danzek/awesome-lol-commonly-abused

Contributions welcome, whether by replying to this post or sending a PR on GitHub.

#lolbins #lolbas

GitHub - danzek/awesome-lol-commonly-abused: Awesome list of Living off the Land (LOL) methods, tools, and features commonly abused by attackers


#LOLBAS project update:

Entries now have placeholders for paths, URLs, and more. This makes it easier to visually see what parts are "variable", and for LOLBAS API users (https://lolbas-project.github.io/api/) it'll be easier to use with automation.

Check it out:
https://lolbas-project.github.io

APIs | LOLBAS