Microsoft recently published a conspicuous list of
applications that are legitimate and yet could be exploited by attackers to bypass
Windows Defender.
These attackers try to slip into organizations' networks
and infect them by bypassing the security that Defender provides.
The attackers usually make use of living-off-the-land (LOTL) attack tactics,
where they use the victim's own operating system features or legitimate network
administration tools to compromise the network.
The major motive of this project was to understand the
binaries that were being misused by the attacker. They fall into four families:
· LOLBins - Living Off The Land Binaries
· LOLScripts - Living Off The Land Scripts
· LOLLibs - Living Off The Land Libraries
· GTFOBins - Unix Platform Binaries
The only point of abusing a legitimate app is to stay undetected
and thereby bypass the security measures of the network.
The LOTL tools are simply a way to be as stealthy as possible while
being as malignant as possible, without being easily caught.
The following applications are in the list that Microsoft published
and recommends removing if they are not in use:
· addinprocess.exe
· addinprocess32.exe
· addinutil.exe
· bginfo.exe[1]
· dbghost.exe
· dbgsvc.exe
· fsiAnyCpu.exe
· lxssmanager.dll
· msbuild.exe[2]
· system.management.automation.dll
· windbg.exe
Along with the published list, Microsoft has also strongly
recommended that users download the latest security updates.
In addition, it has provided "deny file rules" for
all of the listed apps.
Lateral movement and defense evasion happen to be the most
common ways in which these legitimate applications are exploited.
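As an added example (not part of the original article or of Microsoft's published rules), the script below turns the list above into a simple detection: it scans Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records and flags any execution or load of a listed binary or DLL. The `key=value|key=value` record format, the host paths and the sample events are all constructed for the example.

```python
"""Flag executions and loads of the binaries/DLLs from Microsoft's list
in Sysmon-style event records. Sample events below are constructed."""
import ntpath
from typing import Dict, Iterable, List

# The entries named in the article's list, lower-cased for matching.
BLOCKLIST = {
    "addinprocess.exe", "addinprocess32.exe", "addinutil.exe", "bginfo.exe",
    "dbghost.exe", "dbgsvc.exe", "fsianycpu.exe", "lxssmanager.dll",
    "msbuild.exe", "system.management.automation.dll", "windbg.exe",
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def check_event(event: Dict[str, str]) -> List[str]:
    """Return alert strings for one event. In Sysmon numbering, EventID 1 is
    process creation (field Image) and EventID 7 is image load (ImageLoaded);
    the DLLs in the list only ever show up in the latter."""
    alerts: List[str] = []
    if event.get("EventID") == "1":
        name = ntpath.basename(event.get("Image", "")).lower()
        if name in BLOCKLIST:
            alerts.append(f"process {name} started by {event.get('ParentImage')}")
    elif event.get("EventID") == "7":
        name = ntpath.basename(event.get("ImageLoaded", "")).lower()
        if name in BLOCKLIST:
            alerts.append(f"{name} loaded into {event.get('Image')}")
    return alerts


def scan(lines: Iterable[str]) -> List[str]:
    """Run check_event over every non-empty record and collect the alerts."""
    return [a for line in lines if line.strip()
            for a in check_event(parse_event(line))]


# Constructed sample events; paths are placeholders, not from a real host.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\example\\MSBuild.exe|ParentImage=C:\\Windows\\System32\\cmd.exe",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Windows\\explorer.exe",
    "EventID=7|Image=C:\\Users\\alice\\tool.exe|ImageLoaded=C:\\example\\lib\\System.Management.Automation.dll",
    "EventID=1|Image=C:\\Tools\\Bginfo.exe|ParentImage=C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Matching on the file name alone is deliberately broad; in production you would pair it with the deny rules the article mentions and tune on parent process and path.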