.png)
The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes, will soon include the main executables for Microsoft’s Outlook email client and Access database management system.
The main executable for the Microsoft Publisher application has already been confirmed that it can download payloads from a remote server.
LOLBAS stands for Living-off-the-Land Binaries and Scripts and are typically described as signed files that are either native to the Windows operating system or downloaded from Microsoft.
They are legitimate tools that hackers can abuse during post-exploitation activity to download and/or run payloads without triggering defensive mechanisms.
According to recent research, even executables that are not signed by Microsoft serve purposes that are useful in attacks, such as reconnaissance.
Microsoft Office binaries
The LOLBAS project currently lists over 150 Windows-related binaries, libraries, and scripts that can help attackers execute or download malicious files or bypass lists of approved programs.
Nir Chako, a security researcher at Pentera, a company that provides an automated security validation solution, recently set off to discover new LOLBAS files by looking at the executables in the Microsoft Office suite.
source: Pentera
He tested all of them manually and found three - MsoHtmEd.exe, MSPub.exe, and ProtocolHandler.exe - that could be used as downloaders for third-party files, thus fitting the LOLBAS criteria.
The researchers shared with BleepingComputer a video that shows MsoHtmEd reaching the test HTTP server with a GET request, indicating an attempt to download a test file.
Later in his research, Chako discovered that MsoHtmEd could also be used to execute files.
Animated by this initial success and already knowing the algorithm to find the appropriate files manually, the researcher developed a script to automate the verification process and cover a larger pool of executables faster.
“Using this automated method, we managed to find six more downloaders! All in all, we discovered nine new downloaders! That’s almost a 30% increase in the official LOLBAS downloaders list” - Nir Chako
In a blog post today, he explains the refinements added to the script that enabled listing the binaries in Windows and testing them for download capabilities beyond the intended design.
In total, the Pentera researcher discovered 11 new files with download and execute functionalities that meet the principles of the LOLBAS project.
| LOLBAS | Functionality | LOLBAS projectStatus |
| ProtocolHandler | Download | Accepted |
| MSPub | Download | Accepted |
| MsoHtmEd | Download, Execute | Accepted |
| PresentationHost | Download | Accepted |
| ConfigSecurityPolicy | Download | Accepted |
| InstallUtil | Download | Accepted |
| MSHta | Download | Accepted |
| Outlook | Download | Pull Request |
| MSAccess | Download | Pull Request |
| Sftp | Execute | Pull Request |
| Scp | Execute | Pull Request |
Standing out are MSPub.exe, Outlook.exe and MSAccess.exe, which an attacker or a penetration tester could use to download third-party files, the researcher says.
While MSPub has been confirmed that it can download arbitrary payloads from a remote server, the other two are yet to be added to the LOLBAS list. They have not been included because of a technical error, Chako told BleepingComputer.
“I accidentally submitted 3 Pull requests with the same code that was committed, so I need to submit them again in an orderly manner, so that they can officially be included in the project. The clerical error on my end aside, they will be part of the project.” - Nir Chako
New LOLBAS sources
Apart from Microsoft binaries, Chako also found files from other developers that meet the LOLBAS criteria, one example being the popular PyCharm suite for Python development.
source: Pentera
The PyCharm installation folder contains elevator.exe (signed and verified by JetBrains), which can execute arbitrary files with elevated privileges.
Another file in the PyCharm directory is WinProcessListHelper.exe, which Chako says can serve reconnaissance purposes by enumerating all the processes running on the system.
Another example of a LOLBAS reconnaissance tool he provided BleepingComputer is mkpasswd.exe, part of the Git installation folder, which can offer the entire list of users and their security identifiers (SIDs).
Chako’s journey started with two weeks to formulate a correct approach to discover new LOLBAS files, which resulted in finding three.
After understanding the concept, he spent another week creating the tools to automate the discovery. The effort paid off, as the scripts enabled him to go through “the entire pool of Microsoft binaries” in about five hours.
The reward is even larger, though. Chako told us that the tools he developed can also run on other platforms (e.g. Linux or custom cloud virtual machines), either in their current state or with minor modifications, to explore new LOLBAS territory.
However, knowing about the LOLBAS threats can help defenders define adequate methodologies and mechanisms to prevent or mitigate cyberattacks.
Pentera published a paper with full details on how researchers, red-teamers, and defenders can find new LOLBAS files.
Comments
janhec - 1 month ago
Helped me to realize that using a program with updates through a starter should not just assume the name of the program, but actually check whether it is properly signed.
Should MS not do the same? Programs as MSOHTMED.EXE are for internal use only, so checking MS signature would appear very easy and, imo, quite effective as long as signing keys are kept safe, at least.
Something on the same lines can be done with URL's, I suppose.
And finally, some AV checks on the use of e.g. spawn to evaluate potential dangers.
Could such an approach help in automated identifying of potential LOLBAS'ses?
C-h4ck-0 - 1 month ago
Hello janhec,
I'm Nir Chako from Pentera, the author of the research. Thank you for your interest; I hope you find it intriguing.
I'll address both parts of your comment. Firstly, MsoHtmEd.exe is indeed signed by Microsoft. To tackle LOLBAS, consider assuming that malicious actions could exploit these trusted signed files. Instead of relying solely on signed binaries, focus on alternative concepts. One approach could involve enforcing specific usage patterns. For instance, implementing an application whitelist is good, but enhancing it by defining execution flows using whitelist or even blacklist formats might be more effective (e.g., preventing Microsoft Office binaries from executing via the command line).
Secondly, using the AV as an indicator is an interesting idea, although it might be a bit complex to set up. ProcMon should work well. I appreciate the concept of identifying potential LOLBAS candidates through AV logs. If I understand correctly, you can analyze AV log records to identify processes spawning other processes. This could indicate the presence of execution functionality, prompting the question of how to reach that specific code branch.
Best of luck!