Microsoft recently published a list of applications that are
legitimate and yet could be exploited by hackers to bypass
Windows Defender.
These hackers try to slip into organizations’ networks
and infect them by bypassing the security that Defender imparts.
The hackers usually make use of living-off-the-land attack tactics,
where they use the victim’s own operating system features or legitimate network
administration tools to compromise the network.
The major motive of this project was to understand the
binaries that are being misused by attackers. They fall into the following categories:
· LOLBins - Living Off The Land Binaries
· LOLScripts - Living Off The Land Scripts
· LOLLibs - Living Off The Land Libraries
· GTFOBins - Unix Platform Binaries
The whole point of using legitimate applications is to stay undetected
and so bypass the security measures of the network.
LOTL tools are simply a way to be as stealthy as possible while
doing as much damage as possible without being easily caught.
The following applications are on the list that Microsoft published
and recommends removing or blocking if they are not in use:
· addinprocess.exe
· addinprocess32.exe
· addinutil.exe
· bash.exe
· bginfo.exe[1]
· cdb.exe
· csi.exe
· dbghost.exe
· dbgsvc.exe
· dnx.exe
· fsi.exe
· fsiAnyCpu.exe
· kd.exe
· ntkd.exe
· lxssmanager.dll
· msbuild.exe[2]
· mshta.exe
· ntsd.exe
· rcsi.exe
· system.management.automation.dll
· windbg.exe
· wmic.exe
Along with the published list, Microsoft has also strongly
recommended that users install the latest security updates.
In addition, it has provided “deny file rules” for
all of the listed applications.
Lateral movement and defense evasion are the most common
ways in which these legitimate applications are abused.
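Because the binaries above are signed Windows components, blocking them outright is not always possible; the defensive fallback is to watch for their execution. The following example, written for this page and not taken from Microsoft or from the project described here, runs a simple detector over constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The field names `Image`, `ParentImage`, `CommandLine`, `ImageLoaded` and `User` follow Sysmon's conventions; the `key=value;` line layout and every sample record are constructed for illustration, and the detector matches only on the file names that appear in the list above (the two DLLs are matched on image-load events rather than process creation).

```python
import ntpath
from collections import Counter

# Executables from the Microsoft block list reproduced on this page
# (file names only, lower-cased; the page gives no paths or hashes).
BLOCKLISTED_BINARIES = {
    "addinprocess.exe", "addinprocess32.exe", "addinutil.exe", "bash.exe",
    "bginfo.exe", "cdb.exe", "csi.exe", "dbghost.exe", "dbgsvc.exe", "dnx.exe",
    "fsi.exe", "fsianycpu.exe", "kd.exe", "ntkd.exe", "msbuild.exe",
    "mshta.exe", "ntsd.exe", "rcsi.exe", "wmic.exe", "windbg.exe",
}
# DLLs from the same list: these never appear as the Image of a process-creation
# event, so they are matched against image-load (Event ID 7) records instead.
BLOCKLISTED_LIBRARIES = {"lxssmanager.dll", "system.management.automation.dll"}

# Constructed sample telemetry (not real events). Assumption: one record per
# line, fields separated by ";" and no ";" inside a field value.
SAMPLE_EVENTS = [
    "EventId=1;Image=C:\\Windows\\System32\\notepad.exe;"
    "ParentImage=C:\\Windows\\explorer.exe;CommandLine=notepad.exe notes.txt;User=CORP\\alice",
    "EventId=1;Image=C:\\Windows\\System32\\mshta.exe;"
    "ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE;"
    "CommandLine=mshta.exe http://example.invalid/page.hta;User=CORP\\alice",
    "EventId=1;Image=C:\\Windows\\System32\\wbem\\wmic.exe;"
    "ParentImage=C:\\Windows\\System32\\cmd.exe;"
    "CommandLine=wmic.exe /node:FS01 process list brief;User=CORP\\alice",
    "EventId=1;Image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe;"
    "ParentImage=C:\\Windows\\System32\\cmd.exe;"
    "CommandLine=MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\build.csproj;User=CORP\\alice",
    "EventId=1;Image=C:\\Users\\alice\\Downloads\\bginfo.exe;"
    "ParentImage=C:\\Windows\\explorer.exe;CommandLine=bginfo.exe config.bgi;User=CORP\\alice",
    "EventId=7;Image=C:\\Users\\alice\\AppData\\Local\\Temp\\runner.exe;"
    "ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\System.Management.Automation.dll;"
    "User=CORP\\alice",
]


def parse_event(line):
    """Split a constructed 'key=value;key=value' record into a dict."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        if key:
            fields[key] = value
    return fields


def classify(event):
    """Return (matched file name, reason) if the event touches a blocklisted file, else None."""
    if event.get("EventId") == "1":
        image = ntpath.basename(event.get("Image", "")).lower()
        if image in BLOCKLISTED_BINARIES:
            return image, "process creation of blocklisted binary"
    elif event.get("EventId") == "7":
        loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
        if loaded in BLOCKLISTED_LIBRARIES:
            return loaded, "load of blocklisted library"
    return None


def scan(lines):
    """Run the detector over raw records and return one finding per hit, in input order."""
    findings = []
    for line in lines:
        event = parse_event(line)
        hit = classify(event)
        if hit is None:
            continue
        name, reason = hit
        findings.append({
            "file": name,
            "reason": reason,
            "image": event.get("Image"),
            "parent": event.get("ParentImage"),   # parent context helps triage (e.g. Office -> mshta)
            "user": event.get("User"),
        })
    return findings


def summarize(findings):
    """Count hits per blocklisted file, the shape a 'which of these are in use' review needs."""
    return Counter(f["file"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['reason']}: {f['file']} (parent={f['parent']}, user={f['user']})")
    print(dict(summarize(scan(SAMPLE_EVENTS))))
```

The summary is the useful output: binaries that never show up in legitimate use are candidates for the deny rules mentioned above, while those that do (wmic.exe on an admin workstation, MSBuild on a build server) need parent-process and path context before alerting, which is why each finding carries `parent` and `image`.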