A Wolf in Sheep\\'s Clothing: Dissecting Living off the Land Techniques

  • Thursday, 11 Jun 2020 10:30AM EDT (11 Jun 2020 14:30 UTC)
  • Speakers: Jake Williams, Tamas Boczan

To fulfill the needs of system administrators and power users, for decades Microsoft has been releasing Windows tools which provide high-level command line interfaces to interact with the system: execute scripts, change operating system and user settings, install programs, download or modify files.

Naturally, attackers have also adopted these easy-to-use, Microsoft-provided tools to both make malware development easier, and to bypass security mitigations.

Because such tools aim to provide the widest possible functionality to legitimate users, they often implement unexpected features. With a bit of creativity, these often-half-forgotten features can be used to download files or achieve code execution. Because the tools are signed by Microsoft, they also provide the attacker with a way to execute malicious code with Microsoft-signed binaries without code injection, defeating application whitelisting. The umbrella term for attack techniques using Microsoft-signed tools in such a way is often referred to as 'living Off the Land ' (LOL), and the binaries used in the technique as LOLBINs.

In this webcast:

  • - Learn what LOLBINs are commonly used in the wild by malware,
  • - See real-world examples of interesting LOL techniques,
  • - Understand how to hunt for attacks using the technique and defend against them.


VMRay Logo - Dark Blue