Hackers are abusing Microsoft tools more than ever
- The increase in the number of LOLbins used in attacks this year has been significant
- The most commonly used are RDP, PowerShell, cmd.exe and net.exe
- Sophos has shared mitigation tips for anyone affected
The increase in misuse of Microsoft’s LOLbins (Living Off the Land binaries) in the first half of 2024 is nothing short of alarming, a new report from Sophos claims.
The Sophos 2024 Active Adversary Report, which analyzes cases handled by the Incident Response (IR) and Managed Detection and Response (MDR) teams, says hackers used 187 LOLbins in their attacks in the first half of this year, an increase of 51% compared to 2023. In 2021, the team observed exactly 100 LOLbins used.
Living Off the Land Binaries are legitimate executables and scripts native to operating systems, often pre-installed, that attackers exploit to perform malicious actions while evading detection. They are familiar tools, such as PowerShell or cmd.exe, making their activities more difficult to distinguish from normal administrative tasks.
RDP rules the landscape
Sophos says the most commonly abused LOLbins this year were RDP, PowerShell, cmd.exe and net.exe, with RDP alone involved in almost 89% of cases. This wasn’t a big surprise to the researchers either: “For the most part, the names in the figure above are no surprise to regular readers of the Active Adversary Report – RDP rules the landscape, with cmd.exe, PowerShell, and net.exe showing their usual strong results,” they said.
Furthermore, binaries commonly used for discovery or enumeration appear to be the most common: of the top 29 LOLbins, 16 served such a purpose. Microsoft’s tools are increasingly being used because of their legitimacy, signed status and ubiquity within operating systems, the report said.
To combat the misuse of Microsoft LOLbins, organizations must adopt a multi-layered security approach, Sophos concludes.
This ranges from restricting access to commonly abused tools to monitoring and logging their use. Additionally, organizations should deploy endpoint detection and response (EDR) solutions and disable unused LOLbins. Finally, applying regular software updates and training employees to recognize phishing and social engineering attacks can further reduce risks, the report says.
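The monitoring-and-logging advice above only helps if someone turns process-creation telemetry into alerts. The script below is an added example, not code from Sophos or from the article, showing one way to do that for the binaries the report names: it parses a handful of constructed Sysmon-style process-creation records, keeps only watchlisted binaries, flags those whose command line looks like discovery or enumeration (the category the report says dominates) or whose parent process is an unusual launcher, and counts distinct LOLbins seen per host. The watchlist, the discovery regexes, the suspicious-parent list and the sample records are all assumptions made for this example, not a published detection rule.

```python
"""Flag Living-off-the-Land binary (LOLbin) use in process-creation telemetry.

Added example (not from the Sophos report or the article). Input is JSON lines
resembling Sysmon Event ID 1 records. The watchlist, discovery patterns and
suspicious-parent list are assumptions chosen for illustration.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Binaries the article names as most abused (mstsc.exe stands in for RDP use),
# keyed by lower-case file name. Assumed watchlist, extend to taste.
LOLBIN_WATCHLIST = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "mstsc.exe"}

# Command-line fragments that suggest discovery/enumeration rather than routine use.
DISCOVERY_PATTERNS = [
    re.compile(r"\bnet(?:1)?(?:\.exe)?\s+(?:user|group|localgroup|view|share)\b", re.I),
    re.compile(r"\bwhoami\b", re.I),
    re.compile(r"\bnltest\b", re.I),
    re.compile(r"\bGet-AD(?:User|Group|Computer)\b", re.I),
]

# Parent processes from which a shell or net.exe is rarely a legitimate child.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}


@dataclass
class ProcessEvent:
    host: str
    user: str
    image: str
    command_line: str
    parent_image: str


@dataclass
class Finding:
    host: str
    binary: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-case file name of a Windows path, so matching ignores directory and case."""
    return PureWindowsPath(path).name.lower()


def parse_log(text: str) -> list:
    """Parse JSON-lines telemetry into ProcessEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append(ProcessEvent(rec["host"], rec["user"], rec["image"],
                                   rec["cmdline"], rec["parent"]))
    return events


def analyze(events):
    """Return (findings, per-host count of distinct watchlisted binaries)."""
    findings = []
    per_host = defaultdict(set)
    for ev in events:
        binary = basename(ev.image)
        if binary not in LOLBIN_WATCHLIST:
            continue
        per_host[ev.host].add(binary)
        reasons = []
        if any(p.search(ev.command_line) for p in DISCOVERY_PATTERNS):
            reasons.append("discovery command line")
        parent = basename(ev.parent_image)
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"spawned by {parent}")
        if reasons:
            findings.append(Finding(ev.host, binary, reasons))
    return findings, {h: len(b) for h, b in per_host.items()}


# Constructed sample telemetry: an Office-spawned shell running domain
# enumeration on WS-101, a routine scheduled PowerShell script on SRV-02, and
# an ordinary RDP client launch. Hosts, users and paths are made up.
SAMPLE_LOG = r"""
{"host": "WS-101", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c net user /domain", "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
{"host": "WS-101", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -Command Get-ADGroup -Filter *", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"host": "WS-101", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net  group \"Domain Admins\" /domain", "parent": "C:\\Windows\\System32\\cmd.exe"}
{"host": "SRV-02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1", "parent": "C:\\Windows\\System32\\svchost.exe"}
{"host": "SRV-02", "user": "CORP\\admin1", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe C:\\temp\\notes.txt", "parent": "C:\\Windows\\explorer.exe"}
{"host": "WS-101", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\mstsc.exe", "cmdline": "mstsc.exe /v:SRV-02", "parent": "C:\\Windows\\explorer.exe"}
"""

if __name__ == "__main__":
    found, counts = analyze(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.host}: {f.binary} -> {', '.join(f.reasons)}")
    print("distinct LOLbins per host:", counts)
```

Two design points matter in practice. Matching on the file name alone is deliberate, because the same binary turns up under several paths (System32, SysWOW64, a renamed copy), and the parent-process check is what separates an analyst's cmd.exe from one launched by a document: the routine backup script on SRV-02 is counted toward the host's LOLbin tally but never raises a finding. The per-host count is the cheap signal the report's own metric suggests: a workstation that suddenly exercises four different LOLbins in a short window deserves a look even before any single command line is judged malicious.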