Living Off the Land Binaries and Scripts(github.com)
github.com
Living Off the Land Binaries and Scripts
https://github.com/LOLBAS-Project/LOLBAS/blob/master/README.md
8 comments
LOLBAS: Living Off the Land Binaries, Scripts and Libraries - https://news.ycombinator.com/item?id=36629505 - July 2023 (29 comments)
LOLBAS a great project, and is really useful when you're on systems and can't easily import new binaries.
It can also provide a good list of binaries to blacklist (or at least monitor and alert on), as long as you do it with care. For instance, how often is something like "whoami" or "certutil" or "wmic" ever legitimately run on most servers?
It can also provide a good list of binaries to blacklist (or at least monitor and alert on), as long as you do it with care. For instance, how often is something like "whoami" or "certutil" or "wmic" ever legitimately run on most servers?
I don’t quite get the name “living off the land” even after reading the repo and hearing about who named and the poll.
How is reusing something beyond its intended purpose living off the land?
How is reusing something beyond its intended purpose living off the land?
"Living off the land" is to accomplish tasks from the environment in which you find yourself, minimizing any use of external things.
You've crash landed in a forest with a hatchet. How do you survive without a phone and just the clothes on your back?
You're on an unfamiliar machine. What can you do without reaching out to download convenient tools?
In both instances, creativity is needed to live off the land. There are constraints that prevent solutions expedient in time or space. So you may need to expend both to achieve the same end: writing scripts to bootstrap up, and leveraging vulnerabilities to accomplish workarounds.
You've crash landed in a forest with a hatchet. How do you survive without a phone and just the clothes on your back?
You're on an unfamiliar machine. What can you do without reaching out to download convenient tools?
In both instances, creativity is needed to live off the land. There are constraints that prevent solutions expedient in time or space. So you may need to expend both to achieve the same end: writing scripts to bootstrap up, and leveraging vulnerabilities to accomplish workarounds.
This kind of makes sense, but then wouldn’t you be interested in designed functions too.
If I crash land, I definitely want to know edible mushrooms vs poisonous. But if there’s a cooler full of supplies with a sign that says “help yourself” that’s useful too.
If I crash land, I definitely want to know edible mushrooms vs poisonous. But if there’s a cooler full of supplies with a sign that says “help yourself” that’s useful too.
I've only heard of LOLBins in the context of ≈malware / exploits / pen-testing, where they are used trying to circumvent anomaly / intrusion detection systems by doing what you need with already existing or approved binaries.
So in the same way as the initial exploit probably could be called "reusing something beyond its intended purpose" LOLBins can help you continue, to get a persistent reverse shell or exfiltrate some data.
(But I guess they theoretically could be used in some Apollo 13-esque scene, trying to get the backup's off some really broken system or something)
So in the same way as the initial exploit probably could be called "reusing something beyond its intended purpose" LOLBins can help you continue, to get a persistent reverse shell or exfiltrate some data.
(But I guess they theoretically could be used in some Apollo 13-esque scene, trying to get the backup's off some really broken system or something)
If you're living off the land IRL, you forage and take what nature gives you, and it's important to recognize safe plants, fungi, etc. you can use because you can't go shopping.
In cybersecurity, the concept is that it's easier to go undetected or just get things done if you're a hacker if you can use apps that are already installed on the system versus installing new systems, which will often raise red flags or be locked down. So you learning to see if target system already has GroupChatApp installed and if so, it lets you escalate permissions in a way that otherwise you couldn't do.
In cybersecurity, the concept is that it's easier to go undetected or just get things done if you're a hacker if you can use apps that are already installed on the system versus installing new systems, which will often raise red flags or be locked down. So you learning to see if target system already has GroupChatApp installed and if so, it lets you escalate permissions in a way that otherwise you couldn't do.
those binaries allow for exploitation, and they are already present on the target system, so you don't need to infiltrate any additional tools.
Usually they are also signed and do not get detected by AV tools.
Usually they are also signed and do not get detected by AV tools.