
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Living off the Land

Names: Living off the Land, LOLBins, LOLBAS
Category: Tools
Description: (Talos) Attackers' trends tend to come and go. But one popular technique we're seeing at this time is the use of living-off-the-land binaries — or 'LoLBins'. LoLBins are used by different actors combined with fileless malware and legitimate cloud services to improve chances of staying undetected within an organisation, usually during post-exploitation attack phases.

Living-off-the-land tactics mean that attackers are using pre-installed tools to carry out their work. This makes it more difficult for defenders to detect attacks and researchers to identify the attackers behind the campaign. In the attacks we're seeing, there are binaries supplied by the victim's operating system that are normally used for legitimate purposes, but in these cases, are being abused by the attackers.

(LOLBAS Project) The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

A LOLBin/Lib/Script must:

• Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
• Have extra 'unexpected' functionality. It is not interesting to document intended use cases.
  ◦ Exceptions are application whitelisting bypasses
• Have functionality that would be useful to an APT or red team

Interesting functionality can include:

• Executing code
  ◦ Arbitrary code execution
  ◦ Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
• Compiling code
• File operations
  ◦ Downloading
  ◦ Upload
  ◦ Copy
• Persistence
  ◦ Pass-through persistence utilizing existing LOLBin
  ◦ Persistence (e.g. hide data in ADS, execute at logon)
• UAC bypass
• Credential theft
• Dumping process memory
• Surveillance (e.g. keylogger, network trace)
• Log evasion/modification
• DLL side-loading/hijacking without being relocated elsewhere in the filesystem.
Information: https://github.com/LOLBAS-Project/LOLBAS
https://lolbas-project.github.io/
https://blog.talosintelligence.com/2019/11/hunting-for-lolbins.html
AlienVault OTX: https://otx.alienvault.com/browse/pulses?q=tag:lolbin

Last change to this tool card: 20 April 2020


All groups using tool Living off the Land

Name | Country | Observed | Changed

APT groups

APT 20, Violin Panda | China | 2014-2017 |
APT 29, Cozy Bear, The Dukes | Russia | 2008-2020 | X
APT 33, Elfin, Magnallium | Iran | 2013-Nov 2019 |
APT 41 | China | 2012-Aug 2020 HOT | X
AVIVORE | China | 2015 |
Berserk Bear, Dragonfly 2.0 | Russia | 2015-May 2017 |
BlackTech, Circuit Panda, Radio Panda | China | 2010-2020 |
Calypso | China | 2016 |
Chafer, APT 39 | Iran | 2014-2018 |
Comment Crew, APT 1 | China | 2006-May 2018 | X
El Machete | [Unknown] | 2010-Jun 2020 |
Emissary Panda, APT 27, LuckyMouse, Bronze Union | China | 2010-Mar 2020 |
FIN6, Skeleton Spider | [Unknown] | 2015-Mar 2020 |
Gallmaker | [Unknown] | 2017 |
Gangnam Industrial Style | [Unknown] | 2019 |
Goblin Panda, Cycldek, Conimes | China | 2013-2018 |
Gorgon Group | Pakistan | 2017-Jul 2020 |
Honeybee | [Unknown] | 2017 |
Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon | China | 2010-May 2020 |
Kimsuky, Velvet Chollima | North Korea | 2013-Mar 2020 | X
Leviathan, APT 40, TEMP.Periscope | China | 2013-Jan 2020 |
Lotus Blossom, Spring Dragon, Thrip | China | 2012-Jun 2018 |
MuddyWater, Seedworm, TEMP.Zagros, Static Kitten | Iran | 2017-Oct 2020 HOT | X
Naikon, Lotus Panda | China | 2012-2017 |
OilRig, APT 34, Helix Kitten, Chrysene | Iran | 2014-Apr 2020 | X
Orangeworm | [Unknown] | 2015-Jan 2020 |
Platinum | China | 2009-Nov 2019 |
Silence, Contract Crew | [Unknown] | 2016-Jan 2020 |
Sofacy, APT 28, Fancy Bear, Sednit | Russia | 2004-Aug 2020 HOT | X
Stone Panda, APT 10, menuPass | China | 2006-Jul 2020 | X
TA505, Graceful Spider, Gold Evergreen | Russia | 2006-Oct 2020 HOT | X
TeleBots | Russia | 2015-Oct 2020 HOT | X
Temper Panda, admin@338 | China | 2014 |
Tonto Team, HartBeat, Karma Panda | China | 2009-Dec 2019 |
Turbine Panda, APT 26, Shell Crew, WebMasters, KungFu Kittens | China | 2010-Oct 2018 | X
Turla, Waterbug, Venomous Bear | Russia | 1996-Jun 2020 |
Whitefly, Mofang | [Unknown] | 2012-Jul 2018 |

Other groups

TA554 | [Unknown] | 2017 |

38 groups listed (37 APT, 1 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
