Technology

Hackers are abusing Microsoft tools more than ever before

December 14, 2024

The rise in LOLbins used in attacks this year has been significant
Most common ones used include RDP, PowerShell, cmd.exe, and net.exe
Sophos has shared mitigation tips for anyone affected

The rise in the abuse of Microsoft’s LOLbins (Living Off the Land binaries) in the first half of 2024 has been nothing short of alarming, a new report from Sophos has claimed.

The Sophos 2024 Active Adversary Report, which analyzes cases handled by its Incident Response (IR) and Managed Detection and Response (MDR) teams, says that in H1 of this year, hackers used 187 LOLbins in their attacks, a 51% increase compared to 2023. In 2021, the team observed exactly 100 LOLbins used.

Living Off the Land Binaries are legitimate executables and scripts native to operating systems, often pre-installed, that attackers abuse to perform malicious actions while evading detection. They are trusted tools, such as PowerShell or cmd.exe, making their activity harder to distinguish from normal administrative tasks.

RPD rules the landscape

Sophos says commonly abused LOLbins this year included RDP, PowerShell, cmd.exe, and net.exe, with RDP alone implicated in nearly 89% of cases. This didn’t come as much of a surprise for the researchers, too: “For the most part the names in the figure above are no surprise to regular readers of the Active Adversary Report – RDP rules the landscape, with cmd.exe, PowerShell, and net.exe making their usual strong showing,” they said.

Furthermore, binaries usually used for discovery or enumeration seem to be most prevalent, as of the top 29 LOLbins, 16 served such a purpose. Microsoft’s tools are being increasingly leveraged due to their legitimacy, signed status, and ubiquity within operating systems, it was said.

To mitigate the abuse of Microsoft LOLBins, organizations should adopt a multi-layered security approach, Sophos concludes.

This includes a number of things, from restricting access to commonly abused tools, to monitoring and logging the use of the binaries. Furthermore, they should implement endpoint detection and response solutions (EDR), and disable unused LOLbins. Finally, regularly applying software updates and educating employees on recognizing phishing and social engineering attacks can further reduce risks, they said.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

LEAVE A REPLY Cancel reply

EDITOR PICKS

POPULAR POSTS

QUICK LINKS

ABOUT US

FOLLOW US

Cookie bar