Sophos observed a significant rise in Microsoft LOLbins abused by attackers in H1 2024 compared to 2023
Analysis Summary
# Tool/Technique: Microsoft Living Off the Land Binaries (LOLbins) Abuse
## Overview
Microsoft Living Off the Land Binaries (LOLbins) are legitimate, signed Microsoft tools already present on operating systems or downloaded from trusted sources. Threat actors abuse these tools because they are often overlooked by security defenses when used in seemingly benign ways, aiding in stealthy operations. The use of these tools saw a 51% rise in H1 2024 compared to 2023, with 187 unique binaries observed across 190 incidents.
## Technical Details
- Type: Technique (Tool Abuse)
- Platform: Windows
- Capabilities: Execution, Defense Evasion, Credential Access (depending on the specific LOLbin used)
- First Seen: Ongoing/Continual; observed increase in H1 2024.
## MITRE ATT&CK Mapping
Since this covers a *category* of tools, common mappings include execution and defense evasion:
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- T1059.003 - Windows Command Shell
- T1218 - Signed Binary Proxy Execution (General LOLbin usage)
- T1021 - Remote Services (Specific to RDP)
## Functionality
### Core Capabilities
The core "capability" is leveraging existing system utilities for malicious purposes:
- **Execution:** Running arbitrary commands via `cmd.exe` or `PowerShell`.
- **Remote Access:** Utilizing legitimate Remote Desktop Protocol (RDP) for initial access or lateral movement.
- **Network/System Configuration:** Using tools like `net.exe` to manage network connections or user accounts.
### Advanced Features
The abuse gains effectiveness through stealth and inherent trust:
- **Stealth:** Since the binaries are signed and legitimate, simple execution monitoring often fails to flag them as malicious.
- **Persistence/Evasion:** Used to maintain command and control or execute subsequent stages without introducing new anomalous executables.
## Indicators of Compromise
As these are legitimate executables, indicators focus on anomalous usage patterns:
- File Hashes: N/A (these are signed Microsoft files; their hashes are system-dependent).
- File Names: `rdpcli.exe` (implied by RDP abuse), `cmd.exe`, `powershell.exe`, `net.exe`.
- Registry Keys: N/A (Focus is on execution behavior).
- Network Indicators: Abuse of RDP connections that exhibit anomalous source/destination behavior.
- Behavioral Indicators: Unsigned scripts executed via PowerShell, execution of `cmd.exe` spawned from unusual parent processes (e.g., MS Office applications), or excessive RDP activity from unexpected sources.
## Associated Threat Actors
The report does not attribute the general trend of LOLbin abuse to specific named groups, but they are utilized broadly by threat actors targeting stealth.
## Detection Methods
- Signature-based detection: Ineffective against the binaries themselves.
- Behavioral detection: The critical layer. Focus on process lineage, command-line arguments, execution frequency, and execution context; monitor for PowerShell running encoded commands or `cmd.exe` performing suspicious administrative tasks.
- YARA rules: Less suitable for core LOLbins; better suited for detecting artifacts *dropped* by LOLbin execution or specific anomalous command patterns.
## Mitigation Strategies
- Prevention measures: Implementing application control solutions like Windows Defender Application Control (WDAC) or AppLocker to restrict execution context or paths for non-essential binaries.
- Hardening recommendations: Rigorously audit and lock down Remote Desktop Protocol (RDP) access; restrict PowerShell execution policies; enforce least privilege to limit what an attacker can achieve through an abused binary; understand and baseline "normal" usage of these tools in the environment so deviations stand out.
## Related Tools/Techniques
The report associated the following "artifacts" (third-party tools often deployed *after* initial LOLbin foothold, or alongside them):
- mimikatz (Credential Access)
- Cobalt Strike (Command and Control/Execution)
- AnyDesk (Remote Access)
---
# Tool/Technique: LockBit (Ransomware)
## Overview
LockBit is the most dominant Ransomware-as-a-Service (RaaS) group tracked in the first half of 2024, responsible for approximately 21% of tracked ransomware incidents, despite high-profile law enforcement actions (Operation Cronos).
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Primarily Windows, though variants can target other OSs.
- Capabilities: Encryption, extortion, data exfiltration (double/triple extortion).
- First Seen: Initial variants emerged prior to 2022, continually updated.
## MITRE ATT&CK Mapping
(General Ransomware Tactics)
- T1486 - Data Encrypted for Impact
- T1565.001 - Data from Organization Sensitive: Exfiltration (Double Extortion component)
## Functionality
### Core Capabilities
- Mass encryption of accessible files on victim networks.
- Deployment of ransom notes demanding payment.
### Advanced Features
- RaaS model: Allowing affiliates to conduct attacks while the core LockBit developers maintain the infrastructure.
- Resilience: Demonstrated persistence in operations even after major takedown attempts (like Operation Cronos).
## Indicators of Compromise
(Specific IOCs are not provided in the text, only general group presence)
- File Hashes: N/A (Specific IOCs change frequently per campaign).
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Ransom note file creation, volume shadow copy deletions (`vssadmin delete shadows`), discovery commands.
## Associated Threat Actors
- LockBit group affiliates (Developers and operators of the RaaS infrastructure).
## Detection Methods
- Signature-based detection: Effective against known payload hashes.
- Behavioral detection: Detecting unusual file renaming patterns, high rates of file access/encryption, and shadow copy destruction.
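The behavioral indicators listed for LOLbin abuse earlier (a shell spawned by an Office application, PowerShell with an encoded command) and the shadow copy deletion listed for LockBit can be expressed as rules over process-creation telemetry. The following is an added example written for this page, not code from the Sophos report; the events are constructed in Sysmon Event ID 1 style and the rule names are illustrative.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields);
# sample data written for this example, not taken from the report.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand UGxhY2Vob2xkZXI="},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def has_encoded_command(cmdline):
    """powershell.exe accepts any unambiguous prefix of -EncodedCommand
    (-e, -ec, -enc, ...), so each switch is tested as a prefix, not a fixed string."""
    for tok in cmdline.split():
        if tok.startswith("-") and len(tok) > 1 and "encodedcommand".startswith(tok[1:].lower()):
            return True
    return False

def evaluate(event):
    """Return the names of the rules one event triggers (empty list if none)."""
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("shell_spawned_by_office")
    if image in ("powershell.exe", "pwsh.exe") and has_encoded_command(cmd):
        hits.append("powershell_encoded_command")
    if image == "vssadmin.exe" and re.search(r"\bdelete\s+shadows\b", cmd, re.IGNORECASE):
        hits.append("shadow_copy_deletion")
    return hits

def scan(events):
    """Map event index -> triggered rules, for events matching at least one rule."""
    results = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results
```

The two benign events (an interactive `cmd.exe /c dir` and a scheduled backup script) pass untouched, which is the point of lineage and argument checks over plain image-name matching.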
## Mitigation Strategies
- Prevention measures: Robust backup strategy (immutable or offline), network segmentation, and advanced endpoint detection and response (EDR).
- Hardening recommendations: Regular patching, strict control over initial access vectors (Phishing/RDP), and monitoring for credential theft tools (often preceding ransomware deployment).
## Related Tools/Techniques
This group is often observed deploying other tools like Cobalt Strike or utilizing the LOLbins discussed previously during their operational cycles.
---
# Tool/Technique: Akira (Ransomware)
## Overview
Akira is the second most prominent ransomware strain tracked in H1 2024, accounting for 9% of incidents analyzed.
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Primarily Windows.
- Capabilities: Encryption and extortion.
- First Seen: Active since early 2023, increasing in visibility.
## MITRE ATT&CK Mapping
- T1486 - Data Encrypted for Impact
## Functionality
Core ransomware impact focused on encryption and demanding ransom.
## Indicators of Compromise
No specifics provided in the text.
## Associated Threat Actors
- Akira Ransomware Operators.
## Detection Methods
Standard ransomware detection techniques focusing on rapid file modification and encryption patterns.
## Mitigation Strategies
Standard ransomware mitigation focused on backup and network security.
## Related Tools/Techniques
N/A
---
# Tool/Technique: Faust (Ransomware Variant)
## Overview
Faust is the third most common ransomware type observed, responsible for 7.5% of incidents in H1 2024. The text notes it is a "new variant" potentially related to Phobos.
## Technical Details
- Type: Malware Family (Ransomware Variant)
- Platform: Not specified, likely Windows.
- Capabilities: Encryption and extortion.
- First Seen: Relative newcomer/variant in H1 2024.
## MITRE ATT&CK Mapping
- T1486 - Data Encrypted for Impact
## Functionality
Core ransomware impact focused on encryption and demanding ransom.
## Indicators of Compromise
No specifics provided in the text.
## Associated Threat Actors
- Operators utilizing the Faust/Phobos variant.
## Detection Methods
Standard ransomware detection techniques.
## Mitigation Strategies
Standard ransomware mitigation focused on backup and network security.
## Related Tools/Techniques
Potentially related to Phobos ransomware.
---
# Tool/Technique: Qilin (Ransomware)
## Overview
Qilin is the fourth most common ransomware strain identified in H1 2024, responsible for 6% of tracked incidents.
## Technical Details
- Type: Malware Family (Ransomware)
- Platform: Not specified, likely Windows.
- Capabilities: Encryption and extortion.
- First Seen: Active in this period.
## MITRE ATT&CK Mapping
- T1486 - Data Encrypted for Impact
## Functionality
Core ransomware impact focused on encryption and demanding ransom.
## Indicators of Compromise
No specifics provided in the text.
## Associated Threat Actors
- Qilin Operators.
## Detection Methods
Standard ransomware detection techniques.
## Mitigation Strategies
Standard ransomware mitigation focused on backup and network security.
## Related Tools/Techniques
N/A
---
# Artifact: Cobalt Strike (Third-Party Package)
## Overview
Cobalt Strike is a legitimate penetration testing tool often co-opted by threat actors as an artifact dropped onto targeted systems, frequently as part of post-exploitation activities.
## Technical Details
- Type: Attack Tool/Framework (Post-Exploitation C2)
- Platform: Cross-platform (Payload execution dependent on target OS).
- Capabilities: Command and Control (C2), execution, lateral movement, payload delivery.
- First Seen: Widely used since its initial release.
## MITRE ATT&CK Mapping
- T1071 - Application Layer Protocol (for C2 communication)
- T1573 - Encrypted Channel (for C2)
## Functionality
### Core Capabilities
- Establishing resilient Command and Control sessions.
- Executing staged payloads.
### Advanced Features
- Flexible communication via malleable C2 profiles.
- In-memory execution to evade disk-based detection.
## Indicators of Compromise
- File Hashes: N/A (specific beacon hashes change constantly).
- File Names: Varies greatly; often known beacon names or shellcode artifacts.
- Network Indicators: Communications often directed toward known C2 infrastructure, though often obfuscated or randomized.
## Associated Threat Actors
Widely used across numerous sophisticated threat groups.
## Detection Methods
- Signature-based detection: Effective against known malware signatures derived from Cobalt Strike payloads.
- Behavioral detection: Detecting characteristic beaconing patterns, named pipe usage, or reflective DLL injection.
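The "characteristic beaconing patterns" above come down to near-periodic outbound connections from one host to one destination. The following is an added example written for this page, not code from the report or from Cobalt Strike: it groups a constructed connection log by (source, destination), computes inter-arrival times, and flags pairs whose timing is too regular. Thresholds and addresses are illustrative (TEST-NET ranges).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound connection log as (epoch_seconds, source_host, destination);
# written for this example, not taken from the report. ws01 reaches one destination
# every ~60 s with small jitter, while ws02 browses at irregular times.
SAMPLE_CONNECTIONS = [
    (0, "ws01", "203.0.113.10:443"), (62, "ws01", "203.0.113.10:443"),
    (119, "ws01", "203.0.113.10:443"), (181, "ws01", "203.0.113.10:443"),
    (240, "ws01", "203.0.113.10:443"), (302, "ws01", "203.0.113.10:443"),
    (359, "ws01", "203.0.113.10:443"), (421, "ws01", "203.0.113.10:443"),
    (0, "ws02", "198.51.100.7:443"), (5, "ws02", "198.51.100.7:443"),
    (90, "ws02", "198.51.100.7:443"), (93, "ws02", "198.51.100.7:443"),
    (400, "ws02", "198.51.100.7:443"), (402, "ws02", "198.51.100.7:443"),
    (1200, "ws02", "198.51.100.7:443"), (1210, "ws02", "198.51.100.7:443"),
]

def interval_stats(timestamps):
    """Mean inter-arrival time and its coefficient of variation (std / mean).
    A low CV means the connections arrive on a near-fixed schedule."""
    times = sorted(timestamps)
    if len(times) < 2:
        return 0.0, float("inf")
    deltas = [b - a for a, b in zip(times, times[1:])]
    avg = mean(deltas)
    return avg, (pstdev(deltas) / avg if avg > 0 else float("inf"))

def beacon_candidates(connections, min_events=6, max_cv=0.15):
    """Group connections by (source, destination) and flag pairs that have enough
    events and a coefficient of variation below max_cv. Thresholds are
    illustrative and need tuning against the environment's own baseline."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        avg, cv = interval_stats(times)
        if cv <= max_cv:
            flagged[pair] = {"count": len(times), "interval": round(avg, 1), "cv": round(cv, 3)}
    return flagged
```

Legitimate software (update checks, telemetry agents) also beacons, so this is a triage signal to combine with destination reputation and the process-level indicators, not a verdict on its own.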
## Mitigation Strategies
- Prevention measures: Restricting outbound traffic to known hostile IPs/domains; using advanced EDR capable of detecting in-memory injection techniques.
- Hardening recommendations: Network egress filtering; deep packet inspection for C2 protocol anomalies.
## Related Tools/Techniques
Often deployed alongside tools like Mimikatz (credential access) post-initial network compromise.