Full Report
Attackers are increasingly hiding in plain sight, using the same tools IT and security teams rely on for daily operations. This blog breaks down common techniques and provides recommendations to defenders.
Analysis Summary
# Tool/Technique: Living Off The Land Binaries (LOLBins)
## Overview
LOLBins are legitimate, built-in tools or software normally present on an operating system that threat actors abuse to perform malicious actions without downloading or installing custom malware. Because the binaries are signed, expected on the host, and often allow-listed, the activity blends into normal administration, evades file-based detection, and can support persistence.
## Technical Details
- Type: Technique/Category
- Platform: Primarily Windows (implied by the tools the report names, such as `whoami` and `PsExec`); the technique itself is OS-agnostic.
- Capabilities: Execution of commands, reconnaissance, credential access, process execution, data staging, network discovery.
- First Seen: N/A (This is an established adversary methodology)
## MITRE ATT&CK Mapping
Since LOLBins are a broad category, the mapping relates to the underlying techniques they enable:
- **TA0005 - Defense Evasion**
- T1218 - System Binary Proxy Execution (formerly "Signed Binary Proxy Execution")
- **TA0007 - Discovery**
- T1033 - System Owner/User Discovery (e.g., `whoami`)
- T1482 - Domain Trust Discovery (e.g., `nltest`)
- T1018 - Remote System Discovery (e.g., `nslookup`)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1569.002 - System Services: Service Execution (PsExec installs a temporary service on the target)
- **TA0008 - Lateral Movement**
- T1021.002 - Remote Services: SMB/Windows Admin Shares (PsExec over `ADMIN$`)
## Functionality
### Core Capabilities
* **Reconnaissance:** Using standard OS tools like `whoami`, `nltest`, and `nslookup` in rapid succession to map the environment.
* **Execution & Lateral Movement:** Utilizing legitimate administrative tools like `PsExec` to execute processes remotely, including on critical infrastructure like domain controllers.
### Advanced Features
* The primary advanced feature is **stealth** by leveraging pre-approved, trusted executables already present on the victim's system, making signature-based detection difficult.
## Indicators of Compromise
* File Hashes: [Not applicable as it concerns legitimate binaries]
* File Names: `whoami.exe`, `nltest.exe`, `nslookup.exe`, `PsExec.exe` (when used for unauthorized purposes; all are legitimate binaries, so the name alone is not an indicator).
* Registry Keys: [Not applicable]
* Network Indicators: [Not applicable, focused on internal command execution]
* Behavioral Indicators: Sequential execution of reconnaissance tools (`whoami`, `nltest`, `nslookup`) within seconds of each other by one account on one host, and during unusual hours (e.g., 2:13 a.m.); administrative tools such as PsExec run against core infrastructure (domain controllers) outside maintenance windows.
## Associated Threat Actors
* General threat actors across Ransomware and APT campaigns who leverage trusted administrative toolsets.
## Detection Methods
* Signature-based detection: [Ineffective against the binaries themselves]
* Behavioral detection: **Crucial.** Detect patterns rather than binaries: the specific sequence of system tools run consecutively by one account on one host; execution of these tools by users outside IT/security; execution during off-hours.
* YARA rules: [Not applicable for the technique itself, though they could be written for fileless payloads that *launch* these tools.]
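The recon-burst pattern above (several discovery LOLBins from one account on one host within seconds, scored higher when off-hours or from a non-IT account) as an added example, not code from the Talos post. The events are constructed in the shape of Sysmon Event ID 1 / Security 4688 process creation, reduced to the fields the rule needs; the business-hours range and the vetted IT account list are assumptions for this example.

```python
"""Behavioural detection of a LOLBin reconnaissance burst (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Recon binaries named in the report. Extending the set (net.exe, ipconfig.exe, ...)
# is the obvious tuning knob; keep it small to start or every helpdesk session fires.
RECON_BINARIES = {"whoami.exe", "nltest.exe", "nslookup.exe"}
WINDOW = timedelta(minutes=5)
BUSINESS_HOURS = range(7, 19)        # assumption: 07:00-18:59 local time
IT_ACCOUNTS = {"CORP\\it-admin"}     # assumption: vetted IT/security accounts

# Constructed sample events (ISO timestamps, local time).
SAMPLE_EVENTS = [
    # a helpdesk check during the day: one recon binary, vetted account -> no finding
    {"time": "2025-03-04T10:02:11", "host": "WS-114", "user": "CORP\\it-admin",
     "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /all"},
    # the 2:13 a.m. pattern from the report: three recon tools in twenty seconds
    {"time": "2025-03-04T02:13:02", "host": "WS-207", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /groups"},
    {"time": "2025-03-04T02:13:09", "host": "WS-207", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\nltest.exe", "cmd": "nltest /dclist:corp"},
    {"time": "2025-03-04T02:13:21", "host": "WS-207", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\nslookup.exe", "cmd": "nslookup -type=srv _ldap._tcp.corp.local"},
    # an isolated lookup hours later on another host -> no finding
    {"time": "2025-03-04T14:40:00", "host": "WS-301", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\nslookup.exe", "cmd": "nslookup intranet"},
]


def image_name(path):
    """Basename of an image path, lower-cased, so directory and casing do not matter."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_recon_bursts(events, window=WINDOW, min_distinct=2):
    """Return one finding per (host, user) that ran >= min_distinct distinct recon
    binaries within `window`. Each actor's runs are sorted by time, a window is slid
    from every run start, and the first window that qualifies produces the finding."""
    by_actor = defaultdict(list)
    for e in events:
        name = image_name(e["image"])
        if name in RECON_BINARIES:
            by_actor[(e["host"], e["user"])].append((datetime.fromisoformat(e["time"]), name))
    findings = []
    for (host, user), runs in by_actor.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            in_window = [r for r in runs[i:] if r[0] - t0 <= window]
            distinct = {name for _, name in in_window}
            if len(distinct) < min_distinct:
                continue
            score = len(distinct)
            reasons = [f"{len(distinct)} distinct recon binaries within {window}"]
            if t0.hour not in BUSINESS_HOURS:
                score += 2
                reasons.append(f"started off-hours at {t0:%H:%M}")
            if user not in IT_ACCOUNTS:
                score += 2
                reasons.append("account is not a vetted IT/security account")
            findings.append({"host": host, "user": user, "start": t0.isoformat(),
                             "sequence": [name for _, name in in_window],
                             "score": score, "reasons": reasons})
            break   # one finding per actor is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_recon_bursts(SAMPLE_EVENTS):
        print(f["score"], f["host"], f["user"], f["start"], " -> ".join(f["sequence"]))
```

The window and the minimum number of distinct binaries are the two knobs to tune against a baseline: a single `whoami` from a vetted account at 10:02 never fires, while the constructed 2:13 a.m. burst scores 3 (three tools) + 2 (off-hours) + 2 (non-IT account).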
## Mitigation Strategies
* Asset management: Maintain strict inventories to know which tools should be running where.
* Behavioral baselining: Establish a clear normal baseline for system command execution patterns.
* Continuous monitoring: Configure SIEM/EDR to flag deviations from these baselines, especially concerning the time and sequence of administrative tool usage.
* Threat intel alignment: Monitor emerging trends (like the rise of DonPAPI) to inform logging requirements.
## Related Tools/Techniques
* **DonPAPI:** Open-source tool for remote credential dumping (DPAPI extraction).
* **PsExec:** Legitimate Sysinternals tool often misused for remote execution and lateral movement.
* **Remote Monitoring and Management (RMM) Tools:** Commercial tools like ScreenConnect or AnyDesk, also used post-compromise for persistence.
* **Other commercial or dual-use tools:** HRSword (a legitimate security utility abused to disable endpoint protection), Remcos RAT and Cobalt Strike (commercial offerings used alongside, or in place of, direct LOLBin use).
***
# Tool/Technique: DonPAPI
## Overview
DonPAPI is an open-source tool observed in recent incident response engagements that automates remote credential dumping from Windows Data Protection API (DPAPI) storage across multiple hosts at once. It harvests DPAPI-protected secrets that are then used for lateral movement and environment mapping.
## Technical Details
- Type: Tool (Open-Source)
- Platform: Windows
- Capabilities: Automates DPAPI credential dumping, locates credentials protected by DPAPI (Wi-Fi keys, RDP passwords, browser credentials).
- First Seen: N/A (Recent surge in use noted in 2025 engagements)
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores (DPAPI-protected secrets read from disk)
- T1555.003 - Credentials from Web Browsers (browser saved logins)
- T1555.004 - Windows Credential Manager (RDP and other stored credentials)
- T1552 - Unsecured Credentials (e.g., Wi-Fi profile keys)
- T1003.004 - OS Credential Dumping: LSA Secrets (the `DPAPI_SYSTEM` secret needed to decrypt machine-scope master keys; DonPAPI reads DPAPI blobs from disk rather than dumping LSASS memory, so T1003.001 does not apply)
- **TA0008 - Lateral Movement**
- T1021 - Remote Services (authenticating elsewhere with the harvested credentials)
## Functionality
### Core Capabilities
* Locates and retrieves Windows DPAPI-protected credentials across the network.
* Searches for sensitive credential stores (Wi-Fi keys, RDP passwords, browser saved credentials).
### Advanced Features
* Automation capability allows for efficient remote credential harvesting across numerous machines simultaneously.
* Publicly available on code-hosting sites, so actors can incorporate it with no development effort.
## Indicators of Compromise
* File Hashes: [Not provided]
* File Names: [Not provided]
* Registry Keys: [Not provided]
* Network Indicators: [Not provided]
* Behavioral Indicators: One source reading DPAPI material over administrative shares on many hosts in quick succession (user master keys under `%APPDATA%\Microsoft\Protect`, credential blobs under `Microsoft\Credentials`, browser profile files, Wi-Fi profile XML), LSA secret retrieval over RPC from the same source, and authentication with the harvested credentials shortly afterward.
## Associated Threat Actors
* Adversaries observed in Cisco Talos IR engagements involving credential theft.
## Detection Methods
* Behavioral detection: Monitoring for tools interacting with DPAPI-protected data at scale, especially remotely: the fan-out of admin-share file reads targeting credential paths from a single source is a better signal than a signature for the tool binary.
* Threat intel alignment: Watching for artifacts related to the tool's presence or execution patterns described in threat intelligence reporting.
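The fan-out detection described above as an added example, not DonPAPI's code or the Talos post's. It assumes that a remote harvester reads the on-disk DPAPI material (master keys, credential blobs, browser and Wi-Fi profiles) over SMB administrative shares, which Windows records as Security Event 5145 (detailed file share access) when file-share object auditing is enabled; the events below are constructed in that shape, and the thresholds are assumptions.

```python
"""Fan-out detection for remote DPAPI credential harvesting (added example)."""
import re
from collections import defaultdict

# Each pattern is tagged with the kind of DPAPI material it protects. ADMIN$ maps to
# %SystemRoot%, so the SYSTEM master-key path may arrive without its "Windows\" prefix.
DPAPI_PATHS = [
    ("user-masterkey", re.compile(r"Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Protect\\", re.I)),
    ("credential-blob", re.compile(r"Users\\[^\\]+\\AppData\\(Roaming|Local)\\Microsoft\\Credentials\\", re.I)),
    ("system-masterkey", re.compile(r"(Windows\\)?System32\\Microsoft\\Protect\\", re.I)),
    ("wifi-profile", re.compile(r"ProgramData\\Microsoft\\Wlansvc\\Profiles\\Interfaces\\", re.I)),
    ("browser-profile", re.compile(r"AppData\\Local\\Google\\Chrome\\User Data\\(Local State|Default\\Login Data)$", re.I)),
]
ADMIN_SHARES = {"C$", "ADMIN$"}

# Constructed Event 5145 records: source address, target host, share name, relative path.
SAMPLE_5145 = [
    # an ordinary document read over C$ -> ignored
    {"src_ip": "10.0.9.10", "target": "WS-101", "share": r"\\*\C$",
     "path": r"Users\jdoe\Documents\report.docx"},
    # one source sweeping DPAPI material across four hosts
    {"src_ip": "10.0.5.23", "target": "WS-101", "share": r"\\*\C$",
     "path": r"Users\jdoe\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1105\e0c1f2a3-0000-4000-8000-123456789abc"},
    {"src_ip": "10.0.5.23", "target": "WS-101", "share": r"\\*\C$",
     "path": r"Users\jdoe\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D"},
    {"src_ip": "10.0.5.23", "target": "WS-102", "share": r"\\*\C$",
     "path": r"Users\asmith\AppData\Roaming\Microsoft\Protect\S-1-5-21-1111-2222-3333-1203\9a8b7c6d-0000-4000-8000-abcdef012345"},
    {"src_ip": "10.0.5.23", "target": "WS-102", "share": r"\\*\C$",
     "path": r"Users\asmith\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"src_ip": "10.0.5.23", "target": "WS-103", "share": r"\\*\ADMIN$",
     "path": r"System32\Microsoft\Protect\S-1-5-18\User\0f1e2d3c-0000-4000-8000-0123456789ab"},
    {"src_ip": "10.0.5.23", "target": "WS-104", "share": r"\\*\C$",
     "path": r"ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{8b2c1d3e-0000-4000-8000-0a1b2c3d4e5f}\{11111111-2222-3333-4444-555555555555}.xml"},
]


def classify_path(path):
    """Return the kind of DPAPI material a share path points at, or None."""
    for kind, pattern in DPAPI_PATHS:
        if pattern.search(path):
            return kind
    return None


def detect_dpapi_sweep(events, min_hosts=3, min_kinds=2):
    """Aggregate admin-share reads of DPAPI paths per source address and flag a source
    whose fan-out (distinct target hosts) or breadth (distinct kinds of material) looks
    like automated harvesting rather than one user's own session."""
    per_source = defaultdict(lambda: {"hosts": set(), "kinds": set(), "reads": 0})
    for e in events:
        share = e["share"].rsplit("\\", 1)[-1].upper()
        kind = classify_path(e["path"])
        if share not in ADMIN_SHARES or kind is None:
            continue
        rec = per_source[e["src_ip"]]
        rec["hosts"].add(e["target"])
        rec["kinds"].add(kind)
        rec["reads"] += 1
    findings = []
    for src, rec in per_source.items():
        wide = len(rec["hosts"]) >= min_hosts
        broad = len(rec["hosts"]) >= 2 and len(rec["kinds"]) >= min_kinds
        if wide or broad:
            findings.append({"src_ip": src, "hosts": sorted(rec["hosts"]),
                             "kinds": sorted(rec["kinds"]), "reads": rec["reads"]})
    return findings


if __name__ == "__main__":
    for f in detect_dpapi_sweep(SAMPLE_5145):
        print(f["src_ip"], len(f["hosts"]), "hosts", ", ".join(f["kinds"]))
```

The breadth rule catches a slow sweep that touches only two hosts but several kinds of material; the fan-out rule catches a fast one. Both depend on 5145 auditing being on for the admin shares, which is the logging requirement the mitigation list refers to.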
## Mitigation Strategies
* Strict access controls to prevent remote tool execution or execution of unvetted open-source tools.
* Strong credential hygiene and monitoring for the theft/exfiltration of protected credential stores.
## Related Tools/Techniques
* Mimikatz (also mentioned for credential theft).
* LOLBins used for initial remote execution to deploy DonPAPI.
***
# Tool/Technique: Mimikatz
## Overview
Mimikatz is a well-known, powerful tool often used by threat actors to steal credentials (passwords, hashes, Kerberos tickets) from various components of the Windows operating system, most famously from LSASS memory.
## Technical Details
- Type: Tool
- Platform: Windows
- Capabilities: Credential extraction, credential dumping, token manipulation.
- First Seen: circa 2007 (Benjamin Delpy's tool; general knowledge, not specified in the article)
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping
- T1003.001 - OS Credential Dumping: LSASS Memory
## Functionality
### Core Capabilities
* Stealing credentials from memory.
### Advanced Features
* Broad capability to extract various forms of authentication material (hashes, cleartext passwords, Kerberos tickets).
## Indicators of Compromise
* File Hashes: [Not provided]
* File Names: [Not provided]
* Registry Keys: [Not applicable]
* Network Indicators: [Not provided]
* Behavioral Indicators: A process opening a handle to `lsass.exe` with memory-read access (Sysmon Event ID 10), typically from an unsigned binary or one running from a user-writable path.
## Associated Threat Actors
* Popular tool used broadly across Ransomware and APT campaigns.
## Detection Methods
* Behavioral detection: Monitoring for processes opening LSASS or other security processes with memory-read/write access rights, and for LSASS dump files being written.
* Signature-based: Often signatured, though packers and obfuscation are common, and in-memory loaders never write the binary to disk.
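The LSASS-access behavioural check from the list above as an added example, not from the Talos post or the Mimikatz project. Sysmon Event ID 10 (ProcessAccess) records which process opened a handle to which target and the access mask it was granted; Mimikatz's `sekurlsa` module needs to read LSASS memory, so the interesting bits are `PROCESS_VM_READ` (0x0010) and its neighbours, not the query-only masks (0x1000, 0x1400) many benign processes use. The events and the allow-list are constructed for this example.

```python
"""Scoring LSASS handle requests from Sysmon Event ID 10 (added example)."""

LSASS = r"c:\windows\system32\lsass.exe"

# Process access rights that let a caller read or tamper with LSASS memory.
ACCESS_FLAGS = {
    "PROCESS_CREATE_THREAD": 0x0002,
    "PROCESS_VM_OPERATION": 0x0008,
    "PROCESS_VM_READ": 0x0010,
    "PROCESS_VM_WRITE": 0x0020,
    "PROCESS_DUP_HANDLE": 0x0040,
}

# assumption: images that legitimately read LSASS in this environment (AV/EDR, OS)
ALLOWED_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}

# Constructed Sysmon 10 records. CallTrace shows UNKNOWN(...) for return addresses
# that are not backed by a loaded module, i.e. injected or manually mapped code.
SAMPLE_EVENT10 = [
    # query-only access from svchost: harmless
    {"source": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1000", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4"},
    # Defender reading LSASS: allow-listed
    {"source": r"C:\Program Files\Windows Defender\MsMpEng.exe", "target": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1fffff", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4"},
    # binary in a user temp dir asking for VM_READ, from code not backed by any module
    {"source": r"C:\Users\jdoe\AppData\Local\Temp\m.exe", "target": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1010", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|UNKNOWN(00000000004A1F30)"},
    # full-access request of the kind a dumping utility makes
    {"source": r"C:\Windows\Temp\pd64.exe", "target": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1fffff", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4|C:\Windows\System32\KERNELBASE.dll+2c1a5"},
    # same suspicious image, but a different target process: not LSASS, ignore
    {"source": r"C:\Users\jdoe\AppData\Local\Temp\m.exe", "target": r"C:\Windows\explorer.exe",
     "granted_access": "0x1010", "call_trace": r"C:\Windows\SYSTEM32\ntdll.dll+9d2a4"},
]


def score_lsass_access(event):
    """Return a finding for a suspicious LSASS handle request, else None."""
    if event["target"].lower() != LSASS:
        return None
    source = event["source"].lower()
    if source in ALLOWED_SOURCES:
        return None
    access = int(event["granted_access"], 16)
    rights = [name for name, flag in ACCESS_FLAGS.items() if access & flag]
    if not rights:
        return None        # query-only handle, not a memory read
    reasons = list(rights)
    score = len(rights)
    if "UNKNOWN" in event.get("call_trace", ""):
        score += 3         # call originated in memory not backed by a loaded module
        reasons.append("unbacked code in call trace")
    if "\\temp\\" in source or "\\appdata\\" in source:
        score += 2
        reasons.append("source image in a user-writable location")
    return {"source": event["source"], "access": hex(access), "score": score, "reasons": reasons}


def triage(events):
    """Run every event through the scorer and return findings, highest score first."""
    hits = [f for f in (score_lsass_access(e) for e in events) if f]
    return sorted(hits, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENT10):
        print(f["score"], f["access"], f["source"], "; ".join(f["reasons"]))
```

Two things the mask-only version would miss are folded in: a call trace containing `UNKNOWN` frames points at injected or reflectively loaded code, and a source image under `Temp` or `AppData` is one the attacker could write. The allow-list is the maintenance burden; keep it to signed vendor paths and review it when the EDR is upgraded.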
## Mitigation Strategies
* Credential Guard or LSA Protection (`RunAsPPL`) so that unprotected processes cannot read LSASS memory.
* Principle of Least Privilege.
## Related Tools/Techniques
* DonPAPI (similar goal of credential harvesting).
***
# Tool/Technique: PsExec
## Overview
PsExec is a legitimate command-line tool from the Microsoft Sysinternals suite used to launch processes on remote systems. In malicious contexts, it is used for remote execution and lateral movement without installing custom malware.
## Technical Details
- Type: Tool (Legitimate administrative utility often abused)
- Platform: Windows
- Capabilities: Remote process execution, command execution on target systems.
- First Seen: N/A (Part of Sysinternals suite)
## MITRE ATT&CK Mapping
- **TA0002 - Execution**
- T1569.002 - System Services: Service Execution (PsExec installs and starts a temporary service on the target)
- **TA0008 - Lateral Movement**
- T1021.002 - Remote Services: SMB/Windows Admin Shares (the service binary is copied over `ADMIN$`)
## Functionality
### Core Capabilities
* Enables the execution of processes on remote computers using administrative shares.
### Advanced Features
* Integrates seamlessly into Windows environments as it is trusted software.
## Indicators of Compromise
* File Hashes: [Not applicable]
* File Names: `PsExec.exe` on the source host; `PSEXESVC.exe` written to `%SystemRoot%` on the target (the service name is also `PSEXESVC` unless the operator renames it with `-r`).
* Registry Keys: `HKCU\Software\Sysinternals\PsExec\EulaAccepted` on the source host after `-accepteula`.
* Network Indicators: SMB connections to `ADMIN$` on the target, followed by service control over RPC and named pipes of the form `\PSEXESVC-<client host>-<pid>-stdin/-stdout/-stderr`.
* Behavioral Indicators: Execution observed on sensitive servers like Domain Controllers during non-maintenance windows through PsExec.
## Associated Threat Actors
* Broadly used by adversaries across various campaigns for lateral movement.
## Detection Methods
* Behavioral detection: Monitoring PsExec execution context, source, and particularly the target system (e.g., Domain Controller).
* Configuration monitoring: Auditing service installation on the target (System Event ID 7045, Security Event ID 4697) for `PSEXESVC` or for any service whose image path sits directly in `%SystemRoot%`, and named-pipe creation (Sysmon Event ID 17) matching the PsExec pipe pattern, which survives a renamed service.
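The service-install and named-pipe correlation described above as an added example, not from the Talos post or Sysinternals. Running a command with PsExec copies `PSEXESVC.exe` over `ADMIN$`, installs it as a service (System Event 7045 / Security 4697) and talks to it over pipes named `<service>-<client host>-<pid>-stdin/-stdout/-stderr` (Sysmon Event 17 records their creation); `-r` renames the service, so the pipe suffix is the more durable tell. The events, the domain-controller list and the maintenance window are constructed assumptions for this example.

```python
"""Correlating PsExec artifacts per target host (added example)."""
import re
from collections import defaultdict
from datetime import datetime

DOMAIN_CONTROLLERS = {"DC01", "DC02"}     # assumption: from the asset inventory
MAINTENANCE_HOURS = range(22, 24)         # assumption: 22:00-23:59 local time

PSEXEC_SERVICE = re.compile(r"^PSEXESVC$", re.I)
SERVICE_IN_SYSTEMROOT = re.compile(r"^%SystemRoot%\\[^\\]+\.exe$", re.I)
# Loose on purpose: anything shaped <name>-<number>-stdin/stdout/stderr at the pipe root.
PSEXEC_PIPE = re.compile(r"^\\[^\\]+-\d+-(stdin|stdout|stderr)$", re.I)

# Constructed events: System 7045 (service installed) and Sysmon 17 (pipe created).
SAMPLE_EVENTS = [
    # IT runs PsExec against a workstation inside the maintenance window
    {"time": "2025-03-03T22:30:00", "host": "WS-055", "event": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # stock PsExec against a domain controller at 02:40
    {"time": "2025-03-04T02:40:12", "host": "DC01", "event": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2025-03-04T02:40:13", "host": "DC01", "event": 17,
     "pipe": r"\PSEXESVC-WS207-4412-stdin"},
    # renamed service (psexec -r helper) against the second DC: only the pipe gives it away
    {"time": "2025-03-04T03:05:40", "host": "DC02", "event": 7045,
     "service": "helper", "image": r"%SystemRoot%\helper.exe"},
    {"time": "2025-03-04T03:05:41", "host": "DC02", "event": 17,
     "pipe": r"\helper-WS207-5120-stdout"},
    # an ordinary vendor service install elsewhere: no PsExec indicator
    {"time": "2025-03-04T09:15:00", "host": "WS-301", "event": 7045,
     "service": "VendorAgent", "image": r"C:\Program Files\Vendor\agent.exe"},
]


def indicator(event):
    """Classify one event as a PsExec indicator: strong (service or pipe), weak, or None."""
    if event["event"] == 7045:
        if PSEXEC_SERVICE.match(event["service"]):
            return "psexec-service"
        if SERVICE_IN_SYSTEMROOT.match(event["image"]):
            return "service-in-systemroot"    # weak: what a renamed PsExec service looks like
    elif event["event"] in (17, 18) and PSEXEC_PIPE.match(event["pipe"]):
        return "psexec-pipe"
    return None


def detect_psexec(events, dcs=DOMAIN_CONTROLLERS, maintenance=MAINTENANCE_HOURS):
    """Fold indicators per target host; require a strong indicator, then weight by
    whether the target is a DC and whether the activity fell outside maintenance."""
    per_host = defaultdict(lambda: {"indicators": set(), "first": None})
    for e in events:
        ind = indicator(e)
        if ind is None:
            continue
        rec = per_host[e["host"]]
        rec["indicators"].add(ind)
        t = datetime.fromisoformat(e["time"])
        rec["first"] = t if rec["first"] is None else min(rec["first"], t)
    findings = []
    for host, rec in per_host.items():
        inds = rec["indicators"]
        if "psexec-service" in inds:
            kind = "psexec"
        elif "psexec-pipe" in inds:
            kind = "psexec-renamed"
        else:
            continue       # a lone service in %SystemRoot% is not enough on its own
        severity, reasons = 1, [kind]
        if host in dcs:
            severity += 2
            reasons.append("target is a domain controller")
        if rec["first"].hour not in maintenance:
            severity += 1
            reasons.append(f"outside maintenance window ({rec['first']:%H:%M})")
        findings.append({"host": host, "severity": severity, "reasons": reasons})
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


if __name__ == "__main__":
    for f in detect_psexec(SAMPLE_EVENTS):
        print(f["severity"], f["host"], "; ".join(f["reasons"]))
```

The workstation case still produces a low-severity record rather than nothing, so legitimate PsExec use by IT stays visible for baselining; the two domain-controller cases rank at the top, including the renamed one that a rule keyed only on the `PSEXESVC` name would miss.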
## Mitigation Strategies
* Restrict access to administrative shares (e.g., `C$`, `ADMIN$`) and limit which accounts hold local administrator rights across many hosts, since PsExec needs both.
* Use alternative, more auditable remote execution methods if necessary, or strictly limit who can run PsExec.
## Related Tools/Techniques
* RMM Tools (e.g., ScreenConnect, AnyDesk) used for similar remote access purposes.
* Other LOLBins used for execution.