LOLBin (living-off-the-land binary) abuse is a technique that hackers use to carry out attacks on a system by using programs (executables or binaries) already installed on that system. These programs are not malicious in themselves, so they are trusted by the system’s administrators and advanced users.
Hackers perform malicious actions without raising suspicion by taking advantage of these trusted programs. This allows them to bypass security measures designed to catch and stop malicious software, because hackers do not need to inject additional software or tools into the victim’s system.
How LOLBin techniques work
- Evasion of security controls. LOLBin techniques can bypass security solutions that primarily focus on detecting known malicious files or signatures, because the binary being executed is a legitimate, often signed, system component. This makes it difficult for security tools to identify and block these attacks.
- Exploitation of trusted privileges. LOLBins often carry the trusted privileges associated with legitimate binaries. By misusing these programs, attackers can gain unauthorized access, escalate their privileges, or execute malicious commands with elevated rights, potentially causing significant damage to the system or network.
- Post-exploitation activities. LOLBin abuse enables attackers to perform various post-exploitation activities, such as reconnaissance, lateral movement within a network, data exfiltration, or the deployment of additional malware.
- Difficulty in detection and attribution. Identifying malicious behavior within a trusted binary requires advanced security monitoring and analysis techniques. Determining the attacker’s identity can be more complex due to the lack of specific tools or malware signatures.
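Because the binary itself is trusted, detection has to look at behaviour rather than file signatures: who launched the program, what arguments it received, and where the files it touches live. The following Python example is added here as an illustration and is not code from the original page; the watchlist of Windows binaries, the list of document-handling parent processes, the heuristics and the sample telemetry are all assumptions constructed for this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumed watchlist of signed Windows system binaries commonly catalogued as LOLBins.
WATCHLIST = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
             "powershell.exe", "bitsadmin.exe", "wscript.exe"}
# Assumed set of parents that should rarely spawn system utilities directly.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
USER_PATH_RE = re.compile(r"\\users\\[^\\]+\\appdata\\|%temp%|\\temp\\", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str  # command line of the created process

def analyse(event: ProcEvent) -> list[str]:
    """Return the behavioural reasons an event looks like LOLBin abuse (empty = benign)."""
    name = event.image.rsplit("\\", 1)[-1].lower()
    if name not in WATCHLIST:
        return []  # not a binary we watch; a signature scanner would also see nothing
    reasons = []
    if event.parent.rsplit("\\", 1)[-1].lower() in DOCUMENT_HANDLERS:
        reasons.append("launched by document handler")
    if URL_RE.search(event.cmdline):
        reasons.append("command line contains URL")
    if USER_PATH_RE.search(event.cmdline):
        reasons.append("references user-writable path")
    return reasons

def flag_events(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index every event that has at least one behavioural reason to investigate."""
    return [(i, r) for i, e in enumerate(events) if (r := analyse(e))]

# Constructed sample process-creation telemetry (not real logs).
SAMPLE = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -verify C:\Certs\corp-root.cer"),            # routine admin use
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\mshta.exe", r"mshta https://example.invalid/page.hta"),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              r"svchost -k netsvcs"),                                  # not on the watchlist
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\Users\alice\AppData\Local\Temp\x.dll,Start"),
]

if __name__ == "__main__":
    for idx, reasons in flag_events(SAMPLE):
        print(idx, SAMPLE[idx].image, "->", "; ".join(reasons))
```

The first event is the same trusted binary as a genuine LOLBin case and is left alone, which is the point: the decision rests on context, not on the file.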