Closing LOLBins security loopholes with SIEM

Living Off The Land Binaries (LOLBins) are tools and applications native to the operating system that attackers can exploit to perform malicious activities.

These utilities are legitimate components of the operating system, designed to perform administrative, maintenance, or operational tasks.

The cyber security implications

Because LOLBins are inherently trusted and often allowed by security software, attackers leverage them to bypass security measures, execute code, maintain persistence, and move laterally within a network without deploying external malicious software. This technique allows attackers to "live off the land," minimising their footprint and attempting to reduce the possibility of detection by the security team.

Certutil.exe

Certutil.exe is an excellent example of a LOLBin. It is a command-line utility that comes with Microsoft Windows and is intended for managing certificates on Windows systems. However, its functionalities, such as downloading, installing, and managing certificates, make it an attractive tool for attackers/red teams. They can misuse Certutil.exe utility application to download malware from a remote server, decode malicious files encoded to evade detection and execute malware while appearing as legitimate system activity.

Where SIEM comes in

In a world where cyber threats are increasingly sophisticated and pervasive, the importance of a robust SIEM system cannot be overstated. They serve as the cornerstone of many organisations’ cybersecurity strategies.

And yet, many struggle on with the sheer amount of data being provided through, mountains of false positives, spiralling costs, reduced budgets and resource.