Closing LOLBins security loopholes with SIEM

Attackers are exploiting native tools for malicious activities

Living Off The Land Binaries (LOLBins) are tools and applications native to the operating system that attackers can exploit to perform malicious activities.

These utilities are legitimate components of the operating system, designed to perform administrative, maintenance, or operational tasks.

The cyber security implications

Because LOLBins are inherently trusted and often allowed by security software, attackers leverage them to bypass security measures, execute code, maintain persistence, and move laterally within a network without deploying external malicious software. This technique allows attackers to "live off the land," minimising their footprint and attempting to reduce the possibility of detection by the security team.

Certutil.exe

Certutil.exe is an excellent example of a LOLBin. It is a command-line utility that comes with Microsoft Windows and is intended for managing certificates on Windows systems. However, its functionalities, such as downloading, installing, and managing certificates, make it an attractive tool for attackers/red teams. They can misuse Certutil.exe utility application to download malware from a remote server, decode malicious files encoded to evade detection and execute malware while appearing as legitimate system activity.

Where SIEM comes in

In a world where cyber threats are increasingly sophisticated and pervasive, the importance of a robust SIEM system cannot be overstated. They serve as the cornerstone of many organisations’ cybersecurity strategies.

And yet, many struggle on with the sheer amount of data being provided through, mountains of false positives, spiralling costs, reduced budgets and resource.

LogRhythm Axon Data Sheet

A cloud-native SaaS SIEM platform, it’s built for security teams that are stretched thin by overwhelming amounts of data and an ever-evolving threat landscape. It’s optimised for the analyst experience so its intuitive workflow gives them contextual analytics into cybersecurity threats to cut through noise and quickly and secure the environment.

This data sheet will answer a lot of your questions. If you have any more, you can book a Clinic session with one of their specialists.

About LogRhythm Axon

LogRhythm Axon offers a cloud-native SaaS SIEM platform. It blends the advantages of both SaaS and cloud-native approaches, freeing security teams from infrastructure management to focus on threat detection and response.

Related Stories
🎙️ InTheCloud Podcast Episode 2
🎙️ InTheCloud Podcast Episode 2

LogRhythm Axon's Guy Grieve untangles cloud-native SIEM.

InTheCloud Podcast Episode 1
InTheCloud Podcast Episode 1

LogRhythm Axon's Kevin Eley goes "off the record"

Transforming security for the modern digital landscape
SaaS and cloud-native
SaaS and cloud-native

Definitions and best practices

Why switch SIEM provider?
Why switch SIEM provider?

5 good reasons to make the shift

On-prem vs cloud native - what's your best SIEM?
On-prem vs cloud native - what's your best SIEM?

See which SIEM is right for you with this handy comparison table.

Getting in the security flow with LogRhythm Axon
Getting in the security flow with LogRhythm Axon

How to improve security analyst and SOC team experience.

5-day free trial of LogRhythm Axon
5-day free trial of LogRhythm Axon

Try out the leading cloud-native SIEM

Switching to cloud-native SIEM?
Switching to cloud-native SIEM?

10 factors that will make or break your SecOps success in the cloud.

It's time for LogWars!
It's time for LogWars!

Put your SIEM threat hunting skills to the test!

RhythmWorld Europe 2024
RhythmWorld Europe 2024

THE cybersecurity summit!

The unseen threats to critical data
The unseen threats to critical data

Bring them to the surface with LogRhythm Axon

Share this story