Threat actors’ abuse of legitimate Microsoft tools rose by 51% in the first half of 2024 compared to 2023, according to Sophos’ latest Active Adversary Report.
The researchers observed 187 unique Microsoft Living Off the Land Binaries (LOLbins) used by threat actors in 190 cyber incidents analyzed in H1 2024. Over a third of them (64) appeared just once in the Sophos dataset.
LOLbins are abused-but-legitimate binaries already present on the machine or commonly downloaded from legitimate sources associated with the operating system. They are signed and unlikely to come to the attention of a system administrator when used in seemingly benign ways.
The most common Microsoft LOLbin used by attackers in H1 2024 was Remote Desktop Protocol (RDP), with just under 89% of cases showing some indication of RDP abuse.
This was followed by cmd.exe (76% of cases), PowerShell (71%) and net.exe (58%).
John Shier, Field CTO at Sophos, explained that abusing Microsoft LOLbins is proving an effective way for attackers to operate stealthily on networks.
“While abusing some legitimate tools might raise a few defenders’ eyebrows, and hopefully some alerts, abusing a Microsoft binary often has the opposite effect. Many of these abused Microsoft tools are integral to Windows and have legitimate uses, but it’s up to system administrators to understand how they are used in their environments and what constitutes abuse,” Shier explained.
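Shier's point that administrators must know how these binaries are normally used in their own environment is, in practice, a baselining problem. The following is an added example, not code from Sophos or the report: it learns which (tool, account) pairs are routine per host from a known-good window of constructed process-creation (event 4688) and RDP logon (event 4624, logon type 10) records, then flags recent uses of the four tools the report names that fall outside that baseline. Record field names are assumptions.

```python
# Added example: constructed 4688 (process creation) / 4624 (logon) records; field names are assumed.
from collections import defaultdict

# The four most common LOLbins the report names; RDP is tracked via logon events.
WATCHED = {"cmd.exe", "powershell.exe", "net.exe", "rdp"}

def tool_of(rec):
    """Map a raw record to a watched tool name, or None if not of interest."""
    if rec["event"] == 4624 and rec.get("logon_type") == 10:
        return "rdp"
    if rec["event"] == 4688:
        image = rec["image"].rsplit("\\", 1)[-1].lower()
        return image if image in WATCHED else None
    return None

def build_baseline(history):
    """Per-host set of (tool, user) pairs seen during a known-good window."""
    baseline = defaultdict(set)
    for rec in history:
        tool = tool_of(rec)
        if tool:
            baseline[rec["host"]].add((tool, rec["user"].lower()))
    return baseline

def find_deviations(baseline, recent):
    """Watched-tool events whose (host, tool, user) combination is absent from
    the baseline: a tool new to the host, or a new account driving it."""
    hits = []
    for rec in recent:
        tool = tool_of(rec)
        if tool is None:
            continue
        if (tool, rec["user"].lower()) not in baseline.get(rec["host"], set()):
            hits.append({"host": rec["host"], "user": rec["user"], "tool": tool})
    return hits

# Constructed data: admin1 routinely uses cmd and PowerShell over RDP on FS01.
HISTORY = [
    {"event": 4688, "host": "FS01", "user": "CORP\\admin1", "image": r"C:\Windows\System32\cmd.exe"},
    {"event": 4688, "host": "FS01", "user": "CORP\\admin1", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event": 4624, "host": "FS01", "user": "CORP\\admin1", "logon_type": 10},
    {"event": 4688, "host": "WS07", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\notepad.exe"},
]
RECENT = [
    {"event": 4688, "host": "FS01", "user": "CORP\\admin1", "image": r"C:\Windows\System32\cmd.exe"},  # routine
    {"event": 4624, "host": "WS07", "user": "CORP\\jdoe", "logon_type": 10},  # RDP never seen on WS07
    {"event": 4688, "host": "WS07", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe"},  # net.exe new on WS07
    {"event": 4688, "host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\cmd.exe"},  # new account for cmd
]
```

Running `find_deviations(build_baseline(HISTORY), RECENT)` returns the three non-routine records; a deviation is a prompt for investigation, not proof of abuse, since the baseline itself must come from a window you trust.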
The report also found a modest 12% increase in the use and variety of artifacts on targeted systems in H1 2024 compared to 2023, from 205 to 230.
Artifacts are third-party packages brought onto the system illegitimately by attackers, such as mimikatz, Cobalt Strike and AnyDesk.