Ebook

The LOLBAS Odyssey: Finding New LOLBAS, and How You Can, Too

16 pages

Pentera Labs explored ways to uncover new LOLBAS (Living-Off-the-Land Binaries and Scripts): legitimate system binaries that attackers abuse to evade detection. Using manual testing followed by automation, the researchers identified 12 new LOLBAS in four weeks, nine downloaders and three executors. Their automated method ran each candidate binary with simple command lines, monitored for outgoing HTTP GET requests to flag downloaders, and traced process trees to flag executors. They also proposed static analysis with IDAPython and AI-assisted tooling to scale discovery further. The study highlights how attackers expand their LOLBAS arsenals and urges defenders to anticipate such misuse proactively rather than wait for it to be catalogued.