JIZÔ NDR AND LOLBINS

Illustration of LOLBins attacks: living-off-the-land techniques detected by Sesame IT's Jizô NDR solution
13 March 2024

THE WONDERFUL WORLD OF LOLBINS

In the vast and complex universe of cybersecurity, threats are constantly evolving, pushing professionals to innovate and adapt their defense methods.

Among these threats, LOLBins (Living Off The Land Binaries) represent a particular challenge.

These legitimate executable files, present by default on operating systems, can be hijacked by attackers to conduct malicious activities without downloading additional malware, making their detection particularly difficult for traditional solutions.

This ability to "live off the land" by using resources already present on the target system makes LOLBins a valuable tool for cybercriminals, allowing them to evade detection by traditional antivirus software and operate under the radar.

Faced with this threat, Jizô NDR, one of the most widely adopted Network Detection and Response (NDR) systems on the market, plays a crucial role.

By monitoring network traffic in real time and applying behavioral analysis and artificial intelligence techniques, Jizô can identify suspicious activities that could indicate the use of LOLBins by an attacker.

This ability to detect abnormal behavior in real time is essential to counter sophisticated attacks that use discreet methods to compromise enterprise networks.

This blog article aims to explore in depth what LOLBins are, why they constitute a significant threat, and how NDR systems can detect them in real time.

Through detailed examples, we will examine the challenges posed by LOLBins and how Jizô NDR adapts to offer an additional layer of security in the fight against advanced cyberattacks.

By better understanding these aspects, cybersecurity professionals can strengthen their defenses and protect their networks against increasingly ingenious attack vectors.

UNDERSTANDING LOLBINS

LOLBins are tools or executable files that are an integral part of operating systems or commonly installed applications.

Initially designed for legitimate tasks, these files can be exploited by attackers to execute malicious commands, facilitate persistence, escalate privileges, or exfiltrate data — all without triggering the suspicion of traditional security solutions.

DETAILED DEFINITION OF LOLBINS

A LOLBin can be anything from a command interpreter like PowerShell or Bash, to system utilities like Task Scheduler (schtasks.exe) or the Windows Management Instrumentation command-line tool (WMIC).

Their legitimacy and near-universal presence on operating systems make them attractive attack vectors; they allow threat actors to blend into the normal environment of the target machine, making malicious activity indistinguishable from routine system operations.

EXAMPLES OF COMMONLY USED LOLBINS

  • PowerShell: frequently used to download and execute scripts or commands from the internet, facilitating both remote code execution and data exfiltration.
  • CertUtil: a certificate management utility that can be hijacked to download malicious files under the guise of downloading certificates.
  • Regsvr32: allows the execution of malicious scripts or code through DLL registration without triggering security mechanisms.

WHY LOLBINS ARE DIFFICULT TO DETECT

The main difficulty in detecting LOLBins lies in their legitimacy and their necessity for normal system operation.

Security solutions must distinguish between legitimate and malicious use of these tools, which requires advanced behavioral analysis and understanding of the execution context.

Attackers exploit this complexity by slightly modifying their attack methods to avoid detection, making the task even more arduous.

The sophistication of attacks using LOLBins requires security solutions to be constantly updated and adapted to recognize new exploitation techniques.

Effective detection therefore requires a combination of network traffic monitoring, behavioral analysis, and sometimes artificial intelligence to identify attack patterns.


THE CRUCIAL ROLE OF JIZÔ NDR IN LOLBIN DETECTION

NDR systems are an essential component of information security strategy due to their ability to monitor network traffic in real time and detect suspicious behaviors.

JIZÔ NDR, THE CYBER THREAT OBSERVABILITY PLATFORM FOR THE NETWORK

Jizô, the French NDR qualified by ANSSI, continuously analyzes network traffic to identify abnormal or malicious patterns.

By leveraging advanced techniques such as behavioral analysis, threat signatures, and sometimes artificial intelligence, Jizô can detect a wide range of threats, including zero-day attacks and suspicious activities that would go unnoticed by other types of security solutions.

REAL-TIME DETECTION

The ability to analyze and react to network traffic in real time distinguishes NDR from other security tools.

This feature is crucial for LOLBin detection, as it allows Jizô to capture and analyze suspicious commands and activities at the moment they occur, before the damage becomes irreversible.

Real-time detection also enables rapid intervention, minimizing the potential impact of an attack.

NDR ADVANTAGES AGAINST LOLBINS

One of the main advantages of NDR solutions in combating the malicious use of LOLBins is their ability to detect behavioral anomalies in network traffic.

Unlike solutions based solely on signatures, which require prior knowledge of a threat to detect it, NDR systems can identify suspicious activities even if the attack method has never been seen before.

This approach is particularly effective against LOLBins, whose usage can vary greatly from one attack to another.


LOLBIN DETECTION STRATEGIES WITH JIZÔ NDR

Effective detection of LOLBins by NDR systems requires a multidimensional approach, leveraging various analysis techniques.

These strategies include behavioral analysis, network traffic analysis, and the integration of artificial intelligence to refine detection and threat response.

BEHAVIORAL ANALYSIS

One of the most effective methods for detecting malicious use of LOLBins is behavioral analysis. This approach focuses on the identification of abnormal or suspicious behaviors within the network, which could indicate the exploitation of LOLBins by an attacker.

By analyzing usage patterns of systems and applications, NDR systems can identify deviations from the norm, such as unusual execution of PowerShell scripts toward other machines, or the use of system commands generating network traffic for activities that do not match typical usage profiles.

NETWORK TRAFFIC ANALYSIS

Network traffic analysis plays a crucial role in LOLBin detection, allowing Jizô to monitor and analyze traffic in real time to identify early warning signs of an attack.

For example, a sudden increase in network traffic toward unusual destinations or the transmission of large volumes of data at atypical hours may indicate malicious activity.

Jizô uses this information to alert security teams to potential incidents.

ARTIFICIAL INTELLIGENCE INTEGRATION

The integration of artificial intelligence and machine learning in Jizô considerably improves its ability to detect malicious use of LOLBins.

By learning from normal traffic and behavior patterns, AI can identify anomalies with improved accuracy, thus reducing the number of false positives and enabling a faster response to real threats.

This ability to adapt and learn from new threats over time is essential for combating the constantly evolving tactics of attackers.

PRACTICAL DETECTION EXAMPLES WITH NDR

To illustrate the effectiveness of these strategies, let's consider the case where an NDR detects abnormal use of certutil, a legitimate certificate management tool, increasingly used to download malicious components.

In an attack scenario, a cybercriminal could use certutil to download malicious software from a server controlled by the attacker. The process could be initiated by the execution of a malicious script or a remote command, following an initial system compromise.

Example command:

This command uses certutil to download a file (malware.exe) from a remote server and save it locally on the target system. The -f option forces the download even if the file already exists, and the -urlcache and -split options are used to manipulate the cache.

By identifying a specific command that does not correspond to the usual use of this tool in the enterprise context, Jizô can alert administrators to the possible presence of a threat.

Another example could be the detection of abnormal network communication initiated by a PowerShell script, suggesting a data exfiltration attempt.

In an attack scenario, an attacker who has compromised a system could use a PowerShell script to collect sensitive data and send it to an external server controlled by the attacker. This exfiltration could take several forms, such as file transfer or data streaming.

Example PowerShell script:

This script reads the contents of a sensitive data file and uses Invoke-RestMethod to send this data to an external server via an HTTP POST request. The use of legitimate commands for malicious activities makes detection difficult without in-depth behavioral analysis.
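As an added illustration (not Jizô's own detection logic, nor code from the article), the following Python triages constructed HTTP flow records for the two patterns just described: a certutil fetch of an executable from a host outside a certificate baseline, and a large PowerShell POST to an external host at an atypical hour. The log format, the baseline host set, the thresholds and the User-Agent heuristics are assumptions chosen for this example.

```python
"""Toy NDR-style triage for the two scenarios above: certutil fetching an
executable from a host outside the certificate baseline, and PowerShell POSTing
a large body to an external host at an atypical hour. All logs are constructed."""
from dataclasses import dataclass
from datetime import datetime

CERT_BASELINE = {"crl.microsoft.com", "ocsp.digicert.com"}  # assumed legit CRL/OCSP hosts
BUSINESS_HOURS = range(7, 20)   # assumed baseline: 07:00-19:59 local
POST_BYTES_THRESHOLD = 100_000  # bytes_out above this counts as "large" here

@dataclass
class Flow:  # one HTTP flow as a tab-separated log line would describe it
    ts: datetime; src: str; dst: str; method: str; path: str; ua: str; bytes_out: int; ctype: str

def parse(line: str) -> Flow:
    ts, src, dst, method, path, ua, nbytes, ctype = line.split("\t")
    return Flow(datetime.fromisoformat(ts), src, dst, method, path, ua, int(nbytes), ctype)

def certutil_misuse(f: Flow) -> bool:
    # certutil's HTTP client identifies itself as Microsoft-CryptoAPI; an executable
    # pulled from a non-certificate host does not match the tool's normal role.
    return (f.ua.startswith("Microsoft-CryptoAPI") and f.dst not in CERT_BASELINE
            and (f.path.lower().endswith(".exe") or f.ctype == "application/octet-stream"))

def powershell_exfil(f: Flow) -> bool:
    # PowerShell's web cmdlets put WindowsPowerShell in the User-Agent; a large POST
    # outside business hours is the exfiltration pattern described in the text.
    return ("WindowsPowerShell" in f.ua and f.method == "POST"
            and f.bytes_out > POST_BYTES_THRESHOLD and f.ts.hour not in BUSINESS_HOURS)

def triage(lines):
    """Return (line_index, rule_name) for every flow that trips a heuristic."""
    hits = []
    for i, line in enumerate(lines):
        f = parse(line)
        hits += [(i, r.__name__) for r in (certutil_misuse, powershell_exfil) if r(f)]
    return hits

SAMPLE_LOGS = [  # constructed: ts, src, dst, method, path, user_agent, bytes_out, content_type
    "2024-03-13T10:02:11\t10.0.0.5\tcrl.microsoft.com\tGET\t/pki/x.crl\tMicrosoft-CryptoAPI/10.0\t412\tapplication/pkix-crl",
    "2024-03-13T10:05:43\t10.0.0.5\t203.0.113.10\tGET\t/malware.exe\tMicrosoft-CryptoAPI/10.0\t380\tapplication/octet-stream",
    "2024-03-13T14:20:00\t10.0.0.7\tintranet.example\tPOST\t/api/report\tMozilla/5.0 WindowsPowerShell/5.1.19041.1\t250000\tapplication/json",
    "2024-03-13T02:17:09\t10.0.0.7\t203.0.113.10\tPOST\t/upload\tMozilla/5.0 WindowsPowerShell/5.1.19041.1\t5400000\tapplication/octet-stream",
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_LOGS):
        print(f"ALERT {rule}: {SAMPLE_LOGS[idx].split(chr(9))[:3]}")
```

The first and third sample flows are deliberately benign (a CRL fetch from a baseline host, an in-hours POST to an internal API) to show that the heuristics key on context, not on the tool name alone.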

CHALLENGES AND (RARE) LIMITATIONS

While NDR solutions play a crucial role in detecting malicious behaviors such as LOLBins or other sophisticated threats, it is clear that certain challenges and limitations remain.

False positives, the flagging of legitimate behavior as malicious, are an important one and indeed among the main challenges for NDR systems. Certain NDR solutions may incorrectly identify normal system activities as suspicious. This is why Jizô is continuously updated, both in its detection capabilities and in its AI algorithms.

But the adaptability of attackers, whose means and imagination are limitless, must not be overlooked. Cybercriminals continue to innovate, finding new ways to exploit LOLBins that can go undetected by current detection systems. The ability of attackers to quickly adapt to security countermeasures puts constant pressure on NDR systems to evolve.


TOWARD MORE EFFECTIVE DETECTION

As the threat landscape is constantly evolving, NDR systems must continuously adapt to recognize and respond to new techniques, such as those involving LOLBins.

This constant need for adaptation is the perfect illustration of what our teams do for Jizô by continuously integrating new artificial intelligence and machine learning algorithms, allowing it to learn from past attacks and adjust its detection models for future threats.

Jizô adopts a multi-layered approach to threat detection, combining behavioral analysis, traffic analysis, and artificial intelligence.
