{"id":6516,"date":"2019-07-05T23:05:23","date_gmt":"2019-07-05T23:05:23","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6516"},"modified":"2019-07-05T23:05:25","modified_gmt":"2019-07-05T23:05:25","slug":"bring-your-own-lolbas","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/07\/05\/bring-your-own-lolbas\/","title":{"rendered":"Bring your own lolbas?"},"content":{"rendered":"\n

Recently, I was wondering what is the best term for binaries\/scripts that are signed, can do the Lolbas<\/a> thing, but are not necessarily installed on the system.<\/p>\n\n\n\n

So far I have been covering many of these using a generic term ‘Re-usigned binaries’ (portmanteau of \u2018reuse\u2019 and \u2018signed\u2019). But it’s not catchy enough. Could a better term be ‘Bring your own lolbas\/lolbin’? BYOL? Kinda similar to Bring Your Own Vulnerability (BYOV)? In fact a BYOL is a subset of BYOV.<\/p>\n\n\n\n

I have covered many BYOL examples before<\/a>. And I believe there will be a lot more in the future. After a very fertile research period lolbin fans explored most of the native OS executables, DLLs, scripts. It’s a natural course of events that their eyes will eventually turn to the other stuff.<\/p>\n\n\n\n

The other stuff can be e.g. 7Zip program signed by legitimate companies. @Oddvarmoe<\/a> posted<\/a> about it on Twitter in April:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It triggered my interest and I set on a path to discover more instances of various 7zip components signed by legitimate companies. The results of a very basic research are very promising: there are plenty of these:<\/p>\n\n\n\n