{"id":6867,"date":"2019-11-01T00:47:01","date_gmt":"2019-11-01T00:47:01","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6867"},"modified":"2019-11-01T00:47:02","modified_gmt":"2019-11-01T00:47:02","slug":"quo-vadis-lolbin","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/11\/01\/quo-vadis-lolbin\/","title":{"rendered":"Quo Vadis, Lolbin"},"content":{"rendered":"\n<p>I sometimes wonder what Lolbin really means. Most of us assume that a binary or script listed in this context is always &#8216;trusted&#8217;, and that the trust &#8216;bit&#8217; comes from a very reputable source: the binary\/script is signed, which means it will run unchallenged under most of the controls meant to stop it (EDR, AppLocker, etc.).<\/p>\n\n\n\n<p>However&#8230;<\/p>\n\n\n\n<p>Over the last 30 years many reputable software releases shipped unsigned, and they still rely on and build upon this silly concept of &#8216;trust&#8217;. And the &#8216;trust&#8217; is not only built around an Authenticode signature; often it is also a side-effect of a simple act of &#8216;belonging&#8217;.<\/p>\n\n\n\n<p>What do I mean by this?<\/p>\n\n\n\n<p>If a binary has a hash that falls into a &#8216;clean&#8217; category (nowadays typically checked against the NIST NSRL, MSDN and other &#8216;clean&#8217; hash sets), then it is most likely good&#8230;<\/p>\n\n\n\n<p>This opens up opportunities that are easy to overlook: unsigned, &#8216;good&#8217; files that no AV\/AI\/ML engine detects, and that remain in circulation, can be dropped and re-purposed to deliver a &#8216;bypass &lt;insert the engine>&#8217; blow. There are actually many of them. 
<\/p>\n\n\n\n<p>Time for an example&#8230;<\/p>\n\n\n\n<p>While installing an old version of MS Access 2003 on my VM guest test system I noticed that one of the binaries used by the setup program is called <a href=\"https:\/\/www.virustotal.com\/gui\/file\/0e73eb859f59b29535d29e5237fe8afe694293183f5e37bbe5e7794bc4fe5f9b\/detection\">SHELEXEC.EXE<\/a>. The only function of this small program is to execute the command passed to it on its command line, and it does so via a call to the <em>ShellExecuteA<\/em> API (and since ShellExecute resolves its target through the shell, that target can be an executable, a script, a document or a URL with a registered handler):<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" loading=\"lazy\" width=\"694\" height=\"71\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/shellexec1.png\" alt=\"\" class=\"wp-image-6868\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/shellexec1.png 694w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2019\/11\/shellexec1-300x31.png 300w\" sizes=\"(max-width: 694px) 100vw, 694px\" \/><\/figure>\n\n\n\n<p>This is Lolbin functionality <em><a href=\"https:\/\/en.wikipedia.org\/wiki\/Nascent_state_(chemistry)\">in statu nascendi<\/a><\/em>.<\/p>\n\n\n\n<p>And while this may look like a non-issue, there are at least two points worth highlighting:<\/p>\n\n\n\n<ul><li>Any binary (whether signed or unsigned) can be a LolBin<\/li><li>Even if program execution is limited to &#8216;signed only&#8217; or &#8216;reputation=good&#8217; binaries, there is a high chance that some old-school binaries deemed &#8216;good&#8217; for many years can be abused to run something bad; i.e. 
reputation is a double-edged sword; just because most of a million systems have shown this binary being used for good purposes over the last 20 years doesn&#8217;t mean it cannot be used for nefarious purposes; the &#8216;maliciousness&#8217; of a file has a completely different meaning today than it did, say, 20 years ago (context matters)<\/li><\/ul>\n\n\n\n<p>The bottom line is: many &#8216;clean&#8217;, &#8216;well-known-for-years&#8217; executables can be used to run other executables and code, whether they themselves are signed or not. This is still a very under-explored area&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I sometimes wonder what Lolbin really means. Most of us assume that a binary or script listed in this context is always &#8216;trusted&#8217;, and that the trust &#8216;bit&#8217; comes from a very reputable source: the binary\/script is signed &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2019\/11\/01\/quo-vadis-lolbin\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6867"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=6867"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6867\/revisions"}],"predecessor-version":[{"id":6869,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/6867\/revisions\/6869"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=6867"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=6867"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=6867"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
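The post's "context matters" point, as an added detection example that is not part of the original post: a small Python hunt over process-creation records whose field names are modelled on Sysmon Event ID 1. The records, the "clean" hash set and the path and argument lists below are constructed for illustration, and the hashes are placeholders rather than real digests. The rule deliberately looks only at parents whose hash a reputation allowlist would pass, which is exactly the SHELEXEC.EXE situation described above, and then scores the context instead of the hash: where the parent runs from, what it spawns, and what the child's command line looks like.

```python
"""Hunt for reputation-"clean" helper binaries being used as launchers.

Added example, not code from the original post. The hash set, the path
lists and the process-creation records are constructed for illustration;
the hashes are placeholders, not real digests.
"""
from typing import Optional

# Constructed stand-in for a "known good" hash set (NSRL / vendor-media style).
# Keys are placeholder SHA-256 strings, values the file each one represents.
CLEAN_HASHES = {
    "0" * 63 + "1": "shelexec.exe",   # the Access 2003 setup helper from the post
    "0" * 63 + "2": "explorer.exe",
}

# Children that will run whatever command line they are handed.
CODE_EXEC_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe",
}

# Parents for which spawning an interpreter is routine; excluded to keep noise down.
EXPECTED_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe", "setup.exe"}

# Locations an unprivileged user can write to; a "clean" binary sitting here
# was most likely brought along by whoever is abusing it.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Command-line fragments worth a second look in the spawned child.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "downloadstring", "invoke-expression", "iex ")


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def assess(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None.

    Only parents whose hash is in CLEAN_HASHES are considered: those are
    exactly the ones a reputation-only control would wave through.
    """
    parent_path = event.get("ParentImage", "")
    parent = basename(parent_path)
    child = basename(event.get("Image", ""))
    if event.get("ParentHash", "").lower() not in CLEAN_HASHES:
        return None
    if child not in CODE_EXEC_CHILDREN or parent in EXPECTED_LAUNCHERS:
        return None

    reasons = [f"reputation-clean {parent} spawned {child}"]
    if parent_path.lower().startswith(USER_WRITABLE_PREFIXES):
        reasons.append("parent image lives in a user-writable directory")
    cmd = event.get("CommandLine", "").lower()
    if any(tok in cmd for tok in SUSPICIOUS_ARGS):
        reasons.append("child command line carries interpreter-abuse markers")

    return {
        "severity": "high" if len(reasons) >= 2 else "low",
        "parent": parent_path,
        "child": event.get("Image", ""),
        "reasons": reasons,
    }


def hunt(events: list) -> list:
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed records in the shape of Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {   # the legitimate case from the post: setup helper running off the install media
        "ParentImage": "D:\\SETUP\\SHELEXEC.EXE",
        "ParentHash": "0" * 63 + "1",
        "Image": "C:\\Windows\\System32\\msiexec.exe",
        "CommandLine": "msiexec.exe /i D:\\SETUP\\ACCESS.MSI /qb",
    },
    {   # the same "clean" binary re-purposed: dropped to %TEMP%, launching encoded PowerShell
        "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\SHELEXEC.EXE",
        "ParentHash": "0" * 63 + "1",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # routine: the desktop shell starting a console; excluded as an expected launcher
        "ParentImage": "C:\\Windows\\explorer.exe",
        "ParentHash": "0" * 63 + "2",
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe",
    },
    {   # parent not in the clean set: outside this rule's scope, other rules cover it
        "ParentImage": "C:\\Users\\bob\\Downloads\\invoice.exe",
        "ParentHash": "f" * 64,
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["parent"], "->", finding["child"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Running the block yields one LOW finding for the helper launching the installer from its setup media, and one HIGH finding for the identical binary dropped into a user's %TEMP% and pointed at an encoded PowerShell command. The hash is the same in both records, which is the whole point: an allowlist cannot tell them apart, only the surrounding context can. The two remaining events are intentionally ignored here (expected launcher; hash not on the clean list) and belong to other rules.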