Attack, Deconstructed: Living off the Land

What is a “Living off the Land” (LOLBAS) attack?

Here’s how it works!

  1. Company user accesses a compromised website, inserts an infected USB drive, or opens a phishing email.
  2. The attacker scans the machine for weak spots and targets.
  3. The attacker hides malware into an already-existing, white-listed software.
  4. The attacker searches and executes malicious activity under the radar.
  5. The attacker continues to gets data/executes malicious activity using the planted malware, since the software used for cover is white-listed.


We see time and time again that companies are not upgrading their Endpoint Detection & Response (EDR) capabilities. This is a huge vulnerability in IT/network security because LOLBAS attacks exploit the local operating systems (OS) to avoid detection by using tools or features that already exist in the target environment, making it more difficult for defenders to detect or prevent.

Some EDR software lack the capabilities to stop, or even detect, LOLBAS based attacks!

To combat this type of attack, we mapped and developed an out-of-the-box integration rules bundle which leverages built-in windows auditing capabilities to detect such attacks, minimizing an expensive risk with a quick (and easy) solution. The LOLBAS bundle includes around 200 unique detection rules.


One of the LOLBAS rules within the bundle is Regsvr32:

Regsvr32 is a command-line utility to register and unregister OLE controls, such as DLLs and ActiveX controls in the Windows Registry.

An adversary can use this signed Windows binary to achieve signed-binary proxy execution defined by MITRE ATT&CK as technique T1117.

It may be possible to bypass application whitelist solutions because the execution of signed system binaries might be allowed.

The technique is done by calling the command line tool to run a local or remote Windows Script Component (SCT) file, in which VBScript or JavaScript can be used to gain arbitrary code execution. regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation.
This method makes no changes to the Registry as the COM object is not actually registered, only executed.

To learn more about this attack , visit MITRE.


Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Subscribe to “Cyber by QMasters” to stay in-the-know!
Don’t worry, it’s once a month.

Contact Us.