Posted by Martijn Grooten on Sep 2, 2019
Living-off-the-land binaries, often referred to as LOLbins, are legitimate (Windows) binaries used for malicious purposes. Their use has increased in malware campaigns in recent years and serves as a reminder that a defensive approach focused purely on detecting malicious binaries is outdated.
Thus, rather than focusing on the binaries themselves, it is important to study the parent-child process chain that leads to a binary being executed, in order to determine whether its use is likely malicious.
This is the premise of a paper to be presented at VB2019 by Endgame researcher Bobby Filar, who will discuss Problem Child, a graph-based framework designed to address these issues. In his research he also applied the framework to activity from two known APT actors: OceanLotus and APT3.
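To illustrate the parent-child approach described above, here is an added example (not code from the paper or from Problem Child) that builds a process graph from constructed process-creation events and flags a LOLbin execution only when its ancestry chain includes a process that rarely launches such binaries legitimately; the LOLbin watchlist and the suspicious-ancestor set are assumptions chosen for the demo.

```python
# Added example: walk a parent-child process graph built from constructed
# process-creation events and flag LOLbin executions with unusual ancestry.
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image")

# Assumption: a small watchlist of well-known living-off-the-land binaries.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Assumption: parents that rarely launch the binaries above legitimately.
SUSPICIOUS_ANCESTORS = {"winword.exe", "excel.exe", "outlook.exe", "chrome.exe"}


def build_graph(events):
    """Map pid -> event so ancestry can be walked upward via ppid."""
    return {e.pid: e for e in events}


def ancestry(graph, pid, max_depth=32):
    """Return the chain of image names from pid up to the highest known parent."""
    chain, seen = [], set()
    while pid in graph and pid not in seen and len(chain) < max_depth:
        seen.add(pid)              # guard against pid reuse forming a cycle
        e = graph[pid]
        chain.append(e.image.lower())
        pid = e.ppid
    return chain


def flag_lolbins(events):
    """Return (pid, chain) for each LOLbin whose ancestry has a suspicious parent."""
    graph = build_graph(events)
    hits = []
    for e in events:
        if e.image.lower() not in LOLBINS:
            continue
        chain = ancestry(graph, e.pid)
        if any(a in SUSPICIOUS_ANCESTORS for a in chain[1:]):
            hits.append((e.pid, chain))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE = [
    Event(4, 0, "System"),
    Event(500, 4, "explorer.exe"),
    Event(1200, 500, "winword.exe"),
    Event(1300, 1200, "cmd.exe"),
    Event(1400, 1300, "certutil.exe"),   # LOLbin descended from an Office process
    Event(2000, 500, "certutil.exe"),    # same binary launched from the shell: not flagged
]

if __name__ == "__main__":
    for pid, chain in flag_lolbins(SAMPLE):
        print(pid, " <- ".join(chain))
```

The same binary appears twice in the sample; only the execution whose chain passes through winword.exe is reported, which is the point of looking at the chain rather than the binary.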
With VB2019 just one month away, it is time to book your ticket for the most international threat intelligence event of the year!