Microsoft shares detection, mitigation advice for Azure LoLBins


Azure LoLBins can be used by attackers to bypass network defenses, deploy cryptominers, elevate privileges, and disable real-time protection on a targeted device.


On Windows systems, LoLBins (short for living-off-the-land binaries) are Microsoft-signed executables (downloaded or pre-installed) that threat actors can abuse to evade detection while performing various malicious tasks such as downloading, installing, or executing malicious code.


Attackers can abuse a wide range of legitimate Windows tools, including but not limited to Microsoft Defender, Windows Update, and even the Windows Finger command.


As Microsoft said earlier today, they can also use Azure LoLBins by abusing Azure Compute virtual machine extensions, small apps used by admins for automation and post-deployment tasks.


"The usage of LoLBins is frequently seen, mostly combined with fileless attacks, where attacker payloads surreptitiously persist within the memory of compromised processes and perform a wide range of malicious activities," Microsoft Senior Security Research Manager Ram Pliskin explained.


"Together with the use of legitimate LoLBins, attackers' activities are more likely to remain undetected."


Among the VM extensions susceptible to abuse in attacks, Pliskin says that Microsoft has observed these used by threat actors as Azure LoLBins:


While being legitimately used by thousands of admins each day for managing their organizations' Azure fleets, their capabilities can also be used for malicious purposes, including circumventing network defense lines.
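One defensive way to act on this, as an added example that is not from the article or from Microsoft: scan Azure Activity Log records for VM extension write operations and flag deployments whose extension or caller is not on an allowlist. The record layout is simplified and the allowlist, callers and sample records are constructed assumptions for illustration.

```python
"""Flag Azure VM extension deployments that fall outside an allowlist.

Added example (not from the article or Microsoft). The activity-log record
shape is simplified and the allowlist values are assumed for illustration.
"""
from typing import Iterable, List

# Activity Log operation recorded when an extension is created or updated.
EXTENSION_WRITE_OP = "Microsoft.Compute/virtualMachines/extensions/write"

# Assumed per-tenant policy: extensions admins are expected to deploy, and
# the automation identities expected to deploy them.
ALLOWED_EXTENSIONS = {"Microsoft.Azure.Monitor/AzureMonitorWindowsAgent"}
ALLOWED_CALLERS = {"deploy-pipeline@example.com"}


def extension_id(record: dict) -> str:
    """Return 'publisher/type' for the extension in a (simplified) record."""
    props = record.get("properties", {})
    return f"{props.get('publisher')}/{props.get('type')}"


def flag_extension_writes(records: Iterable[dict]) -> List[dict]:
    """Return one finding per extension write that violates the allowlist."""
    findings = []
    for rec in records:
        if rec.get("operationName", {}).get("value") != EXTENSION_WRITE_OP:
            continue  # not an extension deployment; ignore
        ext, caller, reasons = extension_id(rec), rec.get("caller"), []
        if ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"unexpected extension {ext}")
        if caller not in ALLOWED_CALLERS:
            reasons.append(f"unexpected caller {caller}")
        if reasons:
            findings.append({"resourceId": rec.get("resourceId"),
                             "caller": caller, "extension": ext,
                             "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry): one expected deployment
# by the pipeline identity, one unapproved extension pushed by another user.
SAMPLE_RECORDS = [
    {"operationName": {"value": EXTENSION_WRITE_OP},
     "caller": "deploy-pipeline@example.com", "resourceId": "/vm-01",
     "properties": {"publisher": "Microsoft.Azure.Monitor",
                    "type": "AzureMonitorWindowsAgent"}},
    {"operationName": {"value": EXTENSION_WRITE_OP},
     "caller": "someone@example.com", "resourceId": "/vm-02",
     "properties": {"publisher": "Example.Publisher",
                    "type": "UnapprovedExtension"}},
    {"operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
     "caller": "someone@example.com", "resourceId": "/vm-02"},
]
```

Running `flag_extension_writes(SAMPLE_RECORDS)` yields a single finding for `/vm-02`, with both the extension and the caller cited as reasons; the VM start record is ignored.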


Fo ..
