Hackers are abusing Microsoft tools more than ever before


  • The rise in LOLbins used in attacks this year has been significant
  • Most common ones used include RDP, PowerShell, cmd.exe, and net.exe
  • Sophos has shared mitigation tips for anyone affected

The rise in the abuse of Microsoft’s LOLbins (Living Off the Land binaries) in the first half of 2024 has been nothing short of alarming, a new report from Sophos has claimed.

The Sophos 2024 Active Adversary Report, which analyzes cases handled by its Incident Response (IR) and Managed Detection and Response (MDR) teams, says that in H1 of this year, hackers used 187 LOLbins in their attacks, a 51% increase compared to 2023. In 2021, the team observed exactly 100 LOLbins used.

Living Off the Land Binaries are legitimate executables and scripts native to operating systems, often pre-installed, that attackers abuse to perform malicious actions while evading detection. They are trusted tools, such as PowerShell or cmd.exe, making their activity harder to distinguish from normal administrative tasks.

RPD rules the landscape

Sophos says commonly abused LOLbins this year included RDP, PowerShell, cmd.exe, and net.exe, with RDP alone implicated in nearly 89% of cases. This didn’t come as much of a surprise for the researchers, too: “For the most part the names in the figure above are no surprise to regular readers of the Active Adversary Report – RDP rules the landscape, with cmd.exe, PowerShell, and net.exe making their usual strong showing,” they said.

Furthermore, binaries usually used for discovery or enumeration seem to be most prevalent, as of the top 29 LOLbins, 16 served such a purpose. Microsoft’s tools are being increasingly leveraged due to their legitimacy, signed status, and ubiquity within operating systems, it was said.

To mitigate the abuse of Microsoft LOLBins, organizations should adopt a multi-layered security approach, Sophos concludes.

This includes a number of things, from restricting access to commonly abused tools, to monitoring and logging the use of the binaries. Furthermore, they should implement endpoint detection and response solutions (EDR), and disable unused LOLbins. Finally, regularly applying software updates and educating employees on recognizing phishing and social engineering attacks can further reduce risks, they said.

You might also like