Hackers are abusing Microsoft tools more than ever before

News
By published

Abuse of LOLbins in cyberattacks is skyrocketing, Sophos says

Fingertip pressing keyboard key with Windows logo on it
Är du ute efter bästa VPN för Windows 10 och Windwos 11? Här är våra favoriter just nu. (Image credit: Shutterstock)
  • The rise in LOLbins used in attacks this year has been significant
  • Most common ones used include RDP, PowerShell, cmd.exe, and net.exe
  • Sophos has shared mitigation tips for anyone affected

The rise in the abuse of Microsoft’s LOLbins (Living Off the Land binaries) in the first half of 2024 has been nothing short of alarming, a new report from Sophos has claimed.

The Sophos 2024 Active Adversary Report, which analyzes cases handled by its Incident Response (IR) and Managed Detection and Response (MDR) teams, says that in H1 of this year, hackers used 187 LOLbins in their attacks, a 51% increase compared to 2023. In 2021, the team observed exactly 100 LOLbins used.

Living Off the Land Binaries are legitimate executables and scripts native to operating systems, often pre-installed, that attackers abuse to perform malicious actions while evading detection. They are trusted tools, such as PowerShell or cmd.exe, making their activity harder to distinguish from normal administrative tasks.

RPD rules the landscape

Sophos says commonly abused LOLbins this year included RDP, PowerShell, cmd.exe, and net.exe, with RDP alone implicated in nearly 89% of cases. This didn’t come as much of a surprise for the researchers, too: “For the most part the names in the figure above are no surprise to regular readers of the Active Adversary Report – RDP rules the landscape, with cmd.exe, PowerShell, and net.exe making their usual strong showing,” they said.

Furthermore, binaries usually used for discovery or enumeration seem to be most prevalent, as of the top 29 LOLbins, 16 served such a purpose. Microsoft’s tools are being increasingly leveraged due to their legitimacy, signed status, and ubiquity within operating systems, it was said.

To mitigate the abuse of Microsoft LOLBins, organizations should adopt a multi-layered security approach, Sophos concludes.

This includes a number of things, from restricting access to commonly abused tools, to monitoring and logging the use of the binaries. Furthermore, they should implement endpoint detection and response solutions (EDR), and disable unused LOLbins. Finally, regularly applying software updates and educating employees on recognizing phishing and social engineering attacks can further reduce risks, they said.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Android phone malware
Over 25 new malware variants created every single hour as smart device cyberattacks more than double in 2024
Russian flag on a laptop
Hackers are using Russian domains to launch complex document-based phishing attacks
A digital representation of a lock
Security experts are being targeted with fake malware discoveries
Hands typing on a keyboard surrounded by security icons
Infostealers on the rise: the latest concern for organizational defenses
A digital representation of a lock
Exploits on the rise: How defenders can combat sophisticated threat actors
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
Zotac Gaming RTX 5090 Graphics Card
Nvidia Blackwell stock woes are compounded by price hikes as more RTX 5090 GPUs soar in pricing, and I’m sick and tired of it all at this point
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'
An Apple Music pink/pixellated poster advertising DJ with Apple Music
DJ with Apple Music lands, allowing subscribers to build and mix DJ sets directly from its +100 million-song catalog
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Intel Core Ultra PCs

“No matter who you are, what you do, what form factor you choose” - how Intel is bringing AI advantage and unrivaled security to every industry and ecosystem
See more latest
Most Popular
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
Monster Hunter Wilds
Monster Hunter Wilds Title Update 1 launches in early April, adding new monsters and some of the best-looking armor sets I need to add to my collection
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Sony WF-C710N in blue glass on beige background
Sony WF-C710 earbuds land, and I think they'll be the 2025 budget buds to beat
The RIG M2 Streamstar attached to a boom arm.
The RIG M2 Streamstar has the world's first Bluetooth audio gateway in a wired gaming microphone
Four operators survey Verdansk. One holds a sniper rifle, one binoculars, another holds is landing with their parachute, while the last wears a skull mask
New Call of Duty: Warzone trailer shows a beautiful rebuilt Verdansk, but some fans want more: 'it won't be the same unfortunately'
Data leak
A major Keenetic router data leak could put a million households at risk
A collage of Elizabeth Olsen's Scarlet Witch and Tatiana Maslany's She-Hulk
Marvel fans are already tired of Doomsday and Secret Wars cast gossip as two more superheroes get linked with roles in the next two Avengers movies
Quordle on a smartphone held in a hand
Quordle hints and answers for Wednesday, March 26 (game #1157)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Wednesday, March 26 (game #388)