Detection and Mitigation Techniques for Fileless Attacks Using LOLBins in Modern Windows Environments
Fileless malware is growing in popularity as attackers innovate in how they compromise victims while evading antivirus and EDR mechanisms. Living off the Land Binaries (LOLBins) have become a target for exploitation by attackers and are particularly dangerous because they are legitimate utility programs present by default in the operating system. Since LOLBins are legitimate operating system files, their exploitation is hard to detect. LOLBin exploitation is the focus of this research paper, which is accompanied by several examples of malware, such as Emotet and Chaes, that use these strategies. It also discusses how attackers interact with LOLBins, including through PowerShell, Mimikatz and Windows Management Instrumentation (WMI). The LOLBin exploitation detection techniques investigated include behavior and log analysis, file integrity checking, network traffic analysis, and UEBA. The difficulties involved in identifying the use of LOLBins in attacks on a system are discussed, and they include: circumvention of security tools; achieving privilege elevation; movement from one component of the system to another; and other forms of concealment. This research investigates the behavior of LOLBins in attacks and their detection, focusing on current and future developments in monitoring and threat hunting to counter the threats posed by fileless malware.
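As an added illustration of the behavior and log analysis approach named above (example code, not from the paper), the following Python applies two detection rules to constructed process-creation records for the PowerShell and WMI LOLBins the abstract mentions. The simplified key=value log format, the list of document-handling parent processes and the command-line patterns are assumptions for this example and would be tuned against a real environment's baseline.

```python
import re
# LOLBins the abstract names as attacker entry points; extend to your environment.
LOLBINS = {"powershell.exe", "wmic.exe"}
# Parents that should rarely spawn a scripting host (assumption for this example).
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Command-line traits that merit review (assumption; tune against your baseline).
SUSPICIOUS_ARGS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|process\s+call\s+create", re.I)

# Constructed sample events in a simplified key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=powershell.exe -w hidden -enc QQBCAEMA",
    "EventID=1|Image=C:\\Windows\\System32\\wbem\\WMIC.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=wmic process call create notepad.exe",
    "EventID=1|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=powershell.exe Get-Process",
    "EventID=3|Image=C:\\Windows\\System32\\svchost.exe"
    "|ParentImage=C:\\Windows\\System32\\services.exe|CommandLine=",
]

def parse_event(line):
    """Split 'k=v|k=v' into a dict; values may contain spaces but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))

def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the names of the detection rules this event triggers."""
    if event.get("EventID") != "1" or basename(event.get("Image", "")) not in LOLBINS:
        return []  # only process-creation events for a watched LOLBin are scored
    hits = []
    if basename(event.get("ParentImage", "")) in DOCUMENT_PARENTS:
        hits.append("lolbin_spawned_by_document_app")
    if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        hits.append("lolbin_suspicious_arguments")
    return hits

def triage(lines):
    """Run every rule over every event; keep (image, rules) for events that fire."""
    findings = []
    for line in lines:
        event = parse_event(line)
        hits = evaluate(event)
        if hits:
            findings.append((basename(event["Image"]), hits))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the PowerShell launch from WINWORD on both rules and the WMIC process creation on the argument rule, while the benign interactive PowerShell session and the non-process event produce nothing.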
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.



