< ciso
brief />
Tag Banner

All news with #lolbins tag

6 articles

AI-assisted PowerShell used for noisy AD reconnaissance

🛡️ Huntress investigators reported an early-June 2026 intrusion where an unknown actor used a vibe-coded PowerShell script to enumerate Active Directory. The attacker gained RDP access with pre-compromised credentials, staged tools under C:\ProgramData\, and executed an AI-suspected payload that mapped DCs, users, groups, OUs, trusts, and produced an AD_Report.html. After harvesting data into CSVs and archiving them, files were exfiltrated to a remote server, with additional enumeration using s5cmd and SharpShares.
read more →

AI coding agents trigger endpoint behavioral detections

🛡️ Sophos analyzed a week of June 2026 telemetry and found AI coding agents like Claude Code, Cursor, and OpenAI Codex frequently trigger behavioral detection rules designed to catch human attackers. The agents perform actions—decrypting browser credentials, enumerating Windows Credential Manager, downloading files via LOLBins, and writing startup scripts—that look like malicious behavior to endpoint engines. While often benign developer automation, these behaviors overlap precisely with attacker techniques and can generate false positives. Sophos recommends scoping rules to agent parents, workspaces, and download reputations while keeping credential access tightly controlled.
read more →

Legacy MSHTA Utility Still Widely Abused by Malware

🛡️ Bitdefender reports that Microsoft’s MSHTA (Microsoft HTML Application Host), a remnant from Internet Explorer, is actively abused as a living-off-the-land binary in ongoing malware campaigns. Attackers use it to execute obfuscated HTA content, launch PowerShell, and fetch loaders and stealers such as CountLoader, LummaStealer, Amatera and PurpleFox. Campaigns rely on fake downloads, cracked apps, SEO-poisoned pages and Discord phishing to trick victims into executing payloads. Because MSHTA is Microsoft-signed and preinstalled, it remains implicitly trusted and attractive to adversaries.
read more →

Attackers Exploiting Trusted Tools: Why You Miss It

⚠️ Attackers increasingly bypass classic defenses by abusing trusted, built-in tools such as PowerShell, WMIC, and Certutil to move laterally, escalate privileges, and maintain persistence without dropping new malware. These Living Off The Land (LOTL) techniques mimic routine admin tasks and produce minimal alerts, creating stealthy blind spots for detection-focused teams. A data-driven Internal Attack Surface Assessment reveals unnecessary access, maps realistic attack paths, and prioritizes low-impact remediations so organizations can harden systems without disrupting workflows.
read more →

Weaponized Windows Shortcuts Deliver Global Group Ransomware

📄 Forcepoint X‑Labs researchers have uncovered a Phorpiex‑backed phishing campaign that weaponizes Windows shortcut (.lnk) files to deploy Global Group ransomware. Attackers send messages with the subject "Your Document" and attachments like "Document.doc.lnk", exploiting hidden file extensions and a Word‑style icon to trick recipients. The .lnk uses built‑in utilities (cms.exe and PowerShell) and heavily obfuscated commands to fetch and run a second‑stage payload, leveraging Living‑off‑the‑Land techniques so the ransomware executes locally without external C2 communication.
read more →

Stopping Living-off-the-Land Abuse of Trusted Tools

🔒 CrowdStrike highlights how attackers increasingly weaponize trusted software—RMM tools, built-in Windows utilities, and admin binaries—to evade detection and operate within networks. The Falcon platform layers behavioral IOAs, custom controls, and Exposure Management and now adds APEX, a machine-learning model that analyzes command-line syntax, parameters, process lineage, timing, and context to detect LOLbin abuse. APEX is generally available for Windows and aims to raise detection while reducing false positives.
read more →