
Late one Tuesday night, Elena's phone buzzed with an alert from her company's SIEM. Her team had set up a rule to flag when certain system tools (whoami, nltest and nslookup) were run one after another in quick succession. That exact pattern had just triggered on a computer in the Finance Department. The time? 2:13 a.m. Concerned, Elena logged in from home to investigate. Almost immediately, two more alerts appeared. One signaled that Mimikatz (a tool popular with threat actors for stealing credentials) had been used on the same Finance machine. The other reported a PsExec download (a Sysinternals command-line tool used to execute processes on remote systems) on a domain controller. Elena and her team began isolating systems and tracing the activity, determined to stop it before it spread any further. What first looked like routine system commands now clearly pointed to something more serious.

This story is a condensed version of something we're seeing more and more often in Cisco Talos Incident Response engagements: rather than inventing their own tools, attackers are making use of familiar, legitimate software, just with a very different purpose.

What exactly are LOLBins?

A big part of this trend revolves around "living off the land binaries," or LOLBins. LOLBins are tools built into an operating system that attackers can use to carry out malicious actions without having to download or install any new software or utilities. They're especially concerning because they're already installed,…
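The detection that wakes Elena up is a sequence rule: the same three discovery tools (whoami, nltest, nslookup) executed in order on one host inside a short window. The following is an added example of that logic, not code from Cisco Talos or the original post. It runs over constructed process-creation events with an assumed schema (ts, host, user, image); the host names, user names and timestamps are invented, and the five-minute window is an arbitrary tuning choice. It also shows the two cases a practitioner cares about most: a lone whoami that should not fire, and the same three tools spread across hours that fall outside the window.

```python
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical; not from any real SIEM).
# The field names are an assumed schema; map them to your own telemetry.
SAMPLE_EVENTS = [
    # The pattern from the story: three discovery tools within seconds on a Finance host.
    {"ts": "2024-03-12T02:13:04", "host": "FIN-WS-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\whoami.exe"},
    {"ts": "2024-03-12T02:13:09", "host": "FIN-WS-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\nltest.exe"},
    {"ts": "2024-03-12T02:13:15", "host": "FIN-WS-07", "user": "jdoe",
     "image": "C:\\Windows\\System32\\nslookup.exe"},
    # A help-desk admin running whoami on its own: no sequence, so no alert.
    {"ts": "2024-03-12T09:02:00", "host": "HD-WS-01", "user": "helpdesk",
     "image": "C:\\Windows\\System32\\whoami.exe"},
    # Same three tools on another host, but spread over hours: outside the window.
    {"ts": "2024-03-12T10:00:00", "host": "ENG-WS-03", "user": "bob",
     "image": "C:\\Windows\\System32\\whoami.exe"},
    {"ts": "2024-03-12T12:30:00", "host": "ENG-WS-03", "user": "bob",
     "image": "C:\\Windows\\System32\\nltest.exe"},
    {"ts": "2024-03-12T15:45:00", "host": "ENG-WS-03", "user": "bob",
     "image": "C:\\Windows\\System32\\nslookup.exe"},
]

# Ordered sequence of LOLBins the rule looks for (compared case-insensitively on basename).
RECON_SEQUENCE = ("whoami.exe", "nltest.exe", "nslookup.exe")


def _parse(ts):
    return datetime.fromisoformat(ts)


def _basename(image):
    """Reduce a Windows image path to its lowercase file name."""
    return image.rsplit("\\", 1)[-1].lower()


def find_recon_sequences(events, sequence=RECON_SEQUENCE, window=timedelta(minutes=5)):
    """Return one alert per completed sequence: the tools in `sequence` ran in that
    order on a single host, all within `window` of the first one.

    Events are grouped per host and sorted by timestamp before matching."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: _parse(e["ts"]))
        for i, first in enumerate(evs):
            if _basename(first["image"]) != sequence[0]:
                continue
            deadline = _parse(first["ts"]) + window
            needed = list(sequence[1:])  # tools still to be seen, in order
            for later in evs[i + 1:]:
                if _parse(later["ts"]) > deadline:
                    break  # window expired before the sequence completed
                if _basename(later["image"]) == needed[0]:
                    needed.pop(0)
                    if not needed:
                        alerts.append({
                            "host": host,
                            "user": first["user"],
                            "start": first["ts"],
                            "end": later["ts"],
                        })
                        break
    return alerts


if __name__ == "__main__":
    for alert in find_recon_sequences(SAMPLE_EVENTS):
        print(f"[ALERT] discovery sequence on {alert['host']} by {alert['user']} "
              f"between {alert['start']} and {alert['end']}")
```

Widening the window trades false negatives for false positives: with a twelve-hour window the slow ENG-WS-03 run also fires, which is why rules like this are usually paired with time-of-day and user-baseline context rather than used alone.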