Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)

Discussion in 'other security issues & news' started by WildByDesign, Apr 18, 2018.

  1. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This resource has just been created but is already quite a nice and thorough resource for describing Microsoft-signed binaries which can be abused, plus much more.


    Living Off The Land Binaries and Scripts
    Link: https://github.com/api0cradle/LOLBAS
     
  2. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    From a quick glance, are those meant to complement Florian's existing vulnerable process list?

    Thank you, btw.
     
  3. guest

    guest Guest

    I think so.
    Some processes are already included in the "official" Excubits blacklist but some commands are new.
    This repository gets regularly updated and is definitely worth a view.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    (and now also Libraries)
     
  5. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    Bit off-topic, sorry:

    Tried to find the meaning of "Living Off the Land" but I couldn't find anything that makes sense in this context.
    Am I right if I think that's an idiomatic expression?
     
  6. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    I think you would properly call it a metaphorical expression. The idea of living off the land is that you don't go to the store and buy what you need; you just live from natural resources and get what you need from what the land produces. This is a metaphor for malware that gets what it needs from what is "naturally" in the OS.
     
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    Thanks, that's what I thought first but wasn't sure.
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    This repo has turned out to be quite a nice and valuable resource. It seems that many security researchers discuss these OS binaries and how to abuse them on their blogs and share them on Twitter (of all platforms), and therefore it becomes a really decent collaboration, and it seems to be updated regularly, which is great.

    The addition of scripts and libraries is nice as well. I like how many of these detail how to use them for code execution and specific command lines and such. It makes it much easier to create blacklists to intercept.

    This does contain many of the binaries which are listed in Florian's blacklist but there are also many new additions as well. I mentioned this repo to Florian recently so that he can also follow and update his own resources. If anyone is adding any of these to their own blacklists, it is always best practice to run initially in a logging only mode so that you can determine if any of these cause issues for your system and configuration. When I add something new, I generally use the system through one or two reboots before enabling blocking mode again.

    I have not personally determined yet how best to add the scripts to my blacklist in Bouncer. I assume that I would have to add them to the command line blacklist section but haven't gotten around to doing that yet.

    @Mister X Sorry that I had missed your initial reply a while back.
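
An added example, not from the thread or the LOLBAS project, of the audit-first workflow described in the post above: a small LOLBins/LOLScripts blacklist evaluated over constructed process-creation events, with hits only logged until enforcement is switched on, and scripts caught on the command line since they have no image of their own. The binary names, the regex and the events are constructed samples, and nothing here mirrors Bouncer's actual configuration syntax.

```python
"""Audit-first LOLBins/LOLScripts blacklist, run over constructed process-creation
events. Names, regex and events are illustrative samples, not LOLBAS data or Bouncer syntax."""
from collections import Counter, namedtuple
import re

# Sample binary blacklist, a hand-picked subset of the kind of names LOLBAS tracks.
LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe"}
# Scripts have no image of their own, so they can only be caught on the command
# line; this sample rule matches a script host launching a .vbs/.js file.
LOLSCRIPT_RULES = {
    "script-host-runs-file": re.compile(r"\b[wc]script\.exe\b.*\.(vbs|js)\b", re.I),
}

# image = full path of the created process; cmdline = its command line;
# parent = parent image, kept for triage of logged hits.
Event = namedtuple("Event", "image cmdline parent")
# action is "allow", "log" (audit mode) or "block" (enforce mode); rule is "-" on allow.
Decision = namedtuple("Decision", "image rule action")

def match_rules(ev):
    """Return the first rule this event trips, or None."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    if name in LOLBINS:
        return "lolbin:" + name
    for rule_name, rx in LOLSCRIPT_RULES.items():
        if rx.search(ev.cmdline):
            return "lolscript:" + rule_name
    return None

def evaluate(events, enforce=False):
    """Audit mode (default) only logs hits; enforce=True turns the same hits into blocks."""
    decisions = []
    for ev in events:
        rule = match_rules(ev)
        action = "allow" if rule is None else ("block" if enforce else "log")
        decisions.append(Decision(ev.image, rule or "-", action))
    return decisions

def hits_by_rule(decisions):
    """Tally hits per rule so each can be reviewed before flipping the list to enforce."""
    return Counter(d.rule for d in decisions if d.action != "allow")

# Constructed events standing in for a couple of reboots' worth of audit logs.
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\certutil.exe", "certutil.exe -verify cert.cer", "cmd.exe"),
    Event(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", "explorer.exe"),
    Event(r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\Public\update.vbs", "WINWORD.EXE"),
]
```

Running `evaluate(SAMPLE_EVENTS)` logs the certutil and wscript events without blocking them; the certutil hit is an ordinary certificate verify, which is exactly the kind of legitimate use the audit pass is meant to surface before enforce mode is switched on.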
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,813
    Location:
    .
    No problem at all, thanks for replying and posting such interesting stuff as usual.
     
  10. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada