This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Topic 3.7 of Reversing Malicious Code
Nine LOLBins with command examples, the four abuse categories, suspicious parent-child process relationships, Sysmon detection rules, and the LOLBAS Project as a reference.
By the end of this topic, you will
Quadrant 1 · e-Tutorial
Quadrant 2 · e-Content
Quadrant 3 · Web Resources
Downloadable reference material
External links
LOLBAS Project — Living Off The Land Binaries
Definitive searchable catalogue of all known LOLBins with abuse scenarios, detection guidance, and real-world usage references.
Sysmon — System Monitor by Sysinternals
Install Sysmon in your analysis VM with the SwiftOnSecurity config for immediate LOLBin detection coverage.
MITRE ATT&CK — System Binary Proxy Execution (T1218)
ATT&CK parent technique for LOLBin abuse with all sub-techniques covering regsvr32, rundll32, mshta, msiexec, and others.
Quadrant 4 · Self-Assessment
Reversing Malicious Code
Covers x86 and x64 assembly analysis, control flow graphs, Windows API-level malware behaviour, DLL analysis, injection techniques, API hooking, and Living-off-the-Land attacks.
REMA Complete Assessment
A comprehensive 120-question assessment covering the entire Reverse Engineering and Malware Analysis curriculum: malware taxonomy and reverse engineering fundamentals, static and dynamic analysis, reversing malicious code, malicious web and document files, in-depth analysis of packed and fileless malware, and self-defending malware techniques.