LOLBin Definition

A LOLBin (living-off-the-land binary) is a pre-installed executable file that cyberattackers can use as part of a living-off-the-land attack. Security tools typically trust these files because they’re a native component of the operating system and have legitimate functions. Attackers use LOLBins to perform malicious activities without introducing easily detectable files to the target device.

How LOLBins Are Used for Attacks

Attackers use LOLBins to carry out malicious actions while blending in with normal system activity. Common techniques include:

• Allowlist bypass: Uses trusted system tools that already have the necessary permissions to run.
• Code execution: Runs malicious scripts or shellcode through built-in utilities, like PowerShell or cmd.
• Malware delivery: Downloads additional payloads from remote servers using legitimate tools.
• Detection evasion: Avoids triggering security alerts typically caused by unknown executables.
• Privilege escalation: Leverages tools with a high level of privileges.
• Lateral movement: Uses remote execution tools to access other systems in the network.

Common LOLBin Examples

• Certutil.exe: Downloads, encodes, and decodes files from a specified URL.
• Mshta.exe: Executes HVBScript or JScript applications that contain malicious scripts.
• Powershell.exe: Runs PowerShell commands, such as downloading and running malicious files.
• Regsvr32.exe: Registers .dll files and executes code from remote scripts.
• Rundll32.exe: Runs code stored in .dll files.
• nc / netcat: Creates network connections for remote communication or command execution.
• OpenSSL: Forms encrypted connections and transfers data between systems.

Read More

• What Is a Fileless Attack?
• What Is an Insertion Attack?
• What Is Arbitrary Code Execution?

FAQ