Living off the Land Binaries (LOLBins)
Living off the Land Binaries (LOLBins) are legitimate, pre-installed executables and scripts on an operating system that adversaries abuse to perform malicious actions without introducing external malicious code or tools. This tactic helps attackers evade detection, as these binaries are typically trusted and signed by the operating system vendor
Key Characteristics:
Legitimacy: LOLBins are part of the operating system or other installed software and have legitimate uses.
Trust: Security solutions and administrators often trust these files, making their malicious use less suspicious.
Flexibility: These binaries can perform a wide range of actions, such as downloading files, executing commands, or interacting with system resources
Examples of LOLBins:
On Windows:
cmd.exe/powershell.exe: Used to execute scripts or commands.reg.exe: Manipulates the Windows registry.mshta.exe: Executes HTML applications and can run malicious scripts.rundll32.exe: Executes DLLs or functions, often abused to run malicious code.certutil.exe: Retrieves and decodes certificates, often abused for downloading files.schtasks.exe: Creates scheduled tasks for persistence or execution
On Linux:
bash: Executes shell commands and scripts.wget/curl: Downloads files or communicates with remote servers.find: Executes other commands via the-execflag.cron: Used for scheduling tasks (persistence)
Here is example the attacker can use legitimate pre-installed tool to download malicious file
Common Malicious Activities with LOLBins:
cExecution:
Run scripts or commands (e.g., using
PowerShellorcmd.exe).
File Download:
Use tools like
CertUtilorbitsadminto fetch payloads from remote servers.
Data Exfiltration:
Transfer stolen data using
PowerShellorftp.exe.
Persistence:
Use utilities like
schtasksto create scheduled tasks for re-execution.
Lateral Movement:
Use
PsExecorwmicto execute commands on remote systems.
Last updated