Skip to content

What are living-off-the-land binaries (LOLBins), and how would you hunt for their abuse?

Short answer

LOLBins (living-off-the-land binaries) are legitimate, signed, pre-installed system tools — like certutil, bitsadmin, mshta, rundll32, regsvr32, wmic, powershell — that attackers abuse to download, execute, or persist while blending in with normal admin activity. Because the binary itself is trusted, you cannot detect on the file; you detect on context: anomalous command-line arguments, unusual parent processes, unexpected network connections from these tools, and execution from odd paths or by odd users.

Living-off-the-land binaries — LOLBins — are the attacker's way of hiding in plain sight. They are legitimate, signed, Microsoft-shipped (or otherwise pre-installed) tools repurposed for malicious ends. Because the binary is trusted, traditional file-based controls wave it through.

Common offenders

certutil (download/encode), bitsadmin (download/persistence), mshta and rundll32 and regsvr32 (proxy execution), wmic (execution/lateral movement), powershell and cmd, msbuild, installutil. The LOLBAS project catalogs these and the techniques they enable. ATT&CK groups much of this under signed binary proxy execution (T1218).

Why the file is the wrong thing to detect

The executable is genuine and often allowlisted, so hash- or signature-based detection is useless. You must detect on how it is being used.

Where the signal lives

  • Command linecertutil -urlcache -f http://... or base64-decoding arguments are far outside normal admin use. Full command-line logging is essential.
  • Parent processwinword.exe or mshta.exe spawning powershell.exe is anomalous; a benign certutil is rarely launched by an Office app.
  • Network behaviourcertutil or bitsadmin making outbound connections to non-corporate hosts is a strong tell.
  • Path and user — execution from temp/user-writable directories or by accounts that never run these tools.

Hunting approach

Baseline normal usage of each binary, then hunt for the deviations above. Promote durable findings into Sigma rules tagged to T1218.

Why this matters

Senior interviewers expect you to know that the binary is trusted, so detection is behavioural — command line, lineage, and network — and that command-line visibility is the prerequisite.

Likely follow-ups

  • Why does allowlisting the binary not help against LOLBin abuse?
  • What is suspicious about certutil or bitsadmin making outbound connections?
  • How does parent-child process analysis help here?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.