Living Off the Land Binaries (LOLBins) Brief
What It Is
A post-exploitation posture where an attacker uses only tools, binaries, and scripts already present on the operating system; no custom tooling uploaded. Native administrative commands handle reconnaissance; Microsoft-signed binaries handle code execution. The entire operation looks like ordinary system administration.
Mental Model
Two properties combine. First, Windows ships a deep administrative surface (PowerShell, WMI, net, dsquery) designed to query the host, network, and AD, and the same capability an admin uses is the capability an attacker uses. Second, execution LOLBins are Microsoft-signed and live under C:\Windows, so AppLocker's default rules permit them. The malicious action runs inside a trusted Windows process, not an unknown executable. Together: the attacker maps the environment and runs code without ever introducing a new file or unknown signature.
Preconditions
Code execution on a Windows host as any user, the same foothold any post-exploitation step needs. No special privilege required to start; most native enumeration runs at standard domain-user level. Most effective when the environment is hardened against custom tooling: application allowlisting, EDR that flags unsigned binaries, no internet access, or a scoped assessment that prohibits uploads.
Attacker Gain
Two distinct gains: (1) Quiet enumeration: host configuration, network neighbors, domain users, groups, service accounts, and trust relationships mapped via native commands that generate the same log entries as routine administration. (2) Trusted execution: payload runs under the identity of a Microsoft-signed binary, bypassing application allowlisting and signature-based defenses. Together these let an operator map the environment and run follow-on code without crossing the tripwire that 'a new tool appeared on this machine' represents.
Key Tools and Binaries
- PowerShell: host and domain recon, downloads, in-memory execution; downgrade to v2 to sidestep script-block logging
- WMI / wmic: query host, user, group, and DC information locally or remotely without external tooling
- net / net1, dsquery, systeminfo: enumerate users, groups, shares, and AD objects; systeminfo summarizes the host in one command
- rundll32.exe: loads and runs DLLs; abused to execute attacker-supplied DLL code while bypassing AppLocker (T1218.011)
- installutil.exe: signed .NET install utility; abused via code placed in an Uninstall method; bypasses allowlisting and blends in (T1218.004)
- LOLBAS project: public catalog of Microsoft-signed binaries and their abuse functions (execute, download, bypass)
Interview Answer
Living off the land means that once an attacker has a foothold, they deliberately use only the tools that already ship with Windows instead of uploading their own. Most defenses are tuned to catch new or unsigned tools landing on disk, so avoiding that entirely is the whole point. On the enumeration side, PowerShell, WMI, net, and dsquery map the host, network, and domain, which is activity that is hard to separate from normal administration. On the execution side, Microsoft-signed binaries like rundll32 or installutil run the attacker's payload because they are permitted by AppLocker's default rules and the malicious action appears to come from a trusted Windows process. The attacker gets to enumerate the environment and run code without ever crossing the line that 'a new tool appeared' represents. Defending against it is about behavior, watching how trusted tools are actually being used, not just blocking files.
Stakeholder Explanation
Living off the land is when an attacker who is already inside a machine uses the tools that came with Windows, the same ones your administrators use, instead of bringing in their own hacking tools. They map your network and run their code using trusted, Microsoft-signed programs that are already there. The risk is that most defenses are tuned to catch new or unknown tools, and this technique deliberately avoids ever introducing one. Activity that should stand out instead looks like ordinary system administration, which means an intruder can quietly learn your environment and run their code while staying under the radar. Defending against it is less about blocking files and more about watching how trusted tools are actually being used.
Report Phrasing
Finding: Inadequate Detection of Living-off-the-Land Techniques. During the assessment, the operator performed host, network, and Active Directory enumeration using only native Windows utilities (PowerShell, WMI, net, and dsquery) and achieved code execution through Microsoft-signed binaries (rundll32.exe and installutil.exe), bypassing the application allowlisting policy. No alerts were generated for the enumeration activity, and the signed-binary execution was permitted by the default AppLocker rules, which allow any binary located within C:\Windows. Severity: Medium to High, depending on environment sensitivity and monitoring maturity. Recommendation: Implement behavior-based detection for known LOLBin abuse patterns rather than relying on signature or path trust. Enable PowerShell script-block logging, block legacy PowerShell v2, and pair AppLocker with Windows Defender Application Control. Baseline legitimate administrative activity so that anomalous use of native tooling from non-administrative hosts generates alerts.
Common Pitfalls
- Calling living off the land 'a tool' or 'an exploit': it is a posture, a deliberate choice about what to use, not a single technique or CVE
- Saying LOLBins bypass antivirus without explaining why: they are Microsoft-signed and in trusted locations, so allowlists and detection rules permit them by default
- Listing native commands without explaining the goal: the point is stealth and blending in, not just 'running commands natively'
- Conflating enumeration benefit (quiet recon via native commands) with execution benefit (signed binaries abused to run a payload past allowlisting): a strong answer distinguishes both
- Claiming it requires no skill because the tools are built in: knowing which binary can be coerced into code execution, and how to invoke it without tripping behavioral detection, is the actual expertise