
What is a Lolbin | Definition and Meaning

Last modified on Wednesday, May 8, 2024


Defining Lolbin

A Living off the Land Binary, or Lolbin, is a legitimate system binary, such as a DLL, that ships with Windows operating systems and that an attacker can leverage in attacks such as a fileless malware attack. The Lolbin definition may also include legitimate, signed administration tools, for example PsExec.

Lolbin Definition and Meaning

Thousands of DLLs come pre-installed with Windows and form a shared pool of resources used for legitimate purposes, designed to lower Windows program size (DLLs account for several GBs of Windows installs) and to avoid re-inventing the wheel. With so many DLLs, there is a risk of misuse through known and unknown vulnerabilities. DLL Search Order Hijacking and DLL side loading make it easier for an attacker to further hijack other DLLs. Lolbins have a disproportionately high usage by Advanced Persistent Threats (APTs).

Lolbin Examples:

  • Presentation Host: Executes XAML Browser Application (XBAP) files and can therefore be used to execute a malicious XBAP file.
  • Rundll32.exe: Used by Windows to execute DLL files. Can be used for attacks including Pass-Thru Command Execution and Lateral Movement.
  • Certutil: Used for certificate handling. Used in the Kaseya Ransomware Attack.

Examples of lolbin attacks

  • Kaseya Ransomware Attack (REvil): The legitimate Certutil.exe binary was used to launch the ransomware.
  • WastedLocker Ransomware: Rundll32.exe was used in the WastedLocker Ransomware Attack.
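
Because these binaries are legitimate, detection has to look at how they are launched rather than at the file itself. The sketch below is an added example, not part of the original article: it triages process-creation events for the three binaries listed above. The field names follow Sysmon Event ID 1, and the heuristics, parent list and sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Binaries named in this article; extend from the LOLBAS project list as needed.
WATCHLIST = {"presentationhost.exe", "rundll32.exe", "certutil.exe"}
# Assumed heuristic: parents that rarely have a reason to launch these tools.
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
URL = re.compile(r"https?://", re.I)

def triage(event):
    """Return the reasons a process-creation event deserves analyst review."""
    image = PureWindowsPath(event["Image"])
    name = image.name.lower()
    if name not in WATCHLIST:
        return []
    cmd = event.get("CommandLine", "")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    reasons = []
    if str(image.parent).lower() not in SYSTEM_DIRS:
        reasons.append("lolbin name outside system directory")
    if parent in ODD_PARENTS:
        reasons.append(f"unusual parent {parent}")
    if URL.search(cmd):
        reasons.append("URL on command line")
    if name == "rundll32.exe" and USER_WRITABLE.search(cmd):
        reasons.append("DLL loaded from user-writable path")
    return reasons

def review(events):
    """Map event index -> reasons, keeping only events that raised a flag."""
    return {i: r for i, e in enumerate(events) if (r := triage(e))}

SYS, EXPLORER = r"C:\Windows\System32", r"C:\Windows\explorer.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
# Constructed sample events; "<args>" stands in for elided arguments.
SAMPLE_EVENTS = [
    {"Image": SYS + r"\certutil.exe", "ParentImage": SYS + r"\cmd.exe",
     "CommandLine": r"certutil.exe -dump C:\certs\server.cer"},
    {"Image": SYS + r"\certutil.exe", "ParentImage": WORD,
     "CommandLine": "certutil.exe <args> http://files.example.invalid/update.bin"},
    {"Image": SYS + r"\rundll32.exe", "ParentImage": EXPLORER,
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\x.dll,Entry"},
    {"Image": r"C:\Users\alice\Downloads\certutil.exe", "ParentImage": EXPLORER,
     "CommandLine": "certutil.exe"},
    {"Image": SYS + r"\notepad.exe", "ParentImage": EXPLORER, "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, reasons in review(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], reasons)
```

A hit is a prompt for review, not a verdict: administrators run these tools legitimately, so tune the parent list and paths against a baseline of normal activity.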

Also called:

  • Live off the Land Binary
  • Living off the Land Binary
  • LotlBin
  • Lolbin

See also:

For a community-maintained list of examples, see the LOLBAS GitHub project.

Agreed upon as an official term alongside LOLScripts in 2018.



Stellastra The Cyber Security Comparison Platform
