A Living off the Land Binary, or a Lolbin, is a legitimate system binary such as a DLL that comes shipped with Windows operating systems that an attacker can leverage in attacks such as a fileless malware attack. The Lolbin definition may also include legitimate and signed administration tools.^[0] For example, PsExec.^[1]

Lolbin Definition and Meaning

Thousands of DLLs come pre-installed with Windows, and are a shared pool of resources used for legitimate purposes, designed to lower Windows program size (DLLs account for several GBs of Windows installs) and to avoid re-inventing the wheel. With so many DLLs there is a risk of misuse from known and unknown vulnerabilities. DLL Search Order Hijacking and DLL side loading^[2] makes it easier for an attack to further hijack other DLLs. Lolbins have a disproportinately high usage by Advaned Persistent Threats (APTs).^[0]

Lolbin Examples:

• Presentation Host: Executes XAML Browser Application (XBAP) files, can therefore be used to execute a malicious XBAP file.^[3]
• Rundll32.exe: Used by Windows to execute DLL files. Can be used for attacks including Pass-Thru Command Execution and Lateral Movement.^[4]
• Certutil: Used for certificate handling. Used in the Kaseya Ransomware Attack.^[5]

Examples of lolbin attacks

• Kaseya Ransomware Attack (REvil): The legitimate Certutil.exe binary was used to launch the ransomware.^[5]
• WastedLocker Ransomware: Rundll32.exe was used in the WastedLocker Ransomware Attack.^[6]

Also called:

• Live off the Land Binary
• Living off the Land Binary
• LotlBin
• Lolbin

See also:

• Lollib
• Lolscript
• Fileless Malware
• Living off the Land Attack

For a community-maintained list of examples, see the Lolbas Github project.

Agreed upon as an official term alongisde LOLScripts in 2018.^[7]

---

Share this article