A Live off the Land Binary, or Lolbin, is a legitimate system binary, such as a DLL, that ships with Windows operating systems and that an attacker can leverage in attacks such as a fileless malware attack. The Lolbin definition may also include legitimate, signed administration tools that are not pre-installed but can be downloaded from official Windows sources, for example PsExec.
Thousands of DLLs come pre-installed with Windows and form a shared pool of resources used for legitimate purposes, designed to lower Windows program size (DLLs account for several GBs of Windows installs) and to avoid re-inventing the wheel. With so many DLLs, there is a risk of misuse through known and unknown vulnerabilities. DLL Search Order Hijacking and DLL side loading make it easier for an attacker to further hijack other DLLs. Lolbins have a disproportionately high usage by Advanced Persistent Threats (APTs).
- Live off the Land Binary
- Living off the Land Binary
For a community-maintained list of examples, see the LOLBAS GitHub project.