LOLBAS Categories
Interactive reference of Living Off the Land Binaries and Scripts categories. Browse built-in Windows tools abused for execution, persistence, lateral movement, and defense evasion, organized by ATT&CK tactic.
Native Windows Utilities
powershell.exe: Scripting engine with .NET Framework access (T1059.001)
wmic.exe: Windows Management Instrumentation CLI (T1047)
certutil.exe: Certificate utility with download capabilities (T1105)
bitsadmin.exe: Background Intelligent Transfer Service admin (T1197)
regsvr32.exe: DLL registration and execution utility (T1218.010)
rundll32.exe: DLL function launcher (T1218.011)
Administration Tools
psexec.exe: Sysinternals remote execution tool (T1569.002)
winrm: PowerShell remoting framework (T1021.006)
schtasks.exe: Scheduled task manager (T1053.005)
sc.exe: Service control manager (T1569.002)
net.exe: Network administration utility (T1070)
Development Tools
msbuild.exe: Microsoft Build Engine (.NET compiler) (T1127.001)
csc.exe: C# compiler
installutil.exe: .NET installer utility (T1218.004)
regasm.exe: .NET assembly registration (T1218.009)
Execution & Persistence Abuse
COM Hijacking: Abusing per-user registration and elevated CLSIDs (T1546.015)
DLL Side-Loading: Leveraging signed OS binaries to load custom DLLs (T1574.002)
mshta.exe: HTML Application host (T1218.005)
Detection Challenge
Because these are legitimate tools carrying Microsoft signatures, abuse of them is difficult to catch with signature-based detection. Behavioral analysis and baseline deviation are critical.