1. Introduction
When attackers compromise a Windows system, they don’t always drop flashy malware. Instead, they often live off the land by abusing built-in Windows tools that administrators themselves rely on. These tools, known as LOLBins (Living-Off-the-Land Binaries), are signed by Microsoft and trusted by the OS. Because of this, their misuse often slips past antivirus and security defenses.
In this post, we’ll explore what LOLBins are, why they are stealthy, and walk through a hands-on lab where a simple DLL is executed using the LOLBin rundll32.exe
. Finally, we’ll flip perspectives to the defender’s side and see how Sysmon logs reveal the tell-tale signs of abuse.
2. What are LOLBins?
LOLBins are legitimate executables and scripts that come pre-installed with operating systems (like Windows). Attackers can abuse them to perform malicious actions without dropping custom malware.
Examples:
-
rundll32.exe
-
certutil.exe
-
powershell.exe
-
mshta.exe
Since they are signed by Microsoft and widely used for admin tasks, their execution often bypasses security controls and raises less suspicion.
👉 How attackers use LOLBins:
- Downloading payloads
- Executing arbitrary code
- Lateral movement
- Data exfiltration
👉 How defenders detect misuse:
- Monitor unusual command-line arguments
- Trace parent-child process relationships
- Analyze telemetry from Sysmon or EDR tools
3. Why are LOLBins Stealthy?
LOLBins are stealthy because:
- They are trusted, signed binaries already present in Windows.
- They allow attackers to avoid dropping new executables (lowers AV detection risk).
- They can proxy malicious commands through normal admin utilities (e.g.,
certutil
for downloads,rundll32
for DLL execution). - Their execution blends in with normal system/admin behavior.
- They often run with inherited or elevated privileges, giving attackers powerful access while appearing benign.
4. Lab Setup
4.1 Basic Windows-Only Setup
In this setup, I created a .dll
file locally and executed it with rundll32.exe
.
- The
Hello.dll
file is harmless and only pops up a message box. - But an attacker could replace it with malicious code.
What happened?
- I compiled a DLL with an exported function.
- Used
rundll32.exe
to execute it. - Proof: the pop-up “Hello from rundll32”.
Why rundll32.exe
?
- Built-in LOLBin, signed by Microsoft
- Loads and executes arbitrary DLLs
- Can bypass application whitelisting controls
👉 Significance: even though the message box is harmless, the same method could load a Cobalt Strike beacon, keylogger, or ransomware.
4.2 Advanced: Kali + Windows Setup
Here I simulated a more realistic attacker scenario using Kali + Windows.
- Attempted to download
Hello.dll
from Kali to Windows usingcertutil
. - WSC blocked the download.
- Switched to PowerShell
Invoke-WebRequest
and successfully downloaded it. - Executed DLL using
rundll32.exe
.
4.3 Blue-Team Activities
Sysmon Event ID 1 (Process Creation) revealed the suspicious process:
-
CommandLine
→ showsrundll32.exe
loading a DLL from Desktop (unusual). -
ParentProcess
→cmd.exe
, confirming it was manually launched. -
User
&IntegrityLevel
→ shows who executed it and privilege level. -
Hashes
→ defenders can track the specific DLL in the future.
Key Fields to Watch in Event ID 1:
-
Image →
C:\Windows\System32\rundll32.exe
-
CommandLine →
rundll32.exe C:\Users\testuser1\Desktop\Hello.dll,HelloExport
(suspicious location) -
CurrentDirectory →
C:\Users\testuser1\Desktop\
(should normally beSystem32
) -
User →
ANNU\testuser1
-
ParentImage →
cmd.exe
(manual execution chain) - Hashes → unique fingerprint (can be checked in VirusTotal)
-
IntegrityLevel →
High
(ran with elevated permissions)
5. Conclusion
LOLBins highlight a critical reality in modern security: attackers don’t always need to bring their own tools. By abusing trusted binaries like rundll32.exe
, they can execute arbitrary code, evade detection, and blend into normal activity.
Even a harmless “Hello World” DLL shows how dangerous this technique can be if swapped for real malware.
👉 For defenders: monitor command-line arguments, parent-child processes, and execution paths (like DLLs from user directories). Understanding these abuse cases helps red teams demonstrate risk and blue teams detect attacks.
Top comments (0)