LOLBins, 'Living off the Land': how attackers use legitimate tools to stay under the radar

June 9, 2026

One of the golden rules for cybercriminals (and, on the good side, for pentesters and red teams) is to avoid having their exploits and tools detected by security systems, whether on the network or on individual endpoints.

While these systems are far from foolproof, they can ruin an engagement if they spot suspicious activity and raise an alert. As a pentester, it is always a blow to the ego when you get an email or a phone call telling you that you have been caught in the act, but that is simply part of the game.

At the end of the lifecycle of any malware sample, exploit or malicious tool, there is usually a "wanted poster" in the form of a signature, rule or pattern designed to detect it and trigger an alert. As a result, malware generally comes with an expiry date. Sooner or later it will be detected, and every deployment is another ticket towards ending up at the castle gates or in the crocodile pit.


Given this reality, someone eventually wondered why bother writing complex malware with rootkit capabilities if it is only going to be discovered a few days later. After all, what is that malware actually going to do? Search a machine for information and exfiltrate it? Steal tokens from domain administrator accounts? The obvious answer followed: why not simply use the tools that are already available on the system?

On the one hand, they are already allowlisted. On the other, you save yourself a significant amount of time developing an original tool that will eventually end up dissected in a YARA rule.

What are LOLBins (Living off the Land Binaries)?

These techniques were given a name, "Living off the Land", and the binaries involved became known as LOLBins (Living off the Land Binaries). The phrase can be understood as "living off whatever the land provides".

It is the military equivalent of being dropped alone in the wilderness and having to fend for yourself while making your way to a specific location dozens of kilometres away. A daunting yet rewarding challenge that teaches you how to achieve an objective with few resources, or none at all, and no tools beyond your own hands.

LOLBin techniques are a goldmine for cybercriminals, but they are also fertile ground for pentesters and researchers.

What may seem obvious and straightforward at first glance has become a treasure trove for cybercriminals, while also opening up a rich field of study for pentesters and researchers who use these techniques and tools ethically, but with the opposite objective.

As awareness of this reality has grown, various catalogues of these tools have emerged, classifying them according to use case, system location, techniques employed and more. They have become valuable reference resources that can be consulted and used depending on the environment and circumstances.

Let us take a look at some of them. Many are spin-offs of the original project and have chosen to specialise in a particular operating system or a specific area.

LOLBAS (Living off the Land Binaries): the leading LOLBins catalogue for Windows

URL: https://lolbas-project.github.io

You could say this is the original project. It currently contains around 200 entries covering binaries, scripts and libraries. It also offers a unique advantage by mapping each entry to its corresponding ATT&CK technique, a framework widely used for advanced threat modelling.

One of its most popular entries is Rundll32.exe, which loads a DLL (library) and calls a function it exports, effectively turning a library into something that can be run directly. It is one of the most widely used, ubiquitous and powerful tools found in Microsoft Windows, alongside the king of LOLBins: PowerShell.

Each entry includes additional information about how it can be used and the APT operations in which it has appeared. Combined with ATT&CK, it provides a highly informative overview.

Everything started with Microsoft Windows systems, but once the concept proved useful, the same approach was extended to other platforms. One example is the LOOBins project (Living off the Orchard), which focuses on Apple's operating system, macOS.

It is essentially the same concept as the original project, adapted for the operating system developed in Cupertino.

URL: https://www.loobins.io/binaries/

It even includes classifications based on the tactic involved, once again using ATT&CK.

GTFOBins: Living off the Land tools for Linux and UNIX systems

The same concept applies here, but with a focus on UNIX systems, particularly Linux. Since macOS is itself UNIX-based, this catalogue can also prove useful for Apple's operating system alongside the one mentioned above.

URL: https://gtfobins.github.io

It documents nearly 400 tools, a figure that reflects how much UNIX systems offer in this area. It is surprising to see how even unlikely candidates such as bc, the classic UNIX command-line calculator, can be put to use for these purposes.
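The defensive counterpart of these catalogues is to use them as watchlists. The following is an added example, not code from the article or from the LOLBAS or GTFOBins projects: it takes a tiny, hypothetical subset of those catalogues (Rundll32.exe and PowerShell from the Windows section above, bc from GTFOBins), maps each binary to the ATT&CK technique it is usually filed under, and runs constructed process-creation events through it. The log line format, the host names and the paths are all made up for the example; the point it makes is the one the article makes in reverse: because the binary itself is allowlisted, the only useful signal is context, here which parent process launched it.

```python
"""Flag launches of catalogued LOLBins in process-creation events.

Added example (not from the original article). Assumes a constructed,
simplified log line format:
    <timestamp> host=<name> image="<full path>" parent="<full path>"
"""
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical subset of the LOLBAS / GTFOBins catalogues: binary -> ATT&CK ID.
LOLBIN_CATALOGUE = {
    "rundll32.exe": "T1218.011",    # System Binary Proxy Execution: Rundll32
    "powershell.exe": "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "bc": "T1059.004",              # Command and Scripting Interpreter: Unix Shell
}

# Parents from which a LOLBin launch is unusual on an ordinary workstation.
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+image="(?P<image>[^"]*)"\s+parent="(?P<parent>[^"]*)"'
)


@dataclass
class Finding:
    host: str
    image: str
    parent: str
    technique: str
    severity: str
    reason: str


def basename(path: str) -> str:
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(line: str) -> Optional[Finding]:
    """Return a Finding if the event launches a catalogued LOLBin, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    image = basename(m["image"])
    parent = basename(m["parent"])
    technique = LOLBIN_CATALOGUE.get(image)
    if technique is None:
        return None
    # The binary is allowlisted by design, so the parent process supplies the
    # signal: a document or mail client spawning it is far more suspicious
    # than a shell or the desktop doing so.
    if parent in DOCUMENT_PARENTS:
        return Finding(m["host"], image, parent, technique, "high",
                       f"{image} spawned by document/mail application {parent}")
    return Finding(m["host"], image, parent, technique, "low",
                   f"catalogued LOLBin {image} executed from {parent}")


def scan(lines):
    """Run every line through analyse() and keep the hits."""
    return [f for f in map(analyse, lines) if f is not None]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'2026-06-09T10:02:11Z host=ws01 image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe"',
    r'2026-06-09T10:03:45Z host=ws01 image="C:\Windows\System32\rundll32.exe" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'2026-06-09T10:04:02Z host=ws02 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" parent="C:\Windows\explorer.exe"',
    r'2026-06-09T10:05:30Z host=srv03 image="/usr/bin/bc" parent="/bin/bash"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:4}] {f.host}: {f.reason} ({f.technique})")
```

Run as-is it reports three findings out of four events: svchost.exe is ignored, rundll32.exe launched by WINWORD.EXE is rated high, and the PowerShell and bc launches are rated low. The low-severity hits are deliberate: on their own they are normal administrative activity, and the value of a watchlist like this lies in correlating them with parent, user and network context rather than alerting on the binary name.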

These are the best known and most prominent examples, but the story does not end there. The idea of cataloguing items capable of flying under the radar of EDR (Endpoint Detection and Response) solutions has expanded to such an extent that there are now not only repositories dedicated to binaries, but also collections of domains that are commonly allowlisted and therefore unlikely to be blocked.

These services often allow files or text to be uploaded, which can subsequently be used either as download locations or, conversely, for data exfiltration.

One example is https://lots-project.com (Living off Trusted Sites).

Clear examples include docs.google.com and GitHub, services that are frequently used in phishing campaigns, malware distribution and similar activities.

Other catalogues focus on file extensions (yes, file extensions) at https://filesec.io, or on drivers at https://www.loldrivers.io

There are several others worth mentioning, such as APIs catalogued at https://malapi.io, or cheat sheets containing code snippets that can be used in Windows pentesting and, in particular, Active Directory environments: https://wadcoms.github.io

What is truly remarkable is that systems themselves contain an arsenal of tools available to an unauthorised user wandering around inside them. As we can see, achieving results does not require sophisticated or cutting-edge tools. With ingenuity and the knowledge contained in these repositories, an enormous range of techniques becomes available.

It is the classic principle of doing a great deal with very little:

What MacGyver could do with his small but legendary Swiss Army knife, in digital form.


Update: 06.9.2026