
What are Living-off-the-Land Binaries (LOLBins)?

Living-off-the-Land Binaries (LOLBins) are legitimate system tools and executables—already present in operating systems like Windows or Linux—that attackers abuse to carry out malicious actions without using traditional malware. These tools include binaries like PowerShell, cmd.exe, wscript.exe, and rundll32.exe.

Because LOLBins are signed, trusted, and essential for normal operations, their use doesn’t usually trigger security alerts. Attackers leverage them to download payloads, exfiltrate data, move laterally, or escalate privileges, all while staying under the radar.

This technique is part of a broader trend called Living off the Land (LotL), where attackers use built-in tools to avoid detection and blend in with normal activity.
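Because the binary itself is trusted, defenders usually judge the context of the launch rather than the file name. The sketch below is an added example, not part of the original article: it triages process-creation events for the four binaries named above, and the parent-process list, the command-line patterns and the sample events are illustrative assumptions constructed for this example.

```python
import re
from pathlib import PureWindowsPath

# Binaries named in the article above.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "rundll32.exe"}

# Assumption (not from the article): parents that rarely have a legitimate
# reason to start a shell or script host.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

# Assumption: command-line traits that warrant review on these binaries.
CMDLINE_SIGNALS = {
    "remote_url": re.compile(r"https?://", re.I),
    "encoded_command": re.compile(r"\s-enc(odedcommand)?\b", re.I),
}


def base_name(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def triage(event):
    """Return the reasons a process-creation event deserves review ([] if none)."""
    if base_name(event["Image"]) not in LOLBINS:
        return []
    reasons = []
    parent = base_name(event["ParentImage"])
    if parent in UNUSUAL_PARENTS:
        reasons.append(f"unusual_parent:{parent}")
    for label, pattern in CMDLINE_SIGNALS.items():
        if pattern.search(event["CommandLine"]):
            reasons.append(label)
    return reasons


# Constructed sample events (field names follow Sysmon process-creation logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
    {"Image": PS, "ParentImage": r"C:\Program Files\Office\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand <placeholder>"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Office\OUTLOOK.EXE",
     "CommandLine": r"wscript.exe C:\Users\alice\Temp\invoice.js"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(base_name(ev["Image"]), "<-", base_name(ev["ParentImage"]), triage(ev))
```

The first event (an administrator's scheduled script started from the desktop shell) returns no reasons, while the same signed binary started by a document editor is flagged, which is the distinction a name-based allowlist cannot make.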

 
