{
	"id": "da52fe25-23b6-47bc-9e35-39dfb0137a99",
	"created_at": "2026-04-06T00:13:24.768848Z",
	"updated_at": "2026-04-10T13:12:54.914293Z",
	"deleted_at": null,
	"sha1_hash": "25474e991f432f80af981271d3b1aa741709b421",
	"title": "Understanding the Risks of LOLBAS in Security - Pentera",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47575,
	"plain_text": "Understanding the Risks of LOLBAS in Security - Pentera\r\nBy Nir Chako\r\nArchived: 2026-04-05 15:54:11 UTC\r\nLiving Off the Land Binaries and Scripts (LOLBAS) represent a stealthy and growing threat in cybersecurity.\r\nBy using trusted system utilities for malicious purposes, LOLBAS exploits challenge security teams, making it\r\nharder to detect and mitigate these advanced attack methods. This makes it hard for security teams to distinguish\r\nbetween legitimate and malicious activities, since they are all performed by trusted system utilities. Since\r\nLOLBAS are one of the growing trends in cyber-security attacks and they are also very hard for security solutions\r\nto detect, we set out to find new official LOLBAS. In this blog post, we’ll show how we found 12 new LOLBAS\r\nthat security professionals should protect against. To read a more in-depth explanation of the process, as well as\r\nour proposed framework for LOLBAS identification, you can read the entire research paper here.\r\nDiscovering New LOLBAS Threats: Step-by-Step\r\nOn our quest to find new LOLBAS, we started by using Oddvar Moe’s approach. Oddvar is the founder of the\r\nofficial open-source LOLBAS project. He suggests a two-step process:\r\n1. List all the binaries.\r\n2. Try them one by one.\r\nSo that’s what we did, starting specifically by looking for new LOLBAS downloaders from the Microsoft Office\r\nsuite.\r\nStep 1: The Manual Approach\r\n1. We listed all the binaries in the Office suite installation folder.\r\n2. We tried to run the executables with a URL to download a file from as the argument.\r\n3. We initiated an HTTP server that would give an indication of a successful download attempt.\r\nThis manual process highlights how effective LOLBAS can be in evading detection by using trusted binaries.\r\nEach time we executed a binary with a URL as the argument, we waited for a GET request in the HTTP server,\r\nwhich means that the triggered binary wanted to GET something from the HTTP server, i.e. it was trying to download a\r\nfile. After finding the LOLBAS download trigger, it’s easy to find the location of the downloaded files by tracking\r\nthe downloader with ProcMon.\r\nWithin two hours, we found three (!) new LOLBAS downloaders from the Microsoft Office suite.\r\nhttps://pentera.io/blog/the-lol-isnt-so-funny-when-it-bites-you-in-the-bas/\r\nPage 1 of 3\n\nStep 2: The Automated Approach\r\nSince Windows OS contains more than 3,000 executable files, running them manually is not a practical approach.\r\nTherefore, we decided to build an automated solution. The automated solution needs to list all the binaries, and\r\nthen go over them one by one and try to trigger a potential downloader. To do so, we ran the simplest command\r\nstructure that could initiate a download from an HTTP server. Its structure includes only two parts:\r\nThe path of the potential downloader\r\nA URL to download the file from\r\nThe code itself looks something like this:\r\nThen, the tool needs to receive feedback on the download attempt. This part includes an HTTP server, like the one\r\nwe used in the manual approach. The HTTP server log records provide an indication of the file download\r\nattempt.\r\nUsing this automated method, we managed to find six more downloaders. All in all, we discovered nine new\r\ndownloaders. That’s almost a 30% increase in the official LOLBAS downloaders list!\r\nStep 3: Finding LOLBAS Executors\r\nWe were so excited about our findings that we decided to continue to find new LOLBAS with other\r\nfunctionalities. 
This time, we focused on LOLBAS executors. In a complete attack chain, a hacker will use a\r\nLOLBAS downloader to download more robust malware. Then, they will try to execute it. LOLBAS executors\r\nallow attackers to execute their malicious tools as part of a seemingly legitimate-looking process tree on the\r\nsystem. Just like before, we started by iterating over all the binary files on the system, trying to execute a\r\n“FILE_TO_EXECUTE” by passing it as an argument of the executor.\r\nThen, we added CLI execution flags using hyphen, dash and slash, while iterating over all the ABC letters\r\n(lowercase and uppercase). We added these because using different flags affects the execution flow of the\r\nprogram. See examples below:\r\nYou might notice there is no HTTP server as an indicator of a trigger. In this scenario, our feedback is based on the\r\nway that the operating system manages the process tree. For example, if we run Notepad from cmd, we can\r\nlook up the process parent and get a clear indication of the executor by its name. To implement this logic in our\r\nresearch, we developed a helper with the task of finding the name of its process parent and writing it to a log file,\r\nif it was executed. This enabled us to get our much-needed indication of the test file execution by the executor.\r\nWe managed to find three new executors by using this approach! SCP, sftp and our beloved MsoHtmEd. Sftp was\r\nfound as an executor with the ‘-D’ flag.\r\nAfterwards, we tried reversing the process and found out that the usage of -D leads to the use of the CreateProcess\r\nAPI, which is the Windows API call for running a new process. In our case, it ran the Exe helper. 
In potential\r\nfuture cases, it might execute malware as part of a cyber attack campaign.\r\nUnderstanding how LOLBAS executors function is crucial for identifying potential vulnerabilities in your system.\r\nKey Takeaways for Defending Against LOLBAS for Red Teamers, Blue Teamers \u0026\r\nResearchers\r\nPrior knowledge about LOLBAS tactics can help organizations proactively strengthen their defenses. Let’s not\r\nwait to hear about an unknown LOLBAS taking part in the next cyber attack campaign. Prior knowledge about\r\nthese threats can help organizations effectively boost their security measures and mitigate potential risks. We hope\r\nour research and our findings help Red/Blue Teamers and Security Researchers protect against existing LOLBAS\r\nand discover new ones. One last thing before we go. The official LOLBAS project has criteria that dictate that a\r\nLOLBAS must be either a Microsoft-signed file that is native to the OS or downloaded directly from Microsoft.\r\nBut theoretically, attackers could use other platforms, like Zoom, Slack or PyCharm, as downloaders and\r\nexecutors. Just something for you to think about…\r\nLiving Off the Land Binaries and Scripts (LOLBAS): A Persistent Challenge\r\nLiving Off the Land Binaries and Scripts (LOLBAS) remain a stealthy attack method, leveraging native tools to\r\nbypass traditional detection mechanisms. These tactics are particularly challenging for security solutions because\r\nthey exploit trusted system utilities. Proactively identifying threats from these native tools can significantly\r\nenhance resilience. For example, organizations focusing on ransomware readiness assessments can uncover\r\nhidden exposures that LOLBAS might exploit. Similarly, a deeper dive into the trends from the Verizon 2024\r\nDBIR highlights how enhancing visibility into LOLBAS-related activity is critical for modern threat detection and\r\nmitigation strategies. 
To read more information about how we found these LOLBAS, as well as our proposed\r\nframework for security professionals for finding new LOLBAS, read the complete research paper here.\r\nSource: https://pentera.io/blog/the-lol-isnt-so-funny-when-it-bites-you-in-the-bas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://pentera.io/blog/the-lol-isnt-so-funny-when-it-bites-you-in-the-bas/"
	],
	"report_names": [
		"the-lol-isnt-so-funny-when-it-bites-you-in-the-bas"
	],
	"threat_actors": [],
	"ts_created_at": 1775434404,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25474e991f432f80af981271d3b1aa741709b421.pdf",
		"text": "https://archive.orkl.eu/25474e991f432f80af981271d3b1aa741709b421.txt",
		"img": "https://archive.orkl.eu/25474e991f432f80af981271d3b1aa741709b421.jpg"
	}
}