LOLbins

Created the Saturday 23 March 2019. Updated 6 months, 2 weeks ago.

A lolbin (short for "Living Off the Land Binaries") is a legitimate Windows utility that can be used by adversaries to execute arbitrary commands. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, the Program Compatibility Assistant (pcalua.exe) and components of the Windows Subsystem for Linux (WSL) are examples of lolbins that can be used for this purpose.

Adversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd.

Technique Identifier

U1004

Technique Tags

lolbin Windows utilities execute commands Program Compatibility Assistant (pcalua.exe) Windows Subsystem for Linux (WSL) Command-Line Interface

Code Snippets

Description

The pcalua.exe utilities is used to execute a malicious PowerShell script (.ps1) .

C:\> pcalua.exe -run "C:\malicious-script.ps1"

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.