During an internal penetration test, you notice a threat actor using the built-in Windows tools "certutil.exe" and "rundll32.exe" to download and execute malicious code. No antivirus alerts were generated because both binaries are digitally signed by Microsoft and are commonly used by system administrators.
Which attack technique BEST describes the adversary's use of these trusted system executables to evade detection?
The technique is living off the land: the abuse of living-off-the-land binaries (LOLBins). Instead of introducing new malware, the attacker repurposes legitimate, signed utilities that the operating system and security controls inherently trust. Because these binaries blend in with normal administrative activity, signature-based and reputation-based defenses often overlook the malicious behavior. DLL sideloading, zero-day exploitation, and watering-hole attacks involve different mechanisms and do not rely on executing payloads through trusted native utilities.