To fulfill the needs of system administrators and power users, for decades Microsoft has been releasing Windows tools which provide high-level command line interfaces to interact with the system: execute scripts, change operating system and user settings, install programs, download or modify files.
Naturally, attackers have also adopted these easy-to-use, Microsoft-provided tools to both make malware development easier, and to bypass security mitigations.
Because such tools aim to provide the widest possible functionality to legitimate users, they often implement unexpected features. With a bit of creativity, these often-half-forgotten features can be used to download files or achieve code execution. Because the tools are signed by Microsoft, they also provide the attacker with a way to execute malicious code with Microsoft-signed binaries without code injection, defeating application whitelisting. The umbrella term for attack techniques using Microsoft-signed tools in such a way is often referred to as 'living Off the Land ' (LOL), and the binaries used in the technique as LOLBINs.
In this webcast: