


A Wolf in Sheep's Clothing: Dissecting Living off the Land Techniques

  • Thursday, June 11, 2020 at 10:30 AM EDT (2020-06-11 14:30:00 UTC)
  • Tamas Boczan, Jake Williams


  • VMRay




To fulfill the needs of system administrators and power users, for decades Microsoft has been releasing Windows tools which provide high-level command line interfaces to interact with the system: execute scripts, change operating system and user settings, install programs, download or modify files.

Naturally, attackers have also adopted these easy-to-use, Microsoft-provided tools, both to make malware development easier and to bypass security mitigations.

Because such tools aim to provide the widest possible functionality to legitimate users, they often implement unexpected features. With a bit of creativity, these often-half-forgotten features can be used to download files or achieve code execution. Because the tools are signed by Microsoft, they also give the attacker a way to execute malicious code with Microsoft-signed binaries without code injection, defeating application whitelisting. Attack techniques that use Microsoft-signed tools in this way are often referred to by the umbrella term Living Off the Land (LOL), and the binaries used in the technique as LOLBINs.

In this webcast:

  • Learn which LOLBINs are commonly used in the wild by malware,
  • See real-world examples of interesting LOL techniques,
  • Understand how to hunt for attacks using the technique and defend against them.

Speaker Bios

Jake Williams

Jake Williams is a SANS analyst, senior SANS instructor, course author and designer of several NetWars challenges for use in SANS' popular, "gamified" information security training suite. Jake spent more than a decade in information security roles at several government agencies, developing specialties in offensive forensics, malware development and digital counterespionage. Jake is the founder of Rendition InfoSec, which provides penetration testing, digital forensics and incident response, expertise in cloud data exfiltration, and the tools and guidance to secure client data against sophisticated, persistent attacks on-premises and in the cloud.

Tamas Boczan

Tamas is a Senior Threat Analyst at VMRay. He is responsible for finding and analyzing relevant malware samples and improving VMRay's detection capabilities. Prior to VMRay, Tamas researched evasive malware and developed a malware analysis sandbox at an Anti-Virus company.
