"Living off the Land" binaries (LoLBins) are legitimate binaries that are already present on a system and can be abused by attackers to perform malicious activities without needing to introduce external tools. On Windows, these are typically executable files, scripts, and system utilities that can be leveraged to execute commands, escalate privileges, or perform other actions typically associated with malware.

To find LoLBins on a Windows system, you can search for system binaries, tools, and scripts that are commonly used for malicious purposes. Below are some steps and techniques to identify and list these binaries:

1. Identifying Common LoLBins

Some common categories of LoLBins include:

2. Listing Binaries

You can use several methods to list known binaries that could be used as LoLBins. Here's how you can search for potential LoLBins on a Windows machine:

A. Using dir to Find Common Binaries

You can use dir to search for known LoLBins in directories like System32, SysWow64, and other common locations where executables reside.

dir C:\Windows\System32\*.exe /s /b
dir C:\Windows\SysWow64\*.exe /s /b
dir C:\Windows\*.exe /s /b

Look for executables that are often abused as LoLBins.

B. Using where to Find Executables in the PATH

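The where command locates executables by name. Without options it searches the directories included in the system's PATH; with /r it searches recursively from the directory you give it, as in the commands below. This is useful because these are the same tools malicious actors rely on, and a recursive search shows every copy on the disk, not just the one the PATH resolves to.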

where /r C:\ cmd.exe
where /r C:\ powershell.exe
where /r C:\ mshta.exe
where /r C:\ regsvr32.exe
where /r C:\ wmic.exe
where /r C:\ schtasks.exe

You can use where to search for specific LoLBins that might be used by attackers (e.g., mshta.exe, regsvr32.exe, bitsadmin.exe, cmd.exe, powershell.exe, etc.).
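
As an added example (not from the original page), the PowerShell script below combines the dir and where searches above: it looks for the binaries named on this page, records the signature status and SHA-256 of each copy, and marks copies found outside System32, SysWOW64 and WinSxS. The search roots, the list of expected directories and the helper name Test-ExpectedLocation are assumptions; adjust them for your environment.

```powershell
# Added example, not from the original page. Inventories the LoLBins the page
# names and flags copies found outside the standard Windows directories.
$names = 'cmd.exe', 'powershell.exe', 'mshta.exe', 'regsvr32.exe',
         'wmic.exe', 'schtasks.exe', 'bitsadmin.exe'

# Assumption: only these trees count as "expected" locations. WinSxS is the
# component store, which holds servicing copies of system binaries.
$expected = 'System32', 'SysWOW64', 'WinSxS' |
    ForEach-Object { (Join-Path $env:windir $_) + '\' }

# Assumption: search scope. Use 'C:\' for a full sweep (slow).
$searchRoots = $env:windir, $env:ProgramData, $env:USERPROFILE

# Hypothetical helper: true when a directory is inside one of the expected trees.
function Test-ExpectedLocation {
    param([string]$Directory)
    # Trailing separator stops 'System32' from matching e.g. 'System32x'.
    $dir = $Directory.TrimEnd('\') + '\'
    foreach ($prefix in $expected) {
        if ($dir.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$inventory = foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Include $names -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $_.FullName
                Expected  = Test-ExpectedLocation $_.DirectoryName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Copies outside the expected trees, or without a valid signature, sort first.
$inventory |
    Sort-Object Expected, @{ Expression = { $_.Signature -eq 'Valid' } }, Path |
    Format-Table Name, Expected, Signature, Path -AutoSize
```

A copy of one of these binaries in a user-writable directory, or one whose signature status is not Valid, is worth investigating; the SHA256 column in $inventory can be compared against a known-good baseline from a clean machine of the same build.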

C. Using PowerShell to Identify LoLBins