Which example illustrates the use of a LOLbin to evade detection while moving laterally within a Windows environment?

Study for the Penetration Testing and Vulnerability Analysis Exam.

Multiple Choice


Explanation:
Living-off-the-land binaries (LOLBins) are built-in Windows tools that attackers reuse to blend in and avoid detections that look for unfamiliar programs. Using net.exe to create or manage a local user account is a classic example. net.exe is a legitimate system utility, so creating a new local administrator account with it leverages trusted tooling to gain high privileges on the compromised host. Once those privileges are in place, the attacker can authenticate to another system and move laterally, often using the same built-in capabilities to establish connections or execute remote actions. This combination of a trusted, preinstalled tool plus privilege escalation on one host to enable access to others demonstrates how LOLBins facilitate stealthy traversal through a Windows environment. The other options describe actions that don't leverage a built-in Windows tool for lateral movement (external malware, in-memory frameworks, or defensive changes), so they don't illustrate LOLBin-based evasion and lateral movement in the same way.

