Living-off-the-Land (LOTL) verification#
Attackers increasingly avoid dropping malware and instead abuse legitimate binaries already on the system - the technique catalogued in GTFOBins (Unix) and LOLBAS (Windows). Because the tool itself is legitimate, the defender’s question flips from “is this file known-bad?” to: “Is this certutil.exe / bash / python3 the genuine vendor binary - or a swapped, trojanized copy?”
HashWatch answers that with verified known-good hashes, through two complementary surfaces.
1. Catalogued tools with standalone releases — the dashboard#
Products on the public dashboard whose binaries appear in GTFOBins/LOLBAS carry a LOTL chip - interpreters and dual-use tools such as Python, PowerShell, Node.js, PHP, Perl, Ruby, Vim, Nmap, curl, SQLite, 7-Zip, Git, OpenSSH for Windows, Docker, and kubectl. For these, HashWatch tracks the vendor’s official releases daily, so you can compare a suspect copy’s SHA-256 directly (dashboard, pull feeds, or the hashwatch CLI).
Some interpreters (PHP, Perl, Ruby, curl) only publish first-party binaries for Windows - their macOS/Linux builds ship through OS package managers and are covered by the lookup API below instead.
2. OS-shipped binaries — the lookup API#
Most LOLBAS/GTFOBins entries ship inside the operating system (certutil.exe, mshta.exe,
rundll32.exe, wmic.exe, /bin/bash, tar, awk, …). No vendor publishes per-file hashes
for these, so they are covered by HashWatch’s BinTrust corpus - the NIST NSRL reference set
(~72 million hashes) plus every vendor release HashWatch has ever recorded:
```bash
curl -s -X POST https://api.hashwatch.us/api/v1/intel/lookup \
  -H "X-API-Key: $HASHWATCH_API_KEY" -H "Content-Type: application/json" \
  -d '{"hashes":["<sha256-of-the-suspect-binary>"]}'
```

A known_vendor_release or known_file classification means the binary matches a catalogued legitimate build; unknown means it does not appear in any reference set - treat a supposed OS binary that returns unknown as suspect. Lookup requires a basic API key - see Tiers.
Triage workflow for an IR analyst#
- Hash the suspect binary (sha256sum / Get-FileHash, or hashwatch verify <file>).
- Catalogued product with a LOTL chip? Compare against the dashboard/feed values.
- OS-shipped binary? Use POST /api/v1/intel/lookup against the BinTrust corpus.
- A mismatch or unknown on a binary claiming to be an OS/vendor file is a strong tamper/masquerading signal - escalate.
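The triage workflow above, together with the lookup call from the previous section, as one added end-to-end script. This is example code written for this page, not HashWatch's own client or the hashwatch CLI. The endpoint, the X-API-Key header and the {"hashes": [...]} body are the ones shown in the curl call; the JSON layout of the reply is not documented on this page, so parse_lookup_response() assumes a {"results": [{"hash": ..., "classification": ...}]} shape and must be adapted to the real API. The file contents and the API reply used by demo() are constructed so the script runs offline.

```python
import hashlib
import json
import os
import tempfile
import urllib.request

LOOKUP_URL = "https://api.hashwatch.us/api/v1/intel/lookup"  # endpoint from the curl call above
TRUSTED = frozenset({"known_vendor_release", "known_file"})  # classifications the page names


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Step 1: hash the suspect binary in chunks (equivalent of sha256sum / Get-FileHash)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_lookup_request(hashes, api_key):
    """Same request the curl one-liner sends: JSON body {"hashes": [...]} plus X-API-Key."""
    body = json.dumps({"hashes": sorted({h.lower() for h in hashes})}).encode()
    return urllib.request.Request(
        LOOKUP_URL, data=body, method="POST",
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
    )


def parse_lookup_response(raw):
    """ASSUMPTION (not documented on the page): the reply is JSON shaped
    {"results": [{"hash": "<sha256>", "classification": "<known_vendor_release|known_file|unknown>"}]}.
    Adapt this one function to the real layout. Hashes the server omits count as unknown."""
    data = json.loads(raw)
    return {e["hash"].lower(): e.get("classification", "unknown") for e in data.get("results", [])}


def lookup(hashes, api_key, opener=urllib.request.urlopen):
    """Live call against the BinTrust corpus (needs a basic-tier key). `opener` is
    injectable so the workflow can be exercised offline, as demo() does below."""
    with opener(build_lookup_request(hashes, api_key), timeout=30) as resp:
        return parse_lookup_response(resp.read())


def triage_os_binary(suspect_hash, classifications):
    """Steps 3/4: a binary claiming to be OS-shipped must be known to the corpus."""
    cls = classifications.get(suspect_hash.lower(), "unknown")
    return ("ok", cls) if cls in TRUSTED else ("escalate", cls)


def triage_catalogued(suspect_hash, release_hashes):
    """Steps 2/4: a catalogued product (LOTL chip) must match a tracked vendor release hash."""
    if suspect_hash.lower() in {h.lower() for h in release_hashes}:
        return ("ok", "matches vendor release")
    return ("escalate", "no vendor release with this hash")


class _CannedResponse:
    """Stand-in for the response object urlopen() returns; used only by demo()."""
    def __init__(self, payload):
        self._payload = payload
    def read(self):
        return self._payload
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


def demo():
    """Offline walk-through: a constructed 'suspect' file plus a constructed API reply in
    which the corpus has never seen its hash, so the workflow must escalate."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"MZ\x90\x00 constructed stand-in for a tampered certutil.exe")  # constructed
        path = tmp.name
    try:
        h = sha256_file(path)
    finally:
        os.unlink(path)
    canned = json.dumps({"results": [{"hash": h, "classification": "unknown"}]}).encode()
    classes = lookup([h], "dummy-key", opener=lambda req, timeout: _CannedResponse(canned))
    return triage_os_binary(h, classes)


if __name__ == "__main__":
    print(demo())  # ('escalate', 'unknown')
```

For a real run, replace the canned opener with the default urllib opener and pass the key from HASHWATCH_API_KEY; batching several hashes into one request is the intended use of the list body. The lowercasing on both sides matters because Get-FileHash emits uppercase hex while sha256sum emits lowercase, and a case mismatch would otherwise look like an unknown binary.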