Living-off-the-Land (LOTL) verification

Attackers increasingly avoid malware and instead abuse legitimate binaries already on the system - the technique catalogued in GTFOBins (Unix) and LOLBAS (Windows). Because the tool itself is legitimate, the defender’s question flips from “is this file known-bad?” to:

“Is this certutil.exe / bash / python3 the genuine vendor binary - or a swapped, trojanized copy?”

HashWatch answers that with verified known-good hashes, through two complementary surfaces.

1. Catalogued tools with standalone releases — the dashboard

Products on the public dashboard whose binaries appear in GTFOBins/LOLBAS carry a LOTL chip - interpreters and dual-use tools such as Python, PowerShell, Node.js, PHP, Perl, Ruby, Vim, Nmap, curl, SQLite, 7-Zip, Git, OpenSSH for Windows, Docker, and kubectl. For these, HashWatch tracks the vendor’s official releases daily, so you can compare a suspect copy’s SHA-256 directly (dashboard, pull feeds, or the hashwatch CLI).

Some interpreters (PHP, Perl, Ruby, curl) only publish first-party binaries for Windows - their macOS/Linux builds ship through OS package managers and are covered by the lookup API below instead.

2. OS-shipped binaries — the lookup API

Most LOLBAS/GTFOBins entries ship inside the operating system (certutil.exe, mshta.exe, rundll32.exe, wmic.exe, /bin/bash, tar, awk, …). No vendor publishes per-file hashes for these, so they are covered by HashWatch’s BinTrust corpus - the NIST NSRL reference set (~72 million hashes) plus every vendor release HashWatch has ever recorded:

curl -s -X POST https://api.hashwatch.us/api/v1/intel/lookup \
  -H "X-API-Key: $HASHWATCH_API_KEY" -H "Content-Type: application/json" \
  -d '{"hashes":["<sha256-of-the-suspect-binary>"]}'

A known_vendor_release or known_file classification means the binary matches a catalogued legitimate build; unknown means it does not appear in any reference set - treat a supposed OS binary that returns unknown as suspect. Lookup requires a basic API key - see Tiers.

Triage workflow for an IR analyst

  1. Hash the suspect binary (sha256sum / Get-FileHash, or hashwatch verify <file>).
  2. Catalogued product with a LOTL chip? Compare against the dashboard/feed values.
  3. OS-shipped binary? Use POST /api/v1/intel/lookup against the BinTrust corpus.
  4. A mismatch or unknown on a binary claiming to be an OS/vendor file is a strong tamper/masquerading signal - escalate.
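The lookup call from section 2 and steps 1, 3 and 4 of the triage workflow, as one added Python script (example code, not part of HashWatch or its CLI). The endpoint, header and classification values are taken from the text above; the JSON shape of the response ({"results": [{"hash": ..., "classification": ...}]}) is an assumption made for illustration, as is the rule that a hash missing from the answer is treated like unknown.

```python
import hashlib
import json
import os
import sys
import urllib.request

LOOKUP_URL = "https://api.hashwatch.us/api/v1/intel/lookup"   # from the docs above
KNOWN = {"known_vendor_release", "known_file"}                  # classifications that mean "catalogued build"


def sha256_file(path):
    """Step 1: hash the suspect binary in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def lookup(hashes, api_key):
    """Step 3: same POST as the curl example, using only the standard library."""
    body = json.dumps({"hashes": hashes}).encode()
    req = urllib.request.Request(LOOKUP_URL, data=body, method="POST", headers={
        "X-API-Key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def verdicts(response, hashes):
    """Step 4: map each queried hash to ('ok'|'escalate', classification).
    ASSUMED response shape: {"results": [{"hash": "...", "classification": "..."}]}.
    A hash absent from the results is treated as 'unknown' (assumption), i.e. not in
    any reference set, which for a file claiming to be an OS/vendor binary is escalated."""
    seen = {r["hash"].lower(): r.get("classification", "unknown")
            for r in response.get("results", [])}
    out = {}
    for h in hashes:
        cls = seen.get(h.lower(), "unknown")
        out[h] = ("ok", cls) if cls in KNOWN else ("escalate", cls)
    return out


if __name__ == "__main__":
    # usage: HASHWATCH_API_KEY=... python triage.py /path/to/suspect.exe ...
    digests = {p: sha256_file(p) for p in sys.argv[1:]}
    result = verdicts(lookup(list(digests.values()), os.environ["HASHWATCH_API_KEY"]),
                      list(digests.values()))
    for path, d in digests.items():
        verdict, cls = result[d]
        print(f"{verdict:9} {cls:22} {d}  {path}")
```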