Name: Hunting For Living Off The Land Binaries
Author: mukul975

Hunting for Living-off-the-Land Binaries (LOLBins)

Define Hunt Hypothesis: Formulate a hypothesis based on threat intel (e.g., &quot;Adversaries are using certutil.exe to download second-stage payloads from external domains&quot;).
Identify Target LOLBins: Select specific binaries from the LOLBAS Project database to hunt for, prioritizing those matching current threat landscape (certutil, mshta, rundll32, regsvr32, msiexec, wmic, cmstp, bitsadmin).
Collect Process Telemetry: Query EDR or SIEM for process creation events involving target LOLBins with unusual command-line arguments, parent processes, or execution contexts.
Baseline Normal Behavior: Establish what legitimate usage looks like for each LOLBin in your environment by analyzing historical frequency, typical parent processes, and standard arguments.
Identify Anomalies: Compare current telemetry against baselines, flagging executions with network connections, encoded commands, unusual file paths, or abnormal parent-child process chains.
Correlate and Enrich: Cross-reference anomalous LOLBin activity with network logs, DNS queries, file creation events, and threat intelligence feeds.
Document and Report: Record findings, update detection rules, and create IOC lists for identified malicious LOLBin usage.

When to Use

Access to EDR telemetry (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne)
SIEM with process creation logs (Sysmon Event ID 1, Windows Security 4688)
Familiarity with LOLBAS Project (lolbas-project.github.io) reference list
PowerShell command-line logging enabled (Module Logging, Script Block Logging)
Network proxy or firewall logs for correlating outbound connections

Access to EDR telemetry (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne)
SIEM with process creation logs (Sysmon Event ID 1, Windows Security 4688)
Familiarity with LOLBAS Project (lolbas-project.github.io) reference list
PowerShell command-line logging enabled (Module Logging, Script Block Logging)
Network proxy or firewall logs for correlating outbound connections

Concept	Description
LOLBin	Legitimate OS binary abused by attackers for malicious purposes
LOLBAS Project	Community-curated list of Windows LOLBins, LOLLibs, and LOLScripts
T1218	MITRE ATT&CK - Signed Binary Proxy Execution
T1218.001	Compiled HTML File (mshta.exe)
T1218.002	Control Panel (control.exe)
T1218.003	CMSTP
T1218.005	Mshta
T1218.010	Regsvr32
T1218.011	Rundll32
T1197	BITS Jobs (bitsadmin.exe)
T1140	Deobfuscate/Decode Files (certutil.exe)
Proxy Execution	Using trusted binaries to execute untrusted code
Fileless Attack	Attack that operates primarily in memory without dropping files

Tool	Purpose
CrowdStrike Falcon	EDR telemetry and process tree analysis
Microsoft Defender for Endpoint	Advanced hunting with KQL queries
Splunk	SIEM log aggregation and SPL queries
Elastic Security	Detection rules and timeline investigation
Sysmon	Detailed process creation and network logging
LOLBAS Project	Reference database of LOLBin capabilities
Sigma Rules	Generic detection rule format for LOLBins
Velociraptor	Endpoint forensic collection and hunting