hunting-for-lolbins-execution-in-endpoint-logs

# Hunting for LOLBins Execution in Endpoint Logs ## When to Use - When hunting for fileless attack techniques that abuse built-in Windows binaries - After threat intelligence indicates LOLBin-based campaigns targeting your industry - When investigating alerts for suspicious use of certutil, mshta, rundll32, or regsvr32 - During purple team exercises testing detection of defense evasion techniques - When assessing endpoint detection coverage for MITRE ATT&CK T1218 sub-techniques ## Prerequisites - Sysmon Event ID 1 (Process Creation) with full command-line logging - Windows Security Event ID 4688 with command-line auditing enabled - EDR telemetry with parent-child process relationships - SIEM platform for query and correlation (Splunk, Elastic, Microsoft Sentinel) - LOLBAS project reference (lolbas-project.github.io) for known abuse patterns ## Workflow 1. **Build LOLBin Watchlist**: Compile a list of high-risk LOLBins from the LOLBAS project, prioritizing: certutil.exe, mshta.exe, rundll32.exe, regsvr32.exe, msbuild.exe, installutil.exe, cmstp.exe, wmic.exe, wscript.exe, cscript.exe, bitsadmin.exe, and powershell.exe. 2. **Baseline Normal Usage**: Establish what normal LOLBin usage looks like in your environment by profiling command-line arguments, parent processes, and user contexts for each binary over 30 days. 3. **Hunt for Anomalous Arguments**: Search for LOLBins executed with unusual command-line arguments indicating abuse -- certutil with `-urlcache -decode -enco...