{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lolbas/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike","SentinelOne Cloud Funnel","Sysmon","Windows Security Event Logs"],"_cs_severities":["medium"],"_cs_tags":["lolbas","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne","Elastic"],"content_html":"\u003cp\u003eThe Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. 
This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker copies cdb.exe to a non-standard location (outside \u0026ldquo;Program Files\u0026rdquo; and \u0026ldquo;Program Files (x86)\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe attacker executes cdb.exe with the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, or \u003ccode\u003e-pd\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eThese arguments are used to specify a command file or execute a direct command.\u003c/li\u003e\n\u003cli\u003eThe command file or command directly executes malicious code, such as shellcode.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs actions such as creating new processes, modifying files, or establishing network connections.\u003c/li\u003e\n\u003cli\u003eThese actions allow the attacker to maintain persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe ultimate goal is to evade defenses and execute arbitrary code on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. This can result in data theft, installation of malware, or further propagation within the network. 
The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Execution via Windows Command Debugging Utility\u0026rdquo; to your SIEM to detect suspicious cdb.exe executions (see rules section).\u003c/li\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent execution of cdb.exe from non-standard paths.\u003c/li\u003e\n\u003cli\u003eMonitor process command lines for the \u003ccode\u003e-cf\u003c/code\u003e, \u003ccode\u003e-c\u003c/code\u003e, and \u003ccode\u003e-pd\u003c/code\u003e flags when cdb.exe is executed.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of cdb.exe running from unusual directories to determine legitimacy.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2024-07-cdb-execution/","summary":"Adversaries can abuse the Windows command line debugging utility cdb.exe to execute commands or shellcode from non-standard paths, evading traditional security measures.","title":"Suspicious Execution via Windows Command Debugging Utility","url":"https://feed.craftedsignal.io/briefs/2024-07-cdb-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Auto Update Client"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","execution","lolbas","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers are abusing the Windows Update Auto Update Client (wuauclt.exe) to execute arbitrary code by loading malicious DLLs. 
This technique allows malicious actors to evade defenses by masquerading their activity as legitimate Windows processes. The abuse involves using specific command-line arguments with wuauclt.exe to load a DLL from a user-writable directory. This behavior has been observed in various attacks aimed at evading traditional security measures. This is an effective defense evasion and execution technique, allowing attackers to execute code while blending in with normal system processes, potentially bypassing application control and other security mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through an unrelated method.\u003c/li\u003e\n\u003cli\u003eThe attacker places a malicious DLL in a directory writable by standard users, such as \u003ccode\u003eC:\\Users\\\u0026lt;username\u0026gt;\\\u003c/code\u003e, \u003ccode\u003eC:\\ProgramData\\\u003c/code\u003e, \u003ccode\u003eC:\\Windows\\Temp\\\u003c/code\u003e, or \u003ccode\u003eC:\\Windows\\Tasks\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewuauclt.exe\u003c/code\u003e with the arguments \u003ccode\u003e/RunHandlerComServer\u003c/code\u003e and \u003ccode\u003e/UpdateDeploymentProvider\u003c/code\u003e along with the path to the malicious DLL. 
For example: \u003ccode\u003ewuauclt.exe /RunHandlerComServer /UpdateDeploymentProvider /dll:\u0026lt;path_to_malicious_dll\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ewuauclt.exe\u003c/code\u003e loads the specified malicious DLL.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the \u003ccode\u003ewuauclt.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe malicious code performs its intended actions, such as establishing persistence, communicating with a C2 server, or escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may then use the compromised system as a foothold for lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within a trusted Windows process, potentially bypassing security controls and making detection more difficult. While specific victim counts are unavailable, this technique can be used in targeted attacks against organizations where defense evasion is a priority for the adversary. 
Successful execution can lead to complete system compromise, data theft, or further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eImageLoad via Windows Update Auto Update Client\u003c/code\u003e to detect the execution of \u003ccode\u003ewuauclt.exe\u003c/code\u003e with suspicious arguments.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003ewuauclt.exe\u003c/code\u003e with the arguments \u003ccode\u003e/RunHandlerComServer\u003c/code\u003e and \u003ccode\u003e/UpdateDeploymentProvider\u003c/code\u003e, focusing on DLL paths in user-writable directories.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation and image-load logging to improve visibility into this type of attack.\u003c/li\u003e\n\u003cli\u003eAudit DLLs loaded by \u003ccode\u003ewuauclt.exe\u003c/code\u003e and investigate any unsigned or unexpected DLLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-04T12:00:00Z","date_published":"2024-01-04T12:00:00Z","id":"/briefs/2024-01-wuauclt-dll-load/","summary":"The Windows Update Auto Update Client (wuauclt.exe) is being abused to load arbitrary DLLs, a defense evasion technique where malicious activity blends with legitimate Windows software by using specific process arguments and placing DLLs in writable paths.","title":"Abuse of Windows Update Client for DLL Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-wuauclt-dll-load/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["low"],"_cs_tags":["execution","defense-evasion","windows","ping","lolbas"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. 
This delayed execution is often observed during malware installation and is consistent with an attacker attempting to evade detection. The adversary uses \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument from within a \u003ccode\u003ecmd.exe\u003c/code\u003e shell, and the parent process is running under a user context other than SYSTEM. The subsequent process is \u003ccode\u003ecmd.exe\u003c/code\u003e invoking a commonly abused utility, such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, or an executable from the user\u0026rsquo;s AppData directory without a valid code signature.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with an initial access vector (not specified in source).\u003c/li\u003e\n\u003cli\u003eThe adversary executes \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ecmd.exe\u003c/code\u003e spawns \u003ccode\u003eping.exe\u003c/code\u003e with the \u003ccode\u003e-n\u003c/code\u003e argument to introduce a delay, typically to evade detection (\u003ccode\u003eping.exe -n [number] 127.0.0.1\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAfter the delay introduced by \u003ccode\u003eping.exe\u003c/code\u003e, the same \u003ccode\u003ecmd.exe\u003c/code\u003e process executes a potentially malicious utility such as \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, or \u003ccode\u003eregsvr32.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, \u003ccode\u003ecmd.exe\u003c/code\u003e might execute a binary located within the user\u0026rsquo;s AppData directory that lacks a valid code 
signature.\u003c/li\u003e\n\u003cli\u003eThe malicious utility executes arbitrary commands or scripts, potentially downloading further payloads or modifying system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system, enabling further malicious activities such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to malware installation, system compromise, and data theft. While the source does not quantify the number of victims or specific sectors targeted, a successful compromise can lead to significant operational disruption and data breaches. The use of delayed execution makes it more difficult for traditional security solutions to detect malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Delayed Execution via Ping\u0026rdquo; to your SIEM to detect the execution of commonly abused Windows utilities via a delayed Ping execution.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring with command-line argument logging to capture the execution of \u003ccode\u003eping.exe\u003c/code\u003e and subsequent processes for analysis.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the rule.\u003c/li\u003e\n\u003cli\u003eReview and tune the provided Sigma rule, including the listed exclusions, to reduce false positives in your specific environment.\u003c/li\u003e\n\u003cli\u003eMonitor process execution from unusual locations like the AppData directory, especially for unsigned executables, as indicated in the rule\u0026rsquo;s detection 
logic.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-delayed-execution-via-ping/","summary":"Adversaries may use ping to delay execution of malicious commands, scripts, or binaries to evade detection, often observed during malware installation.","title":"Windows Delayed Execution via Ping Followed by Malicious Utilities","url":"https://feed.craftedsignal.io/briefs/2024-01-delayed-execution-via-ping/"}],"language":"en","title":"CraftedSignal Threat Feed — Lolbas","version":"https://jsonfeed.org/version/1.1"}