Lolbas — CraftedSignal Threat Feed

Suspicious Execution via Windows Command Debugging Utility

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

The Windows command line debugging utility, cdb.exe, is a legitimate tool used for debugging applications. However, adversaries can exploit it to execute unauthorized commands or shellcode, bypassing security measures. This can be achieved by running cdb.exe from non-standard installation paths and using specific command-line arguments to execute malicious commands. The LOLBAS project documents this technique, highlighting its potential for defense evasion. This activity has been observed across various environments, necessitating detection strategies that focus on identifying anomalous executions of cdb.exe.

Attack Chain

An attacker gains initial access to a Windows system.
The attacker copies cdb.exe to a non-standard location (outside “Program Files” and “Program Files (x86)”).
The attacker executes cdb.exe with the -cf, -c, or -pd command-line arguments.
These arguments are used to specify a command file or execute a direct command.
The command file or command directly executes malicious code, such as shellcode.
The malicious code performs actions such as creating new processes, modifying files, or establishing network connections.
These actions allow the attacker to maintain persistence or escalate privileges.
The ultimate goal is to evade defenses and execute arbitrary code on the system.

Impact

Successful exploitation allows adversaries to execute arbitrary commands and shellcode on the affected system, potentially leading to complete system compromise. This can result in data theft, installation of malware, or further propagation within the network. The technique is effective at bypassing application whitelisting and other security controls that rely on standard execution paths.

Recommendation

Deploy the Sigma rule “Execution via Windows Command Debugging Utility” to your SIEM to detect suspicious cdb.exe executions (see rules section).
Enable process creation logging via Sysmon or Windows Security Event Logs to provide the necessary data for the Sigma rule.
Implement application whitelisting to prevent execution of cdb.exe from non-standard paths.
Monitor process command lines for the -cf, -c, and -pd flags when cdb.exe is executed.
Investigate any instances of cdb.exe running from unusual directories to determine legitimacy.

Abuse of Windows Update Client for DLL Loading

hello@craftedsignal.io — Thu, 04 Jan 2024 12:00:00 +0000

Attackers are abusing the Windows Update Auto Update Client (wuauclt.exe) to execute arbitrary code by loading malicious DLLs. This technique allows malicious actors to evade defenses by masquerading their activity as legitimate Windows processes. The abuse involves using specific command-line arguments with wuauclt.exe to load a DLL from a user-writable directory. This behavior has been observed in various attacks aimed at evading traditional security measures. This is an effective defense evasion and execution technique, allowing attackers to execute code while blending in with normal system processes, potentially bypassing application control and other security mechanisms.

Attack Chain

An attacker gains initial access to the system through an unrelated method.
The attacker places a malicious DLL in a directory writable by standard users, such as C:\Users\\, C:\ProgramData\, C:\Windows\Temp\, or C:\Windows\Tasks\.
The attacker executes wuauclt.exe with the arguments /RunHandlerComServer and /UpdateDeploymentProvider along with the path to the malicious DLL. For example: wuauclt.exe /RunHandlerComServer /UpdateDeploymentProvider /dll:.
wuauclt.exe loads the specified malicious DLL.
The malicious DLL executes arbitrary code within the context of the wuauclt.exe process.
The malicious code performs its intended actions, such as establishing persistence, communicating with a C2 server, or escalating privileges.
The attacker may then use the compromised system as a foothold for lateral movement within the network.

Impact

Successful exploitation allows attackers to execute arbitrary code within a trusted Windows process, potentially bypassing security controls and making detection more difficult. While specific victim counts are unavailable, this technique can be used in targeted attacks against organizations where defense evasion is a priority for the adversary. Successful execution can lead to complete system compromise, data theft, or further malicious activities.

Recommendation

Deploy the Sigma rule ImageLoad via Windows Update Auto Update Client to detect the execution of wuauclt.exe with suspicious arguments.
Monitor process creation events for wuauclt.exe with the arguments /RunHandlerComServer and /UpdateDeploymentProvider, focusing on DLL paths in user-writable directories.
Enable Sysmon process-creation and image-load logging to improve visibility into this type of attack.
Audit DLLs loaded by wuauclt.exe and investigate any unsigned or unexpected DLLs.

Windows Delayed Execution via Ping Followed by Malicious Utilities

hello@craftedsignal.io — Tue, 02 Jan 2024 14:00:00 +0000

Attackers may use ping to introduce pauses, allowing them to execute harmful scripts or binaries stealthily. This delayed execution is often observed during malware installation and is consistent with an attacker attempting to evade detection. The adversary uses ping.exe with the -n argument from within a cmd.exe shell, and the parent process is running under a user context other than SYSTEM. The subsequent process is cmd.exe invoking a known malicious utility, such as powershell.exe, mshta.exe, rundll32.exe, or an executable from the user’s AppData directory without a valid code signature. This behavior is often observed during malware installation.

Attack Chain

The attack begins with an initial access vector (not specified in source).
The adversary executes cmd.exe.
cmd.exe spawns ping.exe with the -n argument to introduce a delay, typically to evade detection (ping.exe -n [number] 127.0.0.1).
After the delay introduced by ping.exe, the same cmd.exe process executes a potentially malicious utility such as powershell.exe, mshta.exe, rundll32.exe, certutil.exe, or regsvr32.exe.
Alternatively, cmd.exe might execute a binary located within the user’s AppData directory that lacks a valid code signature.
The malicious utility executes arbitrary commands or scripts, potentially downloading further payloads or modifying system configurations.
The attacker gains a foothold on the system, enabling further malicious activities such as lateral movement or data exfiltration.

Impact

A successful attack can lead to malware installation, system compromise, and data theft. While the source does not quantify the number of victims or specific sectors targeted, a successful compromise can lead to significant operational disruption and data breaches. The use of delayed execution makes it more difficult for traditional security solutions to detect malicious activity.

Recommendation

Deploy the Sigma rule “Delayed Execution via Ping” to your SIEM to detect the execution of commonly abused Windows utilities via a delayed Ping execution.
Enable process monitoring with command-line argument logging to capture the execution of ping.exe and subsequent processes for analysis.
Implement application whitelisting to prevent unauthorized execution of scripts and binaries, focusing on the utilities identified in the rule.
Review and tune the provided Sigma rule, including the listed exclusions, to reduce false positives in your specific environment.
Monitor process execution from unusual locations like the AppData directory, especially for unsigned executables, as indicated in the rule’s detection logic.