{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lolbin/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["aws","ec2","ssm","lolbin","execution","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on detecting the execution of Living Off the Land Binaries (LOLBins) or GTFOBins on Amazon EC2 instances via AWS Systems Manager (SSM) \u003ccode\u003eSendCommand\u003c/code\u003e API. The technique involves correlating AWS CloudTrail \u003ccode\u003eSendCommand\u003c/code\u003e events with endpoint process execution by matching SSM command IDs. While AWS redacts command parameters in CloudTrail logs, this correlation technique reveals the actual commands executed on EC2 instances. This is critical because adversaries may abuse SSM to execute malicious commands remotely without requiring SSH or RDP access. They can leverage legitimate system utilities for various malicious purposes, including data exfiltration, establishing reverse shells, or facilitating lateral movement within the cloud environment. The rule was last updated on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to AWS via compromised credentials or an exposed IAM role.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the AWS CLI or API to initiate an SSM \u003ccode\u003eSendCommand\u003c/code\u003e to a target EC2 instance. The \u003ccode\u003eDocumentName\u003c/code\u003e parameter is set to \u003ccode\u003eAWS-RunShellScript\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SSM agent on the EC2 instance receives the \u003ccode\u003eSendCommand\u003c/code\u003e request.\u003c/li\u003e\n\u003cli\u003eThe SSM agent executes a shell script (\u003ccode\u003e_script.sh\u003c/code\u003e) within a dedicated directory for orchestration.\u003c/li\u003e\n\u003cli\u003eThe shell script executes a LOLBin, such as \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, or \u003ccode\u003eperl\u003c/code\u003e, to perform malicious actions. The parent process of the LOLBin will be the SSM shell script.\u003c/li\u003e\n\u003cli\u003eThe LOLBin is used to download a malicious payload, establish a reverse shell, or exfiltrate data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the established reverse shell to perform further actions on the EC2 instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to EC2 instances, data exfiltration, deployment of malware, and lateral movement within the AWS environment. Although a number of impacted organizations is not available, this attack is able to bypass traditional network security controls. Organizations in any sector utilizing AWS EC2 instances and SSM are potentially at risk. The lack of required SSH or RDP access makes this technique particularly stealthy.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable AWS CloudTrail logging to capture \u003ccode\u003eSendCommand\u003c/code\u003e events and monitor for \u003ccode\u003eAWS-RunShellScript\u003c/code\u003e in the \u003ccode\u003erequest_parameters\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AWS EC2 LOLBin Execution via SSM SendCommand\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint process execution logs for the execution of LOLBins like \u003ccode\u003ecurl\u003c/code\u003e, \u003ccode\u003ewget\u003c/code\u003e, \u003ccode\u003epython\u003c/code\u003e, \u003ccode\u003eperl\u003c/code\u003e, \u003ccode\u003enc\u003c/code\u003e, etc., with parent processes related to SSM.\u003c/li\u003e\n\u003cli\u003eImplement strict IAM policies to restrict SSM \u003ccode\u003eSendCommand\u003c/code\u003e permissions to only authorized users and roles.\u003c/li\u003e\n\u003cli\u003eReview and audit existing SSM configurations to identify and remediate any overly permissive settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T16:27:52Z","date_published":"2026-04-10T16:27:52Z","id":"/briefs/2024-01-03-aws-ec2-lolbin-ssm/","summary":"Detection of Living Off the Land Binaries (LOLBins) or GTFOBins execution on EC2 instances via AWS Systems Manager (SSM) SendCommand API, potentially indicating malicious activity.","title":"AWS EC2 LOLBin Execution via SSM SendCommand","url":"https://feed.craftedsignal.io/briefs/2024-01-03-aws-ec2-lolbin-ssm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lolbin","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis alert leverages Elastic\u0026rsquo;s ProblemChild integration to detect potential Living off the Land (LotL) attacks on Windows systems. The rule utilizes a combination of supervised and unsupervised machine learning models to identify parent processes spawning clusters of suspicious child processes. These child processes are flagged as having unusually high malicious probability scores, suggesting the use of LOLBins or other defense evasion techniques. The detection focuses on identifying groups of processes with the same parent process name where the aggregated malicious score for the cluster is unusually high, as determined by an unsupervised machine learning model. The rule is active as of October 2023, with updates through April 2026 and requires Elastic Stack version 9.4.0 or later.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a legitimate, signed Windows binary (LOLBin) such as \u003ccode\u003epowershell.exe\u003c/code\u003e or \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBin is used to execute malicious code or commands.\u003c/li\u003e\n\u003cli\u003eThe LOLBin spawns one or more child processes that perform malicious actions like reconnaissance or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe ProblemChild supervised ML model flags the child processes as having a high malicious probability score.\u003c/li\u003e\n\u003cli\u003eThe unsupervised ML model calculates an unusually high aggregate score for the cluster of child processes originating from the same parent process.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers, identifying the suspicious parent-child process relationship.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using LOLBins can allow adversaries to bypass traditional signature-based detections and operate undetected within a network. The masquerading of malicious activity as legitimate system processes makes it difficult for security teams to identify and respond to threats effectively. The impact can range from data theft and system compromise to ransomware deployment, depending on the attacker\u0026rsquo;s objectives. The machine learning detection helps analysts to prioritize alerts which may otherwise be missed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure the Living off the Land (LotL) Attack Detection integration assets are installed within Elastic Security, as described in the \u0026ldquo;Setup\u0026rdquo; section of this brief.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;Parent Process Detected with Suspicious Windows Process(es)\u0026rdquo; rule, focusing on the parent process name and the command-line arguments of the suspicious child processes (reference: Investigation Guide in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field).\u003c/li\u003e\n\u003cli\u003eTune the \u003ccode\u003eanomaly_threshold\u003c/code\u003e value (currently 75) in the rule configuration based on your environment\u0026rsquo;s baseline activity to reduce false positives.\u003c/li\u003e\n\u003cli\u003eWhitelisting parent process names can mitigate false positives generated by legitimate administrative tools. (reference: False positive analysis in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field)\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging via Elastic Defend or Winlogbeat to ensure the rule has the necessary data to function (reference: Setup section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-suspicious-parent-process/","summary":"A machine learning model detected a parent process spawning a cluster of suspicious Windows processes with high malicious probability scores, potentially indicating LOLBins usage and defense evasion.","title":"Suspicious Windows Process Cluster from Parent Process via Machine Learning","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-parent-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Elastic Endgame","Sysmon Event ID 11 - File Create"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","windows","managed code","lolbin"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eThis detection identifies suspicious managed code hosting processes on Windows systems. Attackers may leverage processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, \u003ccode\u003esvchost.exe\u003c/code\u003e, \u003ccode\u003edllhost.exe\u003c/code\u003e, \u003ccode\u003ecmstp.exe\u003c/code\u003e, and \u003ccode\u003eregsvr32.exe\u003c/code\u003e to execute malicious code, often bypassing traditional security controls. These processes can be abused to load and execute .NET assemblies or other managed code components. The detection focuses on identifying unusual file creation events associated with these processes which could indicate an attacker is attempting to leverage these processes for malicious purposes. This activity might be indicative of code injection, defense evasion, or other suspicious code execution techniques. The rule uses EQL to search for file events associated with specific processes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system through a phishing email or compromised software.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a LOLBin such as \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003eregsvr32.exe\u003c/code\u003e to bypass application control.\u003c/li\u003e\n\u003cli\u003eThe LOLBin executes a malicious script or loads a malicious DLL from a user-writable location.\u003c/li\u003e\n\u003cli\u003eThe malicious script or DLL performs reconnaissance activities, such as gathering system information or enumerating network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker then attempts to escalate privileges by exploiting a vulnerability or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised process to download and execute additional malware.\u003c/li\u003e\n\u003cli\u003eThe malware establishes persistence on the system through scheduled tasks or registry modifications.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network, compromising additional systems and exfiltrating sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, and establish persistence. The use of LOLBins can bypass application control, making detection more challenging. Depending on the scope of the attack, this could result in significant financial losses, reputational damage, and disruption of business operations. This is a high-severity finding due to the potential for attackers to gain full control over affected systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon file creation logging (Event ID 11) to collect the necessary data for this detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Managed Code Hosting Process\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the file paths, process command lines, and parent processes involved.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected file creation events associated with processes like \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, and \u003ccode\u003emshta.exe\u003c/code\u003e in user-writable directories.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of LOLBins and other potentially malicious processes.\u003c/li\u003e\n\u003cli\u003eCorrelate the detection with other security events to identify related malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"/briefs/2024-01-29-suspicious-managedcode-hosting/","summary":"This rule detects suspicious managed code hosting processes on Windows systems, potentially indicating code injection or defense evasion tactics by monitoring file events associated with processes commonly used to host managed code, such as wscript.exe, cscript.exe, and mshta.exe.","title":"Suspicious Managed Code Hosting Process","url":"https://feed.craftedsignal.io/briefs/2024-01-29-suspicious-managedcode-hosting/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Sysmon Event ID 1 - Process Creation","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["lolbin","command-and-control","exfiltration","certreq"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic has observed this behavior being detected through multiple data sources including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike. This is a cross-industry threat that can affect any organization using Windows.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes Certreq.exe with the \u003ccode\u003e-Post\u003c/code\u003e argument to initiate an HTTP POST request.\u003c/li\u003e\n\u003cli\u003eThe Certreq process attempts to connect to a remote server to send or receive data.\u003c/li\u003e\n\u003cli\u003eThe remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe downloaded file is saved to disk (if applicable).\u003c/li\u003e\n\u003cli\u003eThe attacker may execute the downloaded file or further process the exfiltrated data.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to clean up the Certreq command from command history or logs to evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker\u0026rsquo;s objectives and the data accessed. The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Certreq HTTP Post Request\u0026rdquo; to your SIEM to identify potential abuse of Certreq for file transfer.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of Certreq.exe executing with the \u003ccode\u003e-Post\u003c/code\u003e argument, as this is not typical usage of the utility.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T20:47:00Z","date_published":"2024-01-28T20:47:00Z","id":"/briefs/2024-01-certreq-post/","summary":"Adversaries may abuse the Windows Certreq utility to download files or upload data to a remote URL by making an HTTP POST request, potentially for command and control or exfiltration, which can be detected by monitoring process execution events.","title":"Potential Abuse of Certreq for File Transfer via HTTP POST","url":"https://feed.craftedsignal.io/briefs/2024-01-certreq-post/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["wscript","cscript","lolbin","malware","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection identifies suspicious child processes spawned by Windows Script Host (WScript) or CScript. Adversaries commonly leverage WScript and CScript to execute malicious scripts, LOLBINs (Living Off The Land Binaries), and PowerShell, or inject code into suspended processes as a form of defense evasion. While some legitimate scripts may utilize tools detected by this analytic, it serves as a valuable indicator that a script may be executing suspicious code. Notably, the WhisperGate malware and campaigns by FIN7 have employed similar techniques. This activity has been observed since at least 2022, and continues to be relevant for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user (unknowingly or through social engineering) executes a malicious script.\u003c/li\u003e\n\u003cli\u003eThe malicious script is interpreted by either \u003ccode\u003ewscript.exe\u003c/code\u003e or \u003ccode\u003ecscript.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script executes a LOLBIN such as \u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ewinhlp32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsbuild.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBIN executes further commands or downloads additional payloads. \u003ccode\u003eCertutil.exe\u003c/code\u003e may be used to decode and install malicious binaries.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a pivot for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to escalate privileges and establish persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Child Processes Spawned by WScript or CScript\u003c/code\u003e to your SIEM to detect suspicious child processes. Tune the rule based on your environment\u0026rsquo;s baseline activity, filtering out any legitimate use cases.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.\u003c/li\u003e\n\u003cli\u003eBlock execution of the LOLBINs (\u003ccode\u003eregsvr32.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003ewinhlp32.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003emsbuild.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e, \u003ccode\u003ewmic.exe\u003c/code\u003e, or \u003ccode\u003emshta.exe\u003c/code\u003e) if they are not required in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"/briefs/2024-01-03-wscript-cscript-suspicious-child-process/","summary":"Detects suspicious processes spawned by WScript or CScript, a common technique used by adversaries to execute LOLBINs, PowerShell, or inject code into suspended processes for defense evasion.","title":"Suspicious Child Processes Spawned by WScript or CScript","url":"https://feed.craftedsignal.io/briefs/2024-01-03-wscript-cscript-suspicious-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lolbin","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers often copy legitimate operating system binaries (LOLBINs) from standard system directories to evade detection. This technique involves using command-line tools like \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003erobocopy.exe\u003c/code\u003e, or \u003ccode\u003excopy.exe\u003c/code\u003e to move these binaries to different locations on the disk, frequently with modified names. By relocating and renaming LOLBINs, threat actors attempt to bypass security measures that rely on file path or filename-based detection. This technique has been observed in various attack campaigns, including those involving malware delivery and ransomware deployment. This behavior aims to execute malicious operations under the guise of legitimate system processes, complicating forensic analysis and incident response efforts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access is achieved through an undisclosed method (e.g., exploitation, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker gains command execution on the target system.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e to initiate a copy operation.\u003c/li\u003e\n\u003cli\u003eThe command line includes the \u003ccode\u003ecopy\u003c/code\u003e command, \u003ccode\u003ecopy-item\u003c/code\u003e, \u003ccode\u003ecp\u003c/code\u003e, or \u003ccode\u003ecpi\u003c/code\u003e to copy a file.\u003c/li\u003e\n\u003cli\u003eThe source file is located within a Windows system directory such as \u003ccode\u003eC:\\\\Windows\\\\System32\u003c/code\u003e, \u003ccode\u003eC:\\\\Windows\\\\SysWOW64\u003c/code\u003e, or \u003ccode\u003eC:\\\\Windows\\\\WinSxS\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe destination directory is outside the standard system directories.\u003c/li\u003e\n\u003cli\u003eThe copied binary is then executed from the new location.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the LOLBIN to perform further malicious actions, such as downloading payloads or executing arbitrary code.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of this attack allows threat actors to evade traditional security detections by using renamed and relocated LOLBINs. This can lead to the successful execution of malicious payloads, potentially resulting in data theft, system compromise, or ransomware deployment. The impact can range from localized infections to domain-wide ransomware attacks, depending on the attacker\u0026rsquo;s objectives and the scope of the compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Suspicious Copy From or To System Directory\u0026rdquo; to your SIEM to detect this behavior and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any \u003ccode\u003eprocess_creation\u003c/code\u003e events where \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e is used to copy files from system directories as indicated by the rule and the details in the Attack Chain section.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of LOLBINs such as \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003erobocopy.exe\u003c/code\u003e, and \u003ccode\u003excopy.exe\u003c/code\u003e from non-standard locations.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or relocated binaries.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-susp-copy-system-dir/","summary":"This threat involves the suspicious copying of files from or to Windows system directories (System32, SysWOW64, WinSxS) using command-line tools, often employed by attackers to relocate LOLBINs for defense evasion.","title":"Suspicious Copy from or to System Directory","url":"https://feed.craftedsignal.io/briefs/2024-01-03-susp-copy-system-dir/"},{"_cs_actors":["Remcos","njRAT"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["lolbin","dll-loading","regsvr32"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the abuse of \u003ccode\u003eregsvr32.exe\u003c/code\u003e, a legitimate Microsoft Windows utility, to load and execute malicious DLLs. Attackers, including those using Remote Access Trojans (RATs) like Remcos and njRAT, leverage \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) parameter and the \u003ccode\u003eDLLInstall\u003c/code\u003e function call. The activity is observed by analyzing process command-line arguments and parent process details from Endpoint Detection and Response (EDR) agents. This technique allows attackers to bypass application whitelisting and execute arbitrary code, maintain persistence, and compromise the system further. The detection described was published in splunk-escu on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unknown vector (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious DLL on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003eregsvr32.exe\u003c/code\u003e with the \u003ccode\u003e/s\u003c/code\u003e (silent) parameter and the \u003ccode\u003eDLLInstall\u003c/code\u003e function, for example: \u003ccode\u003eregsvr32.exe /s /i:DLLInstall \u0026lt;malicious_dll_path\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eRegsvr32.exe\u003c/code\u003e loads the specified DLL.\u003c/li\u003e\n\u003cli\u003eThe DLLInstall function within the DLL executes, performing malicious actions. This could involve installing services, modifying registry keys, or injecting code into other processes.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence through registry modifications or scheduled tasks created by the DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker executes arbitrary commands on the system, potentially installing additional malware or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. This can lead to data theft, system disruption, or ransomware deployment. The affected systems can be remotely controlled by the attacker, enabling further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eRegsvr32 Silent and Install Param Dll Loading\u003c/code\u003e to detect instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e being used with the \u003ccode\u003e/s\u003c/code\u003e and \u003ccode\u003e/i\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to capture the necessary process and command-line information.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eregsvr32.exe\u003c/code\u003e execution with the silent and DLLInstall parameters, paying close attention to the parent process and the DLL being loaded.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of \u003ccode\u003eregsvr32.exe\u003c/code\u003e or other LOLBins from untrusted locations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-regsvr32-dll-loading/","summary":"Detection of regsvr32.exe being used with the silent and DLL install parameter to load a DLL, a technique used by RATs like Remcos and njRAT to execute arbitrary code.","title":"Regsvr32 Silent and Install Parameter DLL Loading","url":"https://feed.craftedsignal.io/briefs/2024-01-03-regsvr32-dll-loading/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Sysmon"],"_cs_severities":["low"],"_cs_tags":["lolbin","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAttackers may leverage LOLBINs, signed binaries that are part of the operating system, to perform malicious actions while blending in with legitimate system activity. This technique allows them to evade detection by application allowlists and signature validation. This brief focuses on the abuse of expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to initiate outbound network connections. The LOLBINs are used to execute malicious code, download additional payloads, or establish command and control channels. This activity can be indicative of malware installation, data exfiltration, or other malicious post-exploitation activities. Detection is crucial to identify potentially compromised systems and prevent further damage.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system (e.g., through phishing or exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a signed LOLBIN, such as \u003ccode\u003eexpand.exe\u003c/code\u003e, \u003ccode\u003eextrac32.exe\u003c/code\u003e, \u003ccode\u003eieexec.exe\u003c/code\u003e, or \u003ccode\u003emakecab.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe LOLBIN is used to download or execute a malicious payload from a remote server.\u003c/li\u003e\n\u003cli\u003eThe executed binary establishes a network connection to an external IP address.\u003c/li\u003e\n\u003cli\u003eData exfiltration may occur over the established network connection.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system by scheduling tasks or modifying registry keys.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging LOLBINs can result in the installation of malware, data theft, or full system compromise. The use of signed binaries makes it more difficult to detect malicious activity, potentially allowing attackers to operate undetected for extended periods. The financial and reputational damage caused by such attacks can be significant. While the risk score is low, the potential for defense evasion justifies monitoring.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eNetwork Connection via Signed Binary\u003c/code\u003e to detect suspicious network connections initiated by LOLBINs.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for instances of \u003ccode\u003eexpand.exe\u003c/code\u003e, \u003ccode\u003eextrac32.exe\u003c/code\u003e, \u003ccode\u003eieexec.exe\u003c/code\u003e, and \u003ccode\u003emakecab.exe\u003c/code\u003e using process creation logging.\u003c/li\u003e\n\u003cli\u003eReview network connection logs for outbound connections initiated by these processes, excluding connections to internal networks based on the provided list of private IP ranges.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of LOLBINs making external network connections, correlating with other suspicious activities on the affected host, as detailed in the \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-lolbin-network-connection/","summary":"Adversaries can use Living-Off-The-Land Binaries (LOLBINs) such as expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to establish network connections, potentially bypassing security controls and facilitating malicious activities on Windows systems.","title":"LOLBIN Network Connection for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-lolbin-network-connection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["defense-evasion","lolbin","windows","machine-learning"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection leverages the ProblemChild supervised machine learning model to identify unusual Windows processes that may be indicative of defense evasion tactics. The model flags processes that are both statistically unusual for a given host and predicted to be suspicious based on their characteristics. This approach aims to detect Living off the Land (LotL) attacks, where adversaries use legitimate system binaries (LOLbins) to evade traditional signature-based detection methods. The rule specifically targets processes observed on hosts that do not commonly exhibit malicious behavior. The alert requires the Elastic\u0026rsquo;s Living off the Land (LotL) Attack Detection integration assets to be installed, processing Windows process events collected by Elastic Defend or Winlogbeat. This detection rule was last updated on 2026-04-01 and requires Elastic Stack version 9.4.0 or higher.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAdversary gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a LOLbin (e.g., \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e) to execute malicious commands.\u003c/li\u003e\n\u003cli\u003eThe LOLbin spawns a child process to perform a specific task, such as downloading a file or modifying system settings.\u003c/li\u003e\n\u003cli\u003eThe spawned process exhibits characteristics flagged as suspicious by the ProblemChild ML model.\u003c/li\u003e\n\u003cli\u003eThe suspicious process attempts to evade detection by masquerading as a legitimate system process or by obfuscating its activity.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the process to establish persistence, escalate privileges, or move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe ultimate objective is to exfiltrate sensitive data, deploy ransomware, or disrupt business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful defense evasion attack can allow adversaries to operate undetected within a network, leading to data breaches, financial losses, and reputational damage. The use of LOLbins makes it difficult to distinguish malicious activity from legitimate system operations. This detection rule aims to reduce the dwell time of attackers by identifying suspicious processes early in the attack chain, even if they are using legitimate tools. False positives may occur due to routine administrative tasks, software updates, or custom scripts.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure that the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as described in the \u0026ldquo;Setup\u0026rdquo; section of this brief.\u003c/li\u003e\n\u003cli\u003eVerify that Windows process events are being collected by Elastic Defend or Winlogbeat, as required by the detection rule.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect unusual process spawns and tune the \u003ccode\u003eImage|endswith\u003c/code\u003e and \u003ccode\u003eCommandLine|contains\u003c/code\u003e conditions for your specific environment.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide provided in the rule description to triage and analyze potential false positives.\u003c/li\u003e\n\u003cli\u003eAdjust the \u003ccode\u003eanomaly_threshold\u003c/code\u003e (currently 75) in the Elastic detection rule based on your environment\u0026rsquo;s baseline to reduce noise.\u003c/li\u003e\n\u003cli\u003eMonitor for MITRE ATT\u0026amp;CK Technique T1218 (System Binary Proxy Execution) to identify potential LOLbin abuse.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-problemchild-rare-process/","summary":"The ProblemChild machine learning model detected a rare Windows process indicative of defense evasion, potentially involving LOLbins, on a host not commonly associated with malicious activity.","title":"ProblemChild ML Model Detects Unusual Process on Windows Host","url":"https://feed.craftedsignal.io/briefs/2024-01-03-problemchild-rare-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Lolbin","version":"https://jsonfeed.org/version/1.1"}