Lolbin — CraftedSignal Threat Feed

AWS EC2 LOLBin Execution via SSM SendCommand

hello@craftedsignal.io — Fri, 10 Apr 2026 16:27:52 +0000

This threat brief focuses on detecting the execution of Living Off the Land Binaries (LOLBins) or GTFOBins on Amazon EC2 instances via AWS Systems Manager (SSM) SendCommand API. The technique involves correlating AWS CloudTrail SendCommand events with endpoint process execution by matching SSM command IDs. While AWS redacts command parameters in CloudTrail logs, this correlation technique reveals the actual commands executed on EC2 instances. This is critical because adversaries may abuse SSM to execute malicious commands remotely without requiring SSH or RDP access. They can leverage legitimate system utilities for various malicious purposes, including data exfiltration, establishing reverse shells, or facilitating lateral movement within the cloud environment. The rule was last updated on 2026-04-10.

Attack Chain

An attacker gains initial access to AWS via compromised credentials or an exposed IAM role.
The attacker uses the AWS CLI or API to initiate an SSM SendCommand to a target EC2 instance. The DocumentName parameter is set to AWS-RunShellScript.
The SSM agent on the EC2 instance receives the SendCommand request.
The SSM agent executes a shell script (_script.sh) within a dedicated directory for orchestration.
The shell script executes a LOLBin, such as curl, wget, python, or perl, to perform malicious actions. The parent process of the LOLBin will be the SSM shell script.
The LOLBin is used to download a malicious payload, establish a reverse shell, or exfiltrate data.
The attacker uses the established reverse shell to perform further actions on the EC2 instance.

Impact

Successful exploitation can lead to unauthorized access to EC2 instances, data exfiltration, deployment of malware, and lateral movement within the AWS environment. Although a number of impacted organizations is not available, this attack is able to bypass traditional network security controls. Organizations in any sector utilizing AWS EC2 instances and SSM are potentially at risk. The lack of required SSH or RDP access makes this technique particularly stealthy.

Recommendation

Enable AWS CloudTrail logging to capture SendCommand events and monitor for AWS-RunShellScript in the request_parameters.
Deploy the Sigma rule “Detect AWS EC2 LOLBin Execution via SSM SendCommand” to your SIEM and tune for your environment.
Monitor endpoint process execution logs for the execution of LOLBins like curl, wget, python, perl, nc, etc., with parent processes related to SSM.
Implement strict IAM policies to restrict SSM SendCommand permissions to only authorized users and roles.
Review and audit existing SSM configurations to identify and remediate any overly permissive settings.

Suspicious Windows Process Cluster from Parent Process via Machine Learning

hello@craftedsignal.io — Tue, 30 Jan 2024 12:00:00 +0000

This alert leverages Elastic’s ProblemChild integration to detect potential Living off the Land (LotL) attacks on Windows systems. The rule utilizes a combination of supervised and unsupervised machine learning models to identify parent processes spawning clusters of suspicious child processes. These child processes are flagged as having unusually high malicious probability scores, suggesting the use of LOLBins or other defense evasion techniques. The detection focuses on identifying groups of processes with the same parent process name where the aggregated malicious score for the cluster is unusually high, as determined by an unsupervised machine learning model. The rule is active as of October 2023, with updates through April 2026 and requires Elastic Stack version 9.4.0 or later.

Attack Chain

An attacker gains initial access to a Windows system through various means.
The attacker leverages a legitimate, signed Windows binary (LOLBin) such as powershell.exe or cmd.exe.
The LOLBin is used to execute malicious code or commands.
The LOLBin spawns one or more child processes that perform malicious actions like reconnaissance or lateral movement.
The ProblemChild supervised ML model flags the child processes as having a high malicious probability score.
The unsupervised ML model calculates an unusually high aggregate score for the cluster of child processes originating from the same parent process.
The detection rule triggers, identifying the suspicious parent-child process relationship.
The attacker achieves their objective, such as data exfiltration or persistence.

Impact

A successful attack using LOLBins can allow adversaries to bypass traditional signature-based detections and operate undetected within a network. The masquerading of malicious activity as legitimate system processes makes it difficult for security teams to identify and respond to threats effectively. The impact can range from data theft and system compromise to ransomware deployment, depending on the attacker’s objectives. The machine learning detection helps analysts to prioritize alerts which may otherwise be missed.

Recommendation

Ensure the Living off the Land (LotL) Attack Detection integration assets are installed within Elastic Security, as described in the “Setup” section of this brief.
Investigate any alerts generated by the “Parent Process Detected with Suspicious Windows Process(es)” rule, focusing on the parent process name and the command-line arguments of the suspicious child processes (reference: Investigation Guide in the rule’s note field).
Tune the anomaly_threshold value (currently 75) in the rule configuration based on your environment’s baseline activity to reduce false positives.
Whitelisting parent process names can mitigate false positives generated by legitimate administrative tools. (reference: False positive analysis in the rule’s note field)
Enable Windows process creation logging via Elastic Defend or Winlogbeat to ensure the rule has the necessary data to function (reference: Setup section).

Suspicious Managed Code Hosting Process

hello@craftedsignal.io — Mon, 29 Jan 2024 12:00:00 +0000

This detection identifies suspicious managed code hosting processes on Windows systems. Attackers may leverage processes like wscript.exe, cscript.exe, mshta.exe, wmic.exe, svchost.exe, dllhost.exe, cmstp.exe, and regsvr32.exe to execute malicious code, often bypassing traditional security controls. These processes can be abused to load and execute .NET assemblies or other managed code components. The detection focuses on identifying unusual file creation events associated with these processes which could indicate an attacker is attempting to leverage these processes for malicious purposes. This activity might be indicative of code injection, defense evasion, or other suspicious code execution techniques. The rule uses EQL to search for file events associated with specific processes.

Attack Chain

An attacker gains initial access to the system through a phishing email or compromised software.
The attacker uses a LOLBin such as mshta.exe or regsvr32.exe to bypass application control.
The LOLBin executes a malicious script or loads a malicious DLL from a user-writable location.
The malicious script or DLL performs reconnaissance activities, such as gathering system information or enumerating network resources.
The attacker then attempts to escalate privileges by exploiting a vulnerability or using stolen credentials.
The attacker uses the compromised process to download and execute additional malware.
The malware establishes persistence on the system through scheduled tasks or registry modifications.
The attacker performs lateral movement within the network, compromising additional systems and exfiltrating sensitive data.

Impact

Successful exploitation can lead to arbitrary code execution, allowing attackers to compromise systems, steal sensitive data, and establish persistence. The use of LOLBins can bypass application control, making detection more challenging. Depending on the scope of the attack, this could result in significant financial losses, reputational damage, and disruption of business operations. This is a high-severity finding due to the potential for attackers to gain full control over affected systems.

Recommendation

Enable Sysmon file creation logging (Event ID 11) to collect the necessary data for this detection.
Deploy the Sigma rule “Suspicious Managed Code Hosting Process” to your SIEM and tune for your environment.
Investigate any alerts generated by this rule, focusing on the file paths, process command lines, and parent processes involved.
Monitor for unexpected file creation events associated with processes like wscript.exe, cscript.exe, and mshta.exe in user-writable directories.
Implement application control policies to restrict the execution of LOLBins and other potentially malicious processes.
Correlate the detection with other security events to identify related malicious activity.

Potential Abuse of Certreq for File Transfer via HTTP POST

hello@craftedsignal.io — Sun, 28 Jan 2024 20:47:00 +0000

The Windows Certreq utility is a command-line tool used for managing certificates. Adversaries may abuse Certreq to download files from or upload data to a remote server by initiating an HTTP POST request. This behavior can be used for command and control (C2) or exfiltration. This technique leverages a legitimate system binary (LOLBin) to evade detection. Elastic has observed this behavior being detected through multiple data sources including Elastic Defend, Microsoft Defender XDR, Sysmon, SentinelOne, and Crowdstrike. This is a cross-industry threat that can affect any organization using Windows.

Attack Chain

An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
The attacker executes Certreq.exe with the -Post argument to initiate an HTTP POST request.
The Certreq process attempts to connect to a remote server to send or receive data.
The remote server responds to the Certreq request, potentially delivering a file or receiving exfiltrated data.
The downloaded file is saved to disk (if applicable).
The attacker may execute the downloaded file or further process the exfiltrated data.
The attacker may attempt to clean up the Certreq command from command history or logs to evade detection.

Impact

Successful exploitation could lead to the download and execution of malicious payloads, potentially compromising the affected system and network. Alternatively, sensitive data could be exfiltrated from the target environment. The impact can range from data theft and system compromise to full network intrusion, depending on the attacker’s objectives and the data accessed. The severity is medium because Certreq is a legitimate tool, and its abuse requires specific command-line arguments and network activity.

Recommendation

Deploy the Sigma rule “Detect Certreq HTTP Post Request” to your SIEM to identify potential abuse of Certreq for file transfer.
Enable Sysmon process creation logging (Event ID 1) to capture the execution of Certreq.exe and its command-line arguments, enabling detections.
Monitor network connections originating from Certreq.exe for unusual destinations or data transfer patterns using network connection logs.
Investigate any instances of Certreq.exe executing with the -Post argument, as this is not typical usage of the utility.

Suspicious Child Processes Spawned by WScript or CScript

hello@craftedsignal.io — Wed, 03 Jan 2024 15:00:00 +0000

This detection identifies suspicious child processes spawned by Windows Script Host (WScript) or CScript. Adversaries commonly leverage WScript and CScript to execute malicious scripts, LOLBINs (Living Off The Land Binaries), and PowerShell, or inject code into suspended processes as a form of defense evasion. While some legitimate scripts may utilize tools detected by this analytic, it serves as a valuable indicator that a script may be executing suspicious code. Notably, the WhisperGate malware and campaigns by FIN7 have employed similar techniques. This activity has been observed since at least 2022, and continues to be relevant for defenders.

Attack Chain

A user (unknowingly or through social engineering) executes a malicious script.
The malicious script is interpreted by either wscript.exe or cscript.exe.
The script executes a LOLBIN such as regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe.
The LOLBIN executes further commands or downloads additional payloads. Certutil.exe may be used to decode and install malicious binaries.
The attacker gains control over the compromised system.
The attacker uses the compromised system as a pivot for lateral movement.
The attacker attempts to escalate privileges and establish persistence.
The attacker may exfiltrate data or deploy ransomware.

Impact

Successful exploitation can lead to complete system compromise, data theft, and potential ransomware deployment. Organizations across various sectors are vulnerable, as this technique is commonly used by both commodity malware and advanced persistent threat (APT) groups. The WhisperGate malware targeting Ukrainian organizations in 2022 demonstrated the destructive potential of this technique.

Recommendation

Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (4688) to capture process execution events necessary for the provided rules.
Deploy the Sigma rule Suspicious Child Processes Spawned by WScript or CScript to your SIEM to detect suspicious child processes. Tune the rule based on your environment’s baseline activity, filtering out any legitimate use cases.
Investigate any alerts generated by this rule, focusing on the parent and child processes involved and the commands executed.
Monitor endpoint logs for unusual or unexpected process executions originating from WScript or CScript.
Block execution of the LOLBINs (regsvr32.exe, rundll32.exe, winhlp32.exe, certutil.exe, msbuild.exe, cmd.exe, powershell.exe, pwsh.exe, wmic.exe, or mshta.exe) if they are not required in your environment.

Suspicious Copy from or to System Directory

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers often copy legitimate operating system binaries (LOLBINs) from standard system directories to evade detection. This technique involves using command-line tools like cmd.exe, powershell.exe, robocopy.exe, or xcopy.exe to move these binaries to different locations on the disk, frequently with modified names. By relocating and renaming LOLBINs, threat actors attempt to bypass security measures that rely on file path or filename-based detection. This technique has been observed in various attack campaigns, including those involving malware delivery and ransomware deployment. This behavior aims to execute malicious operations under the guise of legitimate system processes, complicating forensic analysis and incident response efforts.

Attack Chain

Initial access is achieved through an undisclosed method (e.g., exploitation, phishing).
The attacker gains command execution on the target system.
The attacker uses cmd.exe or powershell.exe to initiate a copy operation.
The command line includes the copy command, copy-item, cp, or cpi to copy a file.
The source file is located within a Windows system directory such as C:\\Windows\\System32, C:\\Windows\\SysWOW64, or C:\\Windows\\WinSxS.
The destination directory is outside the standard system directories.
The copied binary is then executed from the new location.
The attacker uses the LOLBIN to perform further malicious actions, such as downloading payloads or executing arbitrary code.

Impact

Successful execution of this attack allows threat actors to evade traditional security detections by using renamed and relocated LOLBINs. This can lead to the successful execution of malicious payloads, potentially resulting in data theft, system compromise, or ransomware deployment. The impact can range from localized infections to domain-wide ransomware attacks, depending on the attacker’s objectives and the scope of the compromise.

Recommendation

Deploy the Sigma rule “Suspicious Copy From or To System Directory” to your SIEM to detect this behavior and tune for your environment.
Investigate any process_creation events where cmd.exe or powershell.exe is used to copy files from system directories as indicated by the rule and the details in the Attack Chain section.
Monitor for the execution of LOLBINs such as certutil.exe, robocopy.exe, and xcopy.exe from non-standard locations.
Implement application control policies to restrict the execution of unauthorized or relocated binaries.

Regsvr32 Silent and Install Parameter DLL Loading

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on the abuse of regsvr32.exe, a legitimate Microsoft Windows utility, to load and execute malicious DLLs. Attackers, including those using Remote Access Trojans (RATs) like Remcos and njRAT, leverage regsvr32.exe with the /s (silent) parameter and the DLLInstall function call. The activity is observed by analyzing process command-line arguments and parent process details from Endpoint Detection and Response (EDR) agents. This technique allows attackers to bypass application whitelisting and execute arbitrary code, maintain persistence, and compromise the system further. The detection described was published in splunk-escu on 2026-05-04.

Attack Chain

An attacker gains initial access via an unknown vector (e.g., phishing, exploit).
The attacker deploys a malicious DLL on the compromised system.
The attacker executes regsvr32.exe with the /s (silent) parameter and the DLLInstall function, for example: regsvr32.exe /s /i:DLLInstall .
Regsvr32.exe loads the specified DLL.
The DLLInstall function within the DLL executes, performing malicious actions. This could involve installing services, modifying registry keys, or injecting code into other processes.
The attacker establishes persistence through registry modifications or scheduled tasks created by the DLL.
The attacker executes arbitrary commands on the system, potentially installing additional malware or exfiltrating data.
The attacker achieves their final objective, such as data theft, system disruption, or ransomware deployment.

Impact

Successful exploitation can allow attackers to execute arbitrary code, bypass application whitelisting, and establish persistence on compromised systems. This can lead to data theft, system disruption, or ransomware deployment. The affected systems can be remotely controlled by the attacker, enabling further lateral movement within the network.

Recommendation

Deploy the Sigma rule Regsvr32 Silent and Install Param Dll Loading to detect instances of regsvr32.exe being used with the /s and /i parameters.
Enable Sysmon process creation logging (Event ID 1) and Windows Event Log Security Auditing (Event ID 4688) to capture the necessary process and command-line information.
Investigate any instances of regsvr32.exe execution with the silent and DLLInstall parameters, paying close attention to the parent process and the DLL being loaded.
Implement application control policies to restrict the execution of regsvr32.exe or other LOLBins from untrusted locations.

LOLBIN Network Connection for Defense Evasion

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

Attackers may leverage LOLBINs, signed binaries that are part of the operating system, to perform malicious actions while blending in with legitimate system activity. This technique allows them to evade detection by application allowlists and signature validation. This brief focuses on the abuse of expand.exe, extrac32.exe, ieexec.exe, and makecab.exe to initiate outbound network connections. The LOLBINs are used to execute malicious code, download additional payloads, or establish command and control channels. This activity can be indicative of malware installation, data exfiltration, or other malicious post-exploitation activities. Detection is crucial to identify potentially compromised systems and prevent further damage.

Attack Chain

An attacker gains initial access to the target system (e.g., through phishing or exploitation of a vulnerability).
The attacker executes a signed LOLBIN, such as expand.exe, extrac32.exe, ieexec.exe, or makecab.exe.
The LOLBIN is used to download or execute a malicious payload from a remote server.
The executed binary establishes a network connection to an external IP address.
Data exfiltration may occur over the established network connection.
The attacker maintains persistence on the system by scheduling tasks or modifying registry keys.
The attacker moves laterally within the network, compromising additional systems.

Impact

A successful attack leveraging LOLBINs can result in the installation of malware, data theft, or full system compromise. The use of signed binaries makes it more difficult to detect malicious activity, potentially allowing attackers to operate undetected for extended periods. The financial and reputational damage caused by such attacks can be significant. While the risk score is low, the potential for defense evasion justifies monitoring.

Recommendation

Implement the provided Sigma rule Network Connection via Signed Binary to detect suspicious network connections initiated by LOLBINs.
Monitor process execution logs for instances of expand.exe, extrac32.exe, ieexec.exe, and makecab.exe using process creation logging.
Review network connection logs for outbound connections initiated by these processes, excluding connections to internal networks based on the provided list of private IP ranges.
Investigate any detected instances of LOLBINs making external network connections, correlating with other suspicious activities on the affected host, as detailed in the “Triage and analysis” section.

ProblemChild ML Model Detects Unusual Process on Windows Host

hello@craftedsignal.io — Wed, 03 Jan 2024 10:00:00 +0000

This detection leverages the ProblemChild supervised machine learning model to identify unusual Windows processes that may be indicative of defense evasion tactics. The model flags processes that are both statistically unusual for a given host and predicted to be suspicious based on their characteristics. This approach aims to detect Living off the Land (LotL) attacks, where adversaries use legitimate system binaries (LOLbins) to evade traditional signature-based detection methods. The rule specifically targets processes observed on hosts that do not commonly exhibit malicious behavior. The alert requires the Elastic’s Living off the Land (LotL) Attack Detection integration assets to be installed, processing Windows process events collected by Elastic Defend or Winlogbeat. This detection rule was last updated on 2026-04-01 and requires Elastic Stack version 9.4.0 or higher.

Attack Chain

Adversary gains initial access to a Windows system.
The attacker leverages a LOLbin (e.g., powershell.exe, cmd.exe, mshta.exe) to execute malicious commands.
The LOLbin spawns a child process to perform a specific task, such as downloading a file or modifying system settings.
The spawned process exhibits characteristics flagged as suspicious by the ProblemChild ML model.
The suspicious process attempts to evade detection by masquerading as a legitimate system process or by obfuscating its activity.
The attacker uses the process to establish persistence, escalate privileges, or move laterally within the network.
The ultimate objective is to exfiltrate sensitive data, deploy ransomware, or disrupt business operations.

Impact

A successful defense evasion attack can allow adversaries to operate undetected within a network, leading to data breaches, financial losses, and reputational damage. The use of LOLbins makes it difficult to distinguish malicious activity from legitimate system operations. This detection rule aims to reduce the dwell time of attackers by identifying suspicious processes early in the attack chain, even if they are using legitimate tools. False positives may occur due to routine administrative tasks, software updates, or custom scripts.

Recommendation

Ensure that the Living off the Land (LotL) Attack Detection integration is installed and properly configured, as described in the “Setup” section of this brief.
Verify that Windows process events are being collected by Elastic Defend or Winlogbeat, as required by the detection rule.
Deploy the following Sigma rule to detect unusual process spawns and tune the Image|endswith and CommandLine|contains conditions for your specific environment.
Review the investigation guide provided in the rule description to triage and analyze potential false positives.
Adjust the anomaly_threshold (currently 75) in the Elastic detection rule based on your environment’s baseline to reduce noise.
Monitor for MITRE ATT&CK Technique T1218 (System Binary Proxy Execution) to identify potential LOLbin abuse.