This note documents detection patterns related to LOLBIN Abuse within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4688	Process creation	Critical	Core source for LOLBIN launch and arguments.
Sysmon	1	Process creation	Critical	Best execution source with parent lineage and hashes.
Sysmon	3	Network connection	High	Many LOLBINs perform outbound retrieval.
Sysmon	11	File create	High	Payloads written during LOLBIN abuse.
Sysmon	7	Image loaded	Medium	DLL loads support proxy execution chains.
PowerShell	4104	Script block logging	High	Useful when PowerShell launches LOLBINs.
Sysmon	22	DNS query	High	DNS preceding remote LOLBIN activity.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
LOLBIN with remote URL	HTTP/HTTPS path in arguments	Critical	Strong execution abuse signal.
LOLBIN launched by Office/browser	winword, excel, chrome parent	Critical	Very high suspicion.
LOLBIN writes executable	EXE/DLL/script output	Critical	Stage-two indicator.
LOLBIN spawns shell	cmd / powershell child	Critical	Strong multi-stage execution.
Rare LOLBIN usage	Binary uncommon on endpoint	High	Valuable anomaly.
Hidden execution flags	Silent / no UI switches	High	Stealth behavior.

Common Tools

Tool	Usage
certutil.exe	Download / decode
mshta.exe	Remote HTA execution
rundll32.exe	DLL / script proxy execution
regsvr32.exe	Squiblydoo
bitsadmin.exe	Background transfer
installutil.exe	Proxy execution
msiexec.exe	Installer abuse
wmic.exe	Remote execution

Relevant Artifacts

Sysmon Event IDs 1, 3, 7, 11, 22
Security Event ID 4688
PowerShell 4104
Prefetch:
- CERTUTIL.EXE
- MSHTA.EXE
- RUNDLL32.EXE
- REGSVR32.EXE
- BITSADMIN.EXE
Amcache / ShimCache
MFT / USN for payloads
EDR process tree

MITRE ATT&CK References

T1218 Signed Binary Proxy Execution
T1105 Ingress Tool Transfer
T1059 Command and Scripting Interpreter

Decision Tree

Which LOLBIN executed?
- Binary name
- Signed status
Arguments suspicious?
- URL
- Scriptlet
- Encoded content
Parent suspicious?
- Office
- Browser
- Service
Follow-up activity?
- Download
- Child shell
- Persistence
Expand:
- Network
- File creation
- Registry changes
Scope:
- Single LOLBIN
- Chained LOLBINs
- Multi-host pattern

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4688
| where NewProcessName has_any ("certutil.exe","mshta.exe","rundll32.exe","regsvr32.exe","bitsadmin.exe")
| project TimeGenerated, Computer, Account, CommandLine, ParentProcessName

Sysmon
| where EventID == 3
| where Image has_any ("certutil.exe","mshta.exe","rundll32.exe","regsvr32.exe")
| project TimeGenerated, Computer, Image, DestinationIp

EQL

process where process.name in ("certutil.exe","mshta.exe","rundll32.exe","regsvr32.exe","bitsadmin.exe")

sequence by host.name with maxspan=5m
  [ process where process.name in ("mshta.exe","regsvr32.exe") ]
  [ network where process.name in ("mshta.exe","regsvr32.exe") ]

Sigma

title: LOLBIN Abuse Detection
id: 9e3f7d20-lolbin-abuse
status: experimental
description: Detects suspicious signed binary proxy execution
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    NewProcessName|endswith:
      - '\certutil.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\bitsadmin.exe'
  condition: selection
fields:
  - CommandLine
  - ParentProcessName
falsepositives:
  - Administrative use
level: high
tags:
  - attack.execution
  - attack.t1218

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
AppLocker / WDAC	Restrict risky LOLBINs	Critical	Strong prevention
Parent-child monitoring	Alert on suspicious launch	Critical	High-value detection
Network correlation	Watch LOLBIN outbound traffic	High	Strong staging detection
Command-line retention	Preserve arguments	Critical	Essential for triage
Baseline rare binaries	Know legitimate usage	High	Reduce false positives