Agent Foskett Academy • Lesson 106 • Hunting Playbook Series

Hunting Playbook: LOLBins in Microsoft Defender XDR.

The executable was signed. The file was already on the machine. The name looked familiar.

No exploit kit appeared. No strange binary was dropped. No obvious malware filename stood out.

But a trusted Windows tool had launched with unusual arguments, connected to the internet, and created activity that did not match normal administration.

Agent Foskett did not ask whether the binary was legitimate.

He asked whether the behaviour was legitimate.

Agent Foskett Academy lesson hunting LOLBins in Microsoft Defender XDR
Lesson overview

Learn how to hunt for Living Off the Land Binaries by analysing process execution, command-line arguments, parent-child relationships, network activity and suspicious use of trusted Windows tools inside Microsoft Defender XDR.

Identify common LOLBins
Review suspicious command lines
Correlate process and network telemetry
Separate administration from attacker behaviour

Why LOLBins matter

Living Off the Land Binaries are legitimate tools that already exist in Windows environments. Attackers abuse them because they are trusted, signed, familiar and often overlooked during basic alert review.
Trusted tools can still be abusedTools such as rundll32.exe, regsvr32.exe, mshta.exe, certutil.exe and bitsadmin.exe can be used legitimately or maliciously.
The file name is not enoughA signed Microsoft binary is not automatically safe. The investigation begins with the command line, parent process and resulting behaviour.
Context reveals intentDefenders need to ask who launched the tool, from where, with which arguments and what happened immediately afterwards.

The LOLBin hunting workflow

Agent Foskett investigates LOLBins by moving from known binaries to process context, command-line behaviour, network activity and timeline reconstruction.
1. Identify known LOLBinsStart by hunting for commonly abused Windows binaries across the investigation window.
2. Inspect the command lineReview switches, URLs, scripts, DLL names, encoded values, file paths and unusual arguments.
3. Review parent processesDetermine what launched the binary. Office apps, browsers, script hosts and unusual parents increase suspicion.
4. Check network activityPivot into DeviceNetworkEvents to see whether the trusted tool or its child process contacted external infrastructure.
5. Look for file and registry changesCorrelate with file writes, downloads, persistence keys, scheduled tasks and execution artefacts.
6. Build the timelineOrder process, network, file and alert evidence to show what happened before and after the LOLBin ran.

Step 1 — Hunt for common LOLBins

Start broad by finding commonly abused Windows tools across recent endpoint process telemetry.
step-1-hunt-for-common-lolbins.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let TimeFrame = 7d;
let LOLBins = dynamic(["rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "installutil.exe", "msbuild.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (LOLBins)
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine
| order by Timestamp desc

Step 2 — Look for suspicious command-line indicators

LOLBins become more interesting when the command line includes URLs, script execution, encoded content, suspicious file paths or unusual switches.
step-2-look-for-suspicious-command-line-indicators.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
let TimeFrame = 7d;
let LOLBins = dynamic(["rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"]);
let SuspiciousTerms = dynamic(["http", "https", "javascript", "vbscript", "scrobj", "urlcache", "decode", "download", "temp", "appdata"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (LOLBins)
| where ProcessCommandLine has_any (SuspiciousTerms)
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp desc

Step 3 — Focus on suspicious parent processes

A trusted binary launched by Word, Excel, Outlook, a browser or a script host should be reviewed carefully.
step-3-focus-on-suspicious-parent-processes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
let TimeFrame = 7d;
let SuspiciousParents = dynamic(["winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "chrome.exe", "msedge.exe", "wscript.exe", "cscript.exe", "powershell.exe"]);
let LOLBins = dynamic(["rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe"]);
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ (LOLBins)
| where InitiatingProcessFileName in~ (SuspiciousParents)
| project Timestamp,
          DeviceName,
          AccountName,
          InitiatingProcessFileName,
          FileName,
          ProcessCommandLine
| order by Timestamp desc

Step 4 — Correlate LOLBins with network activity

If a LOLBin or its child process makes outbound connections, the investigation should pivot into network evidence.
step-4-correlate-lolbins-with-network-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. 31
  32. 32
  33. 33
  34. 34
  35. 35
  36. 36
  37. 37
let TimeFrame = 7d;
let LOLBinActivity =
    DeviceProcessEvents
    | where Timestamp > ago(TimeFrame)
    | where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
    | project ProcessTime = Timestamp,
              DeviceId,
              DeviceName,
              AccountName,
              FileName,
              ProcessCommandLine;
let NetworkActivity =
    DeviceNetworkEvents
    | where Timestamp > ago(TimeFrame)
    | project NetworkTime = Timestamp,
              DeviceId,
              InitiatingProcessFileName,
              RemoteUrl,
              RemoteIP,
              RemotePort;
LOLBinActivity
| join kind=leftouter NetworkActivity on DeviceId
| where NetworkTime between (ProcessTime .. ProcessTime + 30m)
| project ProcessTime,
          NetworkTime,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          RemoteUrl,
          RemoteIP,
          RemotePort
| order by ProcessTime desc

Step 5 — Summarise LOLBin usage by device and account

Summaries help defenders understand scope quickly before diving into individual events.
step-5-summarise-lolbin-usage-by-device-and-account.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let TimeFrame = 14d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
| summarize ExecutionCount = count(),
            Accounts = make_set(AccountName, 20),
            Commands = make_set(ProcessCommandLine, 20),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
      by DeviceName,
         FileName
| order by ExecutionCount desc

Step 6 — Build the LOLBin investigation timeline

A timeline helps determine whether the trusted binary was part of normal administration or an attacker execution chain.
step-6-build-the-lolbin-investigation-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
let TimeFrame = 7d;
let DeviceToReview = "DEVICE-01";
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where DeviceName =~ DeviceToReview
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
   or InitiatingProcessFileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
| project Timestamp,
          DeviceName,
          AccountName,
          InitiatingProcessFileName,
          FileName,
          ProcessCommandLine
| order by Timestamp asc

Common LOLBin investigation clues

Unexpected parent processOffice applications, browsers, email clients or script hosts launching LOLBins can indicate user-driven execution or phishing activity.
External URLs in command linescertutil.exe, mshta.exe, regsvr32.exe or bitsadmin.exe referencing internet resources should be reviewed carefully.
Execution from user-writable pathsActivity involving Temp, Downloads, AppData or unusual script locations often deserves additional investigation.
Follow-on process creationLook for LOLBins launching PowerShell, cmd.exe, script hosts, archive tools or unusual child processes.
Network activity after executionA trusted Windows tool followed by external connections can reveal download, command-and-control or staging behaviour.
Repeated use across devicesThe same LOLBin pattern appearing on multiple endpoints may indicate a campaign rather than isolated administration.

False positives to consider

Software deployment toolsEnterprise management platforms may use certutil, bitsadmin, rundll32 or msiexec during legitimate deployment activity.
Administrator maintenanceSystem administrators may run trusted binaries for troubleshooting, registration, scripting and configuration tasks.
Vendor installers and updatersLegitimate software installers sometimes invoke Windows tools during installation and repair operations.
Security toolsEDR, vulnerability scanners and configuration management tools may execute or observe LOLBin-like behaviour during scans.

Investigation checklist

Which LOLBin executed?Identify the exact binary and whether that tool is normally used in the environment.
Who launched it?Review the account, device and initiating process that started the activity.
What did the command line do?Inspect arguments, URLs, script references, encoded strings and file paths.
What happened next?Pivot into child processes, network events, file writes and registry changes.
Is there related alert evidence?Check AlertInfo and AlertEvidence for associated Defender XDR detections.
Can the behaviour be explained?Validate whether the activity matches software deployment, administration or known business processes.

Related Agent Foskett Academy lessons

Investigating DeviceProcessEventsUse process telemetry to understand executable activity, command lines and parent-child relationships.
Investigating DeviceNetworkEventsPivot from suspicious process activity into outbound connections, remote URLs and IP addresses.
Hunting Playbook: PowerShell AbuseInvestigate encoded commands, suspicious PowerShell execution and post-compromise behaviour.
Building Reusable Hunting QueriesCreate repeatable hunting workflows for Defender XDR investigations.
Advanced join Techniques in KQLCorrelate process, network and alert evidence across Defender XDR tables.
Using make_set() in KQLSummarise users, devices, commands and remote destinations during investigation scoping.

Coming next

Lesson 107 — Hunting Playbook: Persistence MechanismsNext, Agent Foskett investigates how attackers maintain access using scheduled tasks, registry keys, startup folders, services and other persistence techniques.
Why this mattersLOLBins often appear inside persistence, execution and lateral movement chains. Understanding them prepares defenders for deeper endpoint investigations.

Final thought

A trusted binary is only trusted until its behaviour says otherwise.
Agent Foskett mindsetDo not stop at the file name. Follow the command line, parent process, child process, network activity and timeline.
Hunting Playbook SeriesLesson 106 continues the shift from learning KQL syntax to applying KQL in real Microsoft Defender XDR investigations.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Hunting Playbook LOLBins in Microsoft Defender XDR

Agent Foskett Academy Lesson 106 teaches defenders how to hunt for Living Off the Land Binaries using Microsoft Defender XDR, DeviceProcessEvents, command-line analysis and KQL investigation workflows.

Learn LOLBin hunting with KQL and Microsoft Defender XDR

This lesson explains how defenders investigate rundll32.exe, regsvr32.exe, mshta.exe, certutil.exe, bitsadmin.exe and other trusted Windows tools when they are abused by attackers.

Microsoft Defender XDR LOLBin investigation tutorial

Use process telemetry, parent-child relationships, network evidence, file activity and timelines to distinguish legitimate administration from malicious Living Off the Land activity.