Investigating Living Off The Land (LOLBins) in Microsoft Defender XDR.
The binary was signed.
The command line was not normal.
Agent Foskett followed the trusted tool being used for the wrong reason.
Lesson overview
Learn how to investigate Living Off The Land techniques by analysing trusted Windows binaries, suspicious command lines, parent processes, network activity and file evidence in Microsoft Defender XDR.
Why LOLBins matter
The LOLBins investigation workflow
Step 1 — Find commonly abused LOLBins
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "schtasks.exe", "installutil.exe")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 2 — Review suspicious command-line patterns
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
| where ProcessCommandLine has_any ("http", "https", "javascript", "script", "urlcache", "decode", "download", "-enc", "vbscript")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 3 — Investigate parent processes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "wscript.exe", "cscript.exe", "powershell.exe")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
ProcessCommandLine
| order by Timestamp desc
Step 4 — Correlate LOLBins with network activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
| join kind=inner (
DeviceNetworkEvents
| where Timestamp > ago(24h)
) on DeviceId, InitiatingProcessId
| project ProcessTime = Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
RemoteUrl,
RemoteIP,
RemotePort
| order by ProcessTime desc
Step 5 — Find files created after LOLBin execution
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
| join kind=inner (
DeviceFileEvents
| where Timestamp > ago(24h)
) on DeviceId
| where DeviceFileEvents.Timestamp between (DeviceProcessEvents.Timestamp .. DeviceProcessEvents.Timestamp + 10m)
| project ProcessTime = DeviceProcessEvents.Timestamp,
FileTime = DeviceFileEvents.Timestamp,
DeviceName,
AccountName,
LOLBin = DeviceProcessEvents.FileName,
CreatedFile = DeviceFileEvents.FileName,
FolderPath,
SHA256
| order by FileTime desc
Step 6 — Build the LOLBins timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
| project Timestamp,
EventType = "Process",
DeviceName,
AccountName,
Evidence = strcat(FileName, " launched by ", InitiatingProcessFileName),
Detail = ProcessCommandLine
| order by Timestamp asc
How to read the evidence
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating Living Off The Land LOLBins in Microsoft Defender XDR
Agent Foskett Academy Lesson 84 teaches defenders how to investigate Living Off The Land techniques in Microsoft Defender XDR.
Defender XDR LOLBins investigation workflow
This lesson explains how DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, rundll32.exe, regsvr32.exe, mshta.exe, certutil.exe, bitsadmin.exe, command lines, parent processes, RemoteUrl, RemoteIP and file hashes help defenders investigate trusted Windows binaries abused by attackers.
