Agent Foskett Academy • Lesson 84 • Advanced Defender XDR Investigation

Investigating Living Off The Land (LOLBins) in Microsoft Defender XDR.

The binary was signed.

The command line was not normal.

Agent Foskett followed the trusted tool being used for the wrong reason.

Agent Foskett Academy lesson investigating Living Off The Land LOLBins in Microsoft Defender XDR
Lesson overview

Learn how to investigate Living Off The Land techniques by analysing trusted Windows binaries, suspicious command lines, parent processes, network activity and file evidence in Microsoft Defender XDR.

Start with DeviceProcessEvents
Identify suspicious LOLBins
Review parent processes and command lines
Correlate network and file activity

Why LOLBins matter

Living Off The Land techniques abuse legitimate tools already present on Windows devices. The file name may look trusted, but the behaviour tells a different story.
Trusted binaries can be abusedAttackers use signed Microsoft tools such as rundll32.exe, mshta.exe, regsvr32.exe, certutil.exe and bitsadmin.exe to blend in with normal activity.
Command lines reveal intentThe executable may be legitimate, but unusual switches, remote URLs, scripts, encoded content or suspicious arguments can expose malicious behaviour.
Context is everythingParent process, account, device, network destination and file creation evidence help determine whether the binary was used for administration or attack activity.

The LOLBins investigation workflow

Agent Foskett starts with trusted binaries, then follows the process chain to understand why they executed and what they did next.
1. Which trusted binary executed?Search for commonly abused Windows binaries in DeviceProcessEvents.
2. Who launched it?Identify the account, device and initiating process responsible for execution.
3. Was the parent process suspicious?Look for Office, browsers, script hosts or unusual parent-child process relationships.
4. Did the command line contain URLs?Find downloads, remote scripts, proxy execution and unusual switches.
5. Did it contact the Internet?Correlate process activity with outbound network connections.
6. Did it create files?Review downloaded payloads, scripts, DLLs, archives and temporary files.
7. Was it part of a larger chain?Connect LOLBin execution with PowerShell, persistence, credential theft or lateral movement.
8. Can the behaviour be explained?Separate legitimate administration from attacker tradecraft using timeline and context.

Step 1 — Find commonly abused LOLBins

Start with DeviceProcessEvents and search for trusted Windows binaries frequently abused by attackers.
step-1-find-lolbins.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "schtasks.exe", "installutil.exe")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          InitiatingProcessFileName,
          ProcessCommandLine
| order by Timestamp desc

Step 2 — Review suspicious command-line patterns

Look for remote URLs, script execution, encoded content, download behaviour and unusual switches.
step-2-suspicious-command-lines.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
| where ProcessCommandLine has_any ("http", "https", "javascript", "script", "urlcache", "decode", "download", "-enc", "vbscript")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          InitiatingProcessFileName,
          ProcessCommandLine
| order by Timestamp desc

Step 3 — Investigate parent processes

A trusted binary launched by Word, Excel, Outlook, a browser or another script host may indicate suspicious execution.
step-3-parent-processes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe", "chrome.exe", "msedge.exe", "wscript.exe", "cscript.exe", "powershell.exe")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          ProcessCommandLine
| order by Timestamp desc

Step 4 — Correlate LOLBins with network activity

If the binary downloaded content or reached out to external infrastructure, DeviceNetworkEvents can show where it connected.
step-4-network-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
) on DeviceId, InitiatingProcessId
| project ProcessTime = Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          RemoteUrl,
          RemoteIP,
          RemotePort
| order by ProcessTime desc

Step 5 — Find files created after LOLBin execution

Review file creation shortly after trusted binary abuse to identify payloads, scripts, DLLs or dropped tools.
step-5-file-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("certutil.exe", "bitsadmin.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe")
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(24h)
) on DeviceId
| where DeviceFileEvents.Timestamp between (DeviceProcessEvents.Timestamp .. DeviceProcessEvents.Timestamp + 10m)
| project ProcessTime = DeviceProcessEvents.Timestamp,
          FileTime = DeviceFileEvents.Timestamp,
          DeviceName,
          AccountName,
          LOLBin = DeviceProcessEvents.FileName,
          CreatedFile = DeviceFileEvents.FileName,
          FolderPath,
          SHA256
| order by FileTime desc

Step 6 — Build the LOLBins timeline

Place process, parent process, network and file evidence into a timeline so the behaviour can be explained clearly.
step-6-lolbins-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe")
| project Timestamp,
          EventType = "Process",
          DeviceName,
          AccountName,
          Evidence = strcat(FileName, " launched by ", InitiatingProcessFileName),
          Detail = ProcessCommandLine
| order by Timestamp asc

How to read the evidence

A LOLBin investigation depends on context. The same binary can be normal on one device and suspicious on another.
The binary is not enoughDo not assume a trusted executable is safe. Review the command line, parent process and account context.
Parent process mattersOffice or browser processes launching LOLBins can indicate phishing, drive-by download behaviour or document-based execution.
Network activity changes the storyA signed binary contacting unknown infrastructure may point to download, staging or command-and-control behaviour.
Files close the loopDropped scripts, DLLs, archives or executables can show what the trusted binary helped deliver.

Real-world investigation

The alertA Defender alert highlights regsvr32.exe executing with an unusual command line on a user workstation.
The parent processDeviceProcessEvents shows Outlook launched the chain after the user opened an attachment.
The trusted binaryregsvr32.exe executed remotely hosted script content rather than a normal local DLL registration task.
The outbound connectionDeviceNetworkEvents shows the device contacted an unfamiliar external domain shortly after execution.
The file evidenceDeviceFileEvents records a script and DLL written into a temporary folder after the connection.
The conclusionThe investigation confirms a trusted Windows binary was abused for malicious execution and payload staging.

Investigation checklist

Trusted binary identifiedConfirm which LOLBin executed and whether that binary is normally used on the device.
Command line reviewedCheck arguments, URLs, encoded content, script references and unusual switches.
Parent process checkedIdentify the process that launched the binary and decide whether the relationship makes sense.
Account context confirmedReview whether the account is a user, admin, service account or compromised identity.
Network activity correlatedCheck RemoteUrl, RemoteIP, ports and timing after execution.
Files inspectedReview created files, hashes, folders and initiating process details.
Timeline completedDocument how the trusted binary was used and what happened immediately before and after.

Related Agent Foskett Academy lessons

Investigating PowerShell AttacksReview encoded commands, suspicious execution and parent process evidence.
Investigating Lateral MovementTrack attacker movement across devices, accounts and remote connections.
Investigating Ransomware BehaviourInvestigate mass file activity, suspicious processes and endpoint impact.
Correlating EmailEvents with DeviceProcessEventsDetermine what executed after suspicious email activity.
Correlating DeviceProcessEvents with DeviceNetworkEventsConnect process execution with outbound network activity.
Building a Complete Phishing InvestigationFollow email, click, process, network and file evidence through a complete investigation.

Coming next

Lesson 85 turns the evidence into a structured device timeline.
Lesson 85 — Building a Device TimelineNext, Agent Foskett combines process, file, network and logon activity into a clear endpoint timeline defenders can explain and act on.
Why this mattersLOLBins are rarely isolated. A device timeline helps prove what launched, what changed, what connected and what happened next.

Final thought

A trusted file name is not the same as trusted behaviour.
Agent Foskett mindsetDo not stop because the binary is signed. Follow the command line, parent process, network connection and files created afterwards.
The command line told the storyWhen attackers live off the land, the evidence is often hiding in plain sight.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating Living Off The Land LOLBins in Microsoft Defender XDR

Agent Foskett Academy Lesson 84 teaches defenders how to investigate Living Off The Land techniques in Microsoft Defender XDR.

Defender XDR LOLBins investigation workflow

This lesson explains how DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, rundll32.exe, regsvr32.exe, mshta.exe, certutil.exe, bitsadmin.exe, command lines, parent processes, RemoteUrl, RemoteIP and file hashes help defenders investigate trusted Windows binaries abused by attackers.