CrowdStrike®️ Falcon OverWatch™️ Elite conducted a thorough analysis of observed interactive intrusion activity spanning a one-year period from July 2021 through June 2022 to determine specifically which LOLBins adversaries are leveraging in the wild. Analysts conducted their research with two goals in mind: 1) gaining a better understanding of today’s adversary, and 2) leveraging that understanding to provide expert threat advisory and tailored hunting — both key features of the Falcon OverWatch Elite service.

This research paper summarizes the result of this analysis and provides a deep dive into eight of the most prevalent LOLBins used by adversaries during this period:

• Rundll32
• Regsvr32
• Msiexec
• Mshta
• Certutil
• MSBuild
• WMI command line utility (WMIC)
• WMI provider host (WmiPrvSe)

Within each section is a detailed description of what the specific LOLBin is, how adversaries use it in the wild, and how threat hunters can hunt for evidence of abuse in their environment. Readers can peruse all of the LOLBins in this paper or simply read the section most relevant to their needs.