CrowdStrike Falcon OverWatch Insights: 8 LOLBins Every Threat Hunter Should Know

After dissecting a full year's worth of interactive intrusion data, the CrowdStrike® Falcon OverWatch Elite team has identified the most commonly abused living-off-the-land binaries and distilled the insights defenders need in order to protect their organizations against misuse of these binaries.

In this new CrowdStrike research paper, 8 LOLBins Threat Hunters Should Know, Falcon OverWatch Elite, a tailored threat hunting service built on top of Falcon OverWatch managed hunting, provides defenders with tactical, practical threat hunting recommendations for identifying abuse of Rundll32, Regsvr32, Msiexec, Mshta, Certutil, MSBuild, WMIC and WmiPrvSe in their environments. These recommendations are paired with real-world examples of how Falcon OverWatch has observed adversaries abuse each of these LOLBins, giving defenders an in-depth analysis of this ever-popular adversarial tradecraft.

The Dark Side of LOLBins

Adversaries routinely abuse living-off-the-land binaries, or LOLBins as they are commonly called, because they achieve the adversary's objectives with a small footprint: no new tooling has to be dropped on disk. By definition, LOLBins are present on the system by default, can be run by ordinary users, and serve legitimate functions, so their execution blends in with normal activity and is less likely to be flagged.

Because LOLBins are so widely used in interactive intrusion campaigns, they are an excellent target for threat hunters looking to uncover hands-on-keyboard activity before the adversary reaches their objective.

Falcon OverWatch observes both state-nexus and eCrime adversaries leveraging LOLBins for a range of purposes, including reconnaissance, modifying system configuration, data destruction and execution of malicious code.

In one example, Falcon OverWatch observed an eCrime adversary using the Mshta binary in activity consistent with hands-on ransomware preparation. Rather than executing an .hta file, the adversary leveraged Mshta's ability to run script passed inline on the command line, and used that script in an attempt to make changes to the registry. To conceal the activity, the command line also called the window's resizeTo method with the unusual dimensions of 0 pixels by 2 pixels, shrinking the Mshta window so that it was effectively invisible on screen.
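The paper's own Falcon Event Search queries are not reproduced here. As an added illustration that is not CrowdStrike's code, the following Python scores process-creation events for the Mshta pattern described above: script passed inline on the command line instead of an .hta file, a resizeTo call with tiny dimensions, registry writes from that script, and a hands-on-keyboard or Office parent process. The sample events, the threshold of 10 pixels and the parent-process list are constructed assumptions for the example, not observed telemetry.

```python
import re

# Constructed process-creation events for illustration only (not OverWatch telemetry).
# Event 1 is a benign .hta launch; events 2 and 3 mimic inline-script abuse; event 4 is unrelated.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"id": 2, "parent": "cmd.exe",
     "cmdline": ('mshta.exe javascript:window.resizeTo(0,2);'
                 'var s=new ActiveXObject("WScript.Shell");'
                 's.RegWrite("HKCU\\\\Software\\\\Demo\\\\Run","1","REG_SZ");window.close();')},
    {"id": 3, "parent": "winword.exe",
     "cmdline": ('mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run '
                 '""cmd /c reg add HKCU\\Software\\Demo /v x /d y"",0:window.close")')},
    {"id": 4, "parent": "svchost.exe", "cmdline": "notepad.exe"},
]

# Inline script protocol handlers that Mshta accepts directly on the command line.
INLINE_SCRIPT = re.compile(r'\b(javascript|vbscript|about):', re.IGNORECASE)
# window.resizeTo(width, height) with both dimensions captured.
RESIZE_TO = re.compile(r'resizeTo\s*\(\s*(\d+)\s*,\s*(\d+)\s*\)', re.IGNORECASE)
# Registry modification via WScript.Shell methods, reg.exe, or a bare hive path.
REGISTRY = re.compile(
    r'RegWrite|RegDelete|\breg(\.exe)?\s+(add|delete|import)\b|HK(LM|CU|CR|U)\\',
    re.IGNORECASE)
# Assumed list of parents that suggest hands-on-keyboard or document-driven execution.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "winword.exe", "excel.exe", "outlook.exe"}
HIDDEN_WINDOW_MAX_PX = 10  # assumed threshold: anything this small is not meant to be seen


def image_name(cmdline):
    """Return the lowercase basename of the first token of a command line."""
    token = cmdline.strip()
    if token.startswith('"'):
        token = token[1:].split('"', 1)[0]
    else:
        token = token.split(None, 1)[0]
    return token.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def analyze_mshta(event):
    """Return a list of human-readable reasons an Mshta event looks suspicious (empty if none)."""
    reasons = []
    cmd = event["cmdline"]
    if image_name(cmd) != "mshta.exe":
        return reasons
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline script on the command line instead of an .hta file")
    m = RESIZE_TO.search(cmd)
    if m and all(int(d) <= HIDDEN_WINDOW_MAX_PX for d in m.groups()):
        reasons.append(f"window shrunk to {m.group(1)}x{m.group(2)} pixels (hidden window)")
    if REGISTRY.search(cmd):
        reasons.append("registry modification attempted from script")
    if event["parent"].lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {event['parent']} (hands-on-keyboard or Office parent)")
    return reasons


def hunt(events):
    """Return (event id, reasons) for every event that triggers at least one indicator."""
    findings = []
    for event in events:
        reasons = analyze_mshta(event)
        if reasons:
            findings.append((event["id"], reasons))
    return findings


if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the constructed events, only events 2 and 3 are returned; the benign .hta launch under explorer.exe produces no indicators, which is the point of stacking several weak signals rather than alerting on every Mshta execution. In a real hunt the same logic would be expressed in the EDR's query language and tuned against the environment's own baseline of legitimate Mshta use.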


Falcon OverWatch Arms Against LOLBin Abuse

By studying hands-on-keyboard activity to learn exactly how adversaries use these tools and to what end, defenders can arm themselves and their teams with the insight needed to combat this kind of malicious activity. Falcon OverWatch Elite has done that groundwork. The research paper provides Event Search queries, ready to run in the Falcon console, for the most prominent, interesting and impactful LOLBins investigated. Alongside those queries, defenders will find tactical threat intelligence on how Falcon OverWatch has observed adversaries leverage each LOLBin in the wild, together with further threat hunting recommendations broken down by binary.

Proactive threat hunting is fundamental for any security team looking to uncover the needle-in-a-haystack threat that LOLBin abuse poses to all organizations, regardless of size, geographic location or industry.

This paper also showcases the tailored threat hunting support that is one of the many services offered to Falcon OverWatch Elite customers. Falcon OverWatch Elite's team of experienced threat response analysts partners with organizations to augment their threat hunting capabilities and to provide advisory and query-development support, enabling teams to hunt around areas of concern, including LOLBins.
