LOLBAS Detection
Living off the Land Binaries and Scripts (LOLBAS) refers to legitimate Windows binaries that attackers abuse to execute code, download payloads, evade detection, and persist on systems. Because these binaries are signed by Microsoft and present on every Windows installation, they bypass application allowlisting, antivirus signature matching, and many trust-based controls. LOLBAS detection is one of the highest-value additions to a Sysmon configuration.
ICS Watch Dog provides LOLBAS detection in three tiers, balancing high-signal coverage with the false positive sensitivity of OT environments.
Why LOLBAS Detection Matters in OT
OT environments are particularly vulnerable to LOLBAS abuse for three reasons:
- Application allowlisting often relies on signed binaries. AppLocker and similar controls trust Microsoft-signed binaries by default, so a LOLBAS technique using `certutil` or `regsvr32` sails through allowlisting that would block a custom malware binary.
- OT systems should have very predictable process activity. An HMI or engineering workstation does not need to run `mshta http://`, `powershell -encodedcommand`, or `wmic /node: process call create`. When these patterns appear, they almost certainly indicate intrusion.
- Recent OT incidents involved LOLBAS. The 2021 Oldsmar water treatment plant incident, the 2024 ConnectWise ScreenConnect mass exploitation, and many ransomware affiliates targeting industrial environments all use LOLBAS as part of their initial access and lateral movement chains.
The Three-Tier Strategy
LOLBAS detection in ICS Watch Dog is organized into three tiers based on signal-to-noise ratio. Higher tiers add broader coverage at the cost of more potential false positives. Operators opt in to higher tiers as their monitoring program matures.
| Tier | Where it lives | Rule count | False positive expectation |
|---|---|---|---|
| Tier 1 -- Core | Inline RuleGroup in all 8 curated configs | ~17 composite Rules | Near zero. Each rule scoped by command-line pattern. |
| Tier 2 -- Advanced | Inline RuleGroup in 5 advanced configs (jumphost, server-ad, server-services, enhanced-ot, advanced-ot) | ~22 rules (mix of composite and binary-only) | Low to moderate. Some legitimate admin uses possible. |
| Tier 3 -- Comprehensive | Opt-in modules in sysmon-configs/modules/lolbas/ | 13 modules, 153 rules total | Moderate. Sigma-level coverage requires environment-specific tuning. |
How Tiers Build on Each Other
The three baseline configs (baseline-it-workstation, baseline-it-server, baseline-ot) ship with Tier 1 only. Their false positive profile is protected for environments that prioritize stability over detection breadth.
The five advanced configs ship with Tier 1 plus Tier 2. These configs (jump host, AD/DC, database/web servers, OT enhanced/advanced) assume the operator has a mature tuning program and accepts moderate noise in exchange for broader detection.
Advanced users can additionally merge Tier 3 modules into any base config using the module library to add Sigma-level coverage of specific LOLBAS technique families.
Tier 1: Core LOLBAS Detection (All Configs)
Twelve detections implemented as ~17 composite Rules. Each rule uses <Rule groupRelation="and"> with binary + command-line pattern matching to minimize false positives. Every match warrants investigation.
| Detection | ATT&CK | What it catches |
|---|---|---|
| certutil -urlcache | T1105 / T1140 | certutil downloading a file from a URL. No legitimate OT use. |
| certutil -decode | T1140 | certutil decoding a base64-staged payload. |
| mshta http(s):// | T1218.005 / T1105 | mshta loading a remote HTML application over HTTP. |
| regsvr32 /i:http | T1218.010 | Squiblydoo remote COM scriptlet load. |
| bitsadmin /transfer | T1197 / T1105 | BITS file transfer download. Replaced by PowerShell BITS module in modern admin work. |
| PowerShell -encodedcommand or -enc | T1059.001 / T1027 | Encoded PowerShell command. Covers powershell.exe, pwsh.exe, and powershell_ise.exe. |
| PowerShell DownloadString | T1059.001 / T1105 | Net.WebClient.DownloadString stager pattern. Covers all 3 PowerShell binaries. |
| PowerShell IEX(New-Object or Invoke-Expression(New-Object | T1059.001 | In-memory PowerShell execution cradle. Covers all 3 PowerShell binaries. |
| WMIC /format:http or format:"http | T1220 | XSL script processing remote stylesheet. |
| WMIC /node: or process call create | T1047 / T1021.003 | WMIC remote process execution lateral movement. |
| rundll32 javascript: | T1218.011 / T1059.007 | Rundll32 JavaScript URL handler abuse. |
| msdt.exe PCWDiagnostic or ms-msdt: | T1218 | Follina exploit pattern (CVE-2022-30190). |
Tier 2: Advanced LOLBAS Detection (5 Configs)
Twenty additional detections in 22 XML rules added to jumphost, server-ad, server-services, enhanced-ot, and advanced-ot. Tier 2 broadens coverage with binary-only detections and additional command-line patterns.
| Detection | ATT&CK | What it catches |
|---|---|---|
| certutil -encode | T1132 / T1027 | Base64 encode for exfiltration staging. |
| mshta vbscript: / javascript: | T1218.005 | Inline mshta script execution without remote URL. |
| Generic mshta.exe | T1218.005 | Any mshta.exe execution (binary-only detection). |
| Generic bitsadmin.exe | T1197 | Any bitsadmin.exe execution (binary-only detection). |
| PowerShell -w hidden -nop combo | T1059.001 / T1564.003 | Stealth PowerShell launcher pattern. |
| PowerShell -ep bypass | T1059.001 / T1562.001 | Execution policy bypass. |
| PowerShell from AppData\Local\Temp\ | T1059.001 / T1564.001 | PowerShell binary copied to user temp directory. |
| InstallUtil /U | T1218.004 | InstallUtil uninstall mode (Squiblytwo). |
| regasm.exe / regsvcs.exe | T1218.009 | .NET utility execution. |
| msxsl.exe | T1220 | Standalone XSL transformation utility. |
| cmstp /au / /s | T1218.003 | Connection Manager profile install abuse. |
| wuauclt /UpdateDeploymentProvider | T1218 | Windows Update client DLL sideload. |
| Generic msbuild.exe | T1127.001 | MSBuild execution (tune for Visual Studio install paths). |
| csc.exe parented by PowerShell or cmd | T1027.004 | C# compile-after-delivery from a shell parent. |
| mavinject.exe | T1055.001 | App-V DLL injection utility. |
| pcalua.exe | T1218 | Program Compatibility Assistant proxy. |
| forfiles with cmd in /c | T1059.003 / T1218 | forfiles process execution proxy. |
| finger.exe | T1105 | Legacy finger client used as exfil/download channel. |
Tier 3: Comprehensive LOLBAS Modules
13 opt-in modules in sysmon-configs/modules/lolbas/ providing Sigma-level coverage organized by ATT&CK technique family. Use the merge tool to combine these modules with a base curated config.
| Module | Rules | ATT&CK Focus |
|---|---|---|
| include_signed_binary_proxy.xml | 25 | T1218 family comprehensive (mshta, regsvr32, rundll32, cmstp, msiexec, odbcconf, control, dfsvc, gpscript, ie4uinit, mmc, msconfig, pcwrun, presentationhost, rasautou, runonce, verclsid, xwizard) |
| include_powershell_offensive.xml | 15 | T1059.001 offensive patterns: triple stealth flag combo, FromBase64String, Reflection.Assembly Load, TCPClient reverse shell, Invoke-Mimikatz/Kerberoast/BloodHound, double-IEX, Set-MpPreference, web cradles, string concatenation evasion |
| include_wmic_abuse.xml | 10 | T1047 / T1021.003 / T1220 / discovery (process call create, /node:, XSL processing, qfe, computersystem, useraccount, group, service, startup) |
| include_certutil_abuse.xml | 8 | All certutil abuse modes (urlcache, decode, encode, decodehex, encodehex, ping, verifyctl, addstore root) |
| include_bitsadmin_abuse.xml | 6 | T1197 BITS abuse (transfer, addfile, setnotifycmdline, setminretrydelay, create, resume) |
| include_script_host_abuse.xml | 10 | T1059.005/T1059.007 cscript/wscript/jscript abuse (with .vbs/.js from temp/Recycle Bin/HTTP, parented by Office macros) |
| include_trusted_developer_utilities.xml | 12 | T1127 (msbuild generic and from temp, csc, vbc, jsc, ilasm, tracker /d, dnx, rcsi, csi, ngen) |
| include_xsl_script_processing.xml | 6 | T1220 XSL Script Processing (WMIC and msxsl variants) |
| include_persistence_via_lolbas.xml | 10 | T1547.001 / T1053.005 / T1543.003 / T1546.012 (at, schtasks variants, sc create binPath, reg add Run/RunOnce/IFEO) |
| include_discovery_recon.xml | 15 | T1033/T1069/T1087/T1018/T1057/T1082/T1016 discovery commands (whoami, net group, nltest, quser, qwinsta, tasklist /svc, systeminfo, route, arp) |
| include_amsi_bypass_patterns.xml | 8 | T1562.001 AMSI bypass strings in PowerShell command lines |
| include_dotnet_unmanaged_abuse.xml | 8 | T1218 / T1127 .NET unmanaged execution (csi, Microsoft.Workflow.Compiler, jsc, dotnet from temp/Public, InstallUtil/RegSvcs/RegAsm from AppData) |
| include_uncommon_lolbas.xml | 20 | T1218 long-tail rare LOLBAS plus WSL detection (replace, runscripthelper, AgentExecutor, AppInstaller, ConfigSecurityPolicy, dnscmd /serverlevelplugindll, hh, ttdinject, OfflineScannerShell, MSDeploy, Squirrel, Update.exe, WorkFolders, wsl.exe) |
| Total | 153 | -- |
AMSI Bypass Limitation
The AMSI bypass patterns module covers known string-based bypass techniques (amsiInitFailed, AmsiScanBuffer, AmsiContext, AmsiUtils, etc.). These strings are derived from public bypass tools. Determined attackers rotate strings or use unpublished bypass techniques not covered by this module. Treat this module as one signal among many, and pair with broader PowerShell behavioral analytics in your SIEM. Advanced users should extend the module with site-specific patterns observed in their environment.
OT False Positive Tuning Guide
LOLBAS detection in OT environments requires balancing detection coverage with operational stability. The Tier 1/Tier 2 split exists precisely for this reason: baseline configs stay conservative, advanced configs accept more noise.
Common False Positive Sources
- SCCM and management agents: System Center Configuration Manager and similar agents may invoke `certutil`, `bitsadmin`, `powershell -encodedcommand`, and WMIC for legitimate management tasks. Identify the parent service and exclude by parent process.
- Backup and monitoring agents: Veeam, Commvault, Zabbix, PRTG, and similar tools may run discovery commands, schedule tasks, and use BITS internally.
- Vendor maintenance scripts: OT vendor support scripts (Siemens, Rockwell, Schneider, etc.) sometimes use certutil for certificate operations or PowerShell for data collection. Document and exclude specific vendor script paths.
- Engineering workstations with Visual Studio: Tier 2 includes generic `msbuild.exe` detection. Engineers running Visual Studio will trigger this constantly. Either use the baseline config (Tier 1 only) on engineering workstations, or exclude the Visual Studio install path.
- Security tools: EDR products and red team training tools may legitimately exercise LOLBAS techniques. Identify and exclude.
Tuning Approach
- Deploy in a non-production lab or pilot environment first
- Monitor LOLBAS rule fire volume for 7-30 days
- Identify high-volume rules and the parent processes triggering them
- Add specific exclusions by parent process or full image path -- not by binary alone
- Document each exclusion in a per-site exclusion file or tuning notes
- Re-evaluate quarterly
Per-Rule Tuning Notes
Each LOLBAS rule in the curated configs (Tier 1 and Tier 2) has a maintainer XML comment block above it documenting the ATT&CK technique, the abuse pattern, OT-specific tuning notes, and investigation guidance. Read the source XML files for per-rule context. The Tier 3 modules also include header comments explaining false positive risks and tuning recommendations.
Composite Rule Logic
Tier 1 and most Tier 2 LOLBAS rules use Sysmon's composite <Rule groupRelation="and"> elements. A composite Rule fires only when ALL inner conditions match. This is essential for high-precision LOLBAS detection that scopes by binary AND command-line pattern simultaneously.
```xml
<Rule name="technique_id=T1218.005|T1105,technique=Mshta,detection=Mshta loading remote HTA over HTTP/HTTPS"
      groupRelation="and">
  <Image condition="end with">\mshta.exe</Image>
  <CommandLine condition="contains">http</CommandLine>
</Rule>
```
This rule fires only when both conditions match: the process is mshta.exe AND its command line contains http. Either condition alone would not trigger.
Schema compatibility: Composite Rules are supported in Sysmon schema 4.20 and later. The ICS Watch Dog baseline schema 4.50 (Sysmon v13+) supports them.
Tagging convention: Per the ATT&CK Rule Tagging convention, the parent <Rule> element receives the tagged name. Inner field conditions stay untagged to avoid duplicate names in the event log.
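To make the composite include/exclude semantics concrete, here is an added Python evaluator (not part of ICS Watch Dog or its merge tool) that parses a constructed Sysmon fragment containing the mshta rule above plus a parent-scoped exclusion of the kind the tuning guide recommends, and evaluates sample process-creation events against it. The management-agent path is a hypothetical placeholder, and the evaluator models only the ProcessCreate conditions used here (is, contains, begin with, end with).

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon fragment (not from the ICS Watch Dog configs): the Tier 1
# mshta composite rule as an include, plus a tuning exclusion scoped by parent
# image. The agent path is a hypothetical placeholder, not a real product path.
CONFIG = r"""<Sysmon schemaversion="4.50"><EventFiltering>
<RuleGroup name="" groupRelation="or"><ProcessCreate onmatch="include">
  <Rule name="technique_id=T1218.005|T1105,technique=Mshta" groupRelation="and">
    <Image condition="end with">\mshta.exe</Image>
    <CommandLine condition="contains">http</CommandLine>
  </Rule>
</ProcessCreate></RuleGroup>
<RuleGroup name="" groupRelation="or"><ProcessCreate onmatch="exclude">
  <Rule name="site_tuning_mgmt_agent" groupRelation="and">
    <ParentImage condition="is">C:\Program Files\ExampleAgent\agent.exe</ParentImage>
    <Image condition="end with">\mshta.exe</Image>
  </Rule>
</ProcessCreate></RuleGroup>
</EventFiltering></Sysmon>"""

def field_matches(event, field, condition, value):
    """One Sysmon field condition; Sysmon string matching is case-insensitive."""
    actual, value = event.get(field, "").lower(), value.lower()
    return {"is": actual == value, "contains": value in actual,
            "end with": actual.endswith(value),
            "begin with": actual.startswith(value)}[condition]

def node_matches(node, event):
    """A bare field is one condition; a composite Rule combines its children
    with groupRelation ('and' needs every inner condition to hit)."""
    if node.tag != "Rule":
        return field_matches(event, node.tag, node.get("condition", "is"), node.text or "")
    hits = [node_matches(child, event) for child in node]
    return all(hits) if node.get("groupRelation", "or") == "and" else any(hits)

def evaluate(event, config=CONFIG):
    """Return (logged, rule_name). Sysmon gives exclude matches precedence:
    an event is dropped if any exclude rule hits, logged if an include hits."""
    root = ET.fromstring(config)
    for onmatch in ("exclude", "include"):
        for section in root.iter("ProcessCreate"):
            if section.get("onmatch") != onmatch:
                continue
            for node in section:
                if node_matches(node, event):
                    return (onmatch == "include", node.get("name", node.tag))
    return (False, None)
```

Note that the exclusion keys on ParentImage plus Image together, so mshta launched under any other parent still reaches the Tier 1 rule.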
Comparison with Other Sysmon Configs
| Project | LOLBAS Coverage | Approach |
|---|---|---|
| SwiftOnSecurity sysmon-config | Heavy inline | Single-file enterprise IT config with extensive LOLBAS rules baked in. Excellent coverage but no OT-specific FP profile. |
| olafhartong/sysmon-modular | Heavy modular | Dedicated include_living_off_the_land.xml module among 200+ modules. Sigma-level depth. Targets enterprise IT with Sysmon v15+. |
| SigmaHQ/sigma | Very heavy (rules) | Sigma rule library with comprehensive LOLBAS coverage. Sigma rules can be converted to Sysmon configs but are not Sysmon-native. |
| ICS Watch Dog | Three-tier (inline + modules) | Tier 1 baseline (12 detections), Tier 2 advanced configs (~20 detections), Tier 3 modules (153 rules across 13 modules). OT-friendly false positive profile preserved at the baseline level. |
The three-tier strategy is unique to ICS Watch Dog among Sysmon configuration projects. It addresses the OT-specific need for stable, low-FP detection at the baseline level while still offering Sigma-level depth for advanced users.
References
- LOLBAS Project -- the canonical catalog of Living off the Land Binaries and Scripts
- MITRE ATT&CK Enterprise Matrix
- T1218 System Binary Proxy Execution
- T1059.001 PowerShell
- T1047 Windows Management Instrumentation
- T1220 XSL Script Processing
- T1127 Trusted Developer Utilities Proxy Execution
- SigmaHQ process creation rules -- rich source for additional command-line patterns
- LOLRMM Project -- complementary catalog of remote monitoring and management tool abuse
- ICS Watch Dog ATT&CK Rule Tagging convention
- ICS Watch Dog Module Library overview