Adversaries may abuse Microsoft-signed binaries and scripts (LolBins/LolScripts) to execute arbitrary commands without triggering standard detection mechanisms. SOC teams should proactively hunt for this behaviour in Azure Sentinel to identify phishing or lateral-movement attempts that evade traditional detection.
KQL Query
```kql
// LOLBAS binary names, pulled from a community CSV export of the LOLBAS project
let Bin = externaldata(Binary: string) [@"https://raw.githubusercontent.com/sonnyakhere/LOLBAS_to_CSV/main/lolbas.csv"] with (format="csv", ignoreFirstRecord=true);
// Command-line tokens that indicate a remote fetch
let ioc = dynamic(["http", "ftp"]);
SecurityEvent
| where EventID == 4688
| where TimeGenerated between ( ago(1d) .. now() )
// Exclude system-initiated activity (computer accounts end in "$")
| where SubjectUserName !endswith "$"
| where SubjectUserName != "SYSTEM"
| where ParentProcessName has_any (Bin)
// Only keep processes whose command line matches one or more of the defined IOCs
| where CommandLine has_any (ioc)
| project TimeGenerated, SubjectMachineName, SubjectUserName, ParentProcessName, Process, CommandLine
| sort by TimeGenerated asc
```
```yaml
id: 4a6030de-c11c-4206-b4ea-cd005ebf80a2
name: Suspicious command line tokens in LolBins or LolScripts
description: |
  'This query identifies Microsoft-signed binaries and scripts that are not system initiated. This technique is commonly used in phishing attacks.'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
tactics:
  - Execution
relevantTechniques:
  - T1218
query: |
  let Bin = externaldata(Binary: string) [@"https://raw.githubusercontent.com/sonnyakhere/LOLBAS_to_CSV/main/lolbas.csv"] with (format="csv", ignoreFirstRecord=true);
  let ioc = dynamic(["http", "ftp"]);
  SecurityEvent
  | where EventID == 4688
  | where TimeGenerated between ( ago(1d) .. now() )
  // Exclude system-initiated activity (computer accounts end in "$")
  | where SubjectUserName !endswith "$"
  | where SubjectUserName != "SYSTEM"
  | where ParentProcessName has_any (Bin)
  // Only keep processes whose command line matches one or more of the defined IOCs
  | where CommandLine has_any (ioc)
  | project TimeGenerated, SubjectMachineName, SubjectUserName, ParentProcessName, Process, CommandLine
  | sort by TimeGenerated asc
# Entity mappings must reference columns the query actually projects
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectUserName
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: SubjectMachineName
version: 1.0.0
```
| Sentinel Table | Notes |
|---|---|
| SecurityEvent | Ensure this data connector is enabled |
- Scenario: A system administrator uses schtasks.exe to schedule a legitimate maintenance script via the command line.
  - Filter/Exclusion: Exclude processes initiated by the schtasks.exe command or processes with CommandLine containing `schtasks /create`.
- Scenario: A developer runs PowerShell.exe to execute a script that is part of a CI/CD pipeline, such as Invoke-Command to deploy code.
  - Filter/Exclusion: Exclude processes with CommandLine containing `PowerShell.exe -Command` or originating from known CI/CD tool paths (e.g., `C:\Program Files\Azure DevOps\`).
- Scenario: An IT support technician uses certutil.exe to import a trusted certificate into the local machine store.
  - Filter/Exclusion: Exclude processes with CommandLine containing `certutil -addstore` or originating from the certutil.exe binary path.
- Scenario: A database administrator runs sqlcmd.exe to execute a T-SQL script for routine data backup.
  - Filter/Exclusion: Exclude processes with CommandLine containing `sqlcmd -S` or originating from SQL Server tools directories (e.g., `C:\Program Files\Microsoft SQL Server\`).
- Scenario: A system update task uses msiexec.exe to install a legitimate Windows update via a scheduled task.
  - Filter/Exclusion: Exclude processes with CommandLine containing `msiexec /i` or originating from Windows Update directories (e.g., `C:\Windows\Temp\`).
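The hunting query above with the scenario exclusions folded in as allowlists, as an added example rather than the rule's own code; it assumes the standard SecurityEvent columns `Computer` and `NewProcessName` in place of the rule's `SubjectMachineName` and `Process`, and the token and path values are the ones named in the scenarios.

```kql
// Added example, not part of the original rule: the LOLBin hunt with the
// false-positive exclusions from the scenarios applied as allowlists.
let Bin = externaldata(Binary: string)
    [@"https://raw.githubusercontent.com/sonnyakhere/LOLBAS_to_CSV/main/lolbas.csv"]
    with (format="csv", ignoreFirstRecord=true);
let ioc = dynamic(["http", "ftp"]);
// Command-line fragments the scenarios describe as routine administrative use
let benignCmdTokens = dynamic([
    "schtasks /create",
    "PowerShell.exe -Command",
    "certutil -addstore",
    "sqlcmd -S",
    "msiexec /i"]);
// Directories the scenarios name as known-good tooling locations
let benignPaths = dynamic([
    @"C:\Program Files\Azure DevOps\",
    @"C:\Program Files\Microsoft SQL Server\",
    @"C:\Windows\Temp\"]);
SecurityEvent
| where EventID == 4688
| where TimeGenerated between (ago(1d) .. now())
// Exclude system-initiated activity (computer accounts end in "$")
| where SubjectUserName !endswith "$" and SubjectUserName != "SYSTEM"
// Parent is a LOLBAS-listed binary and the command line carries a fetch token
| where ParentProcessName has_any (Bin)
| where CommandLine has_any (ioc)
// Drop the tuned-out scenarios. has_any does case-insensitive term/phrase matching,
// so "powershell.exe -command" is excluded as well. Measure what each token removes
// before deploying: a broad one such as "msiexec /i" hides every MSI install that
// also references a URL, which is exactly the pattern the hunt is looking for.
| where not(CommandLine has_any (benignCmdTokens))
| where not(NewProcessName has_any (benignPaths) or ParentProcessName has_any (benignPaths))
| project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
| sort by TimeGenerated asc
```

Run the query once with the two `not(...)` lines commented out and compare row counts to see how much each allowlist suppresses before adopting it in the analytic rule.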