8 LOLBins Every Threat Hunter Should Know

On-demand

Learn how adversaries abuse LOLBins and how you can uncover these activities using threat hunting recommendations.

Join expert threat hunters from CrowdStrike’s Falcon OverWatch Elite team as they investigate how adversaries abuse living-off-the-land binaries (LOLBins) to stealthily achieve actions on objectives. After dissecting a full year’s worth of interactive intrusion data, Falcon OverWatch Elite threat hunters identified the most commonly abused LOLBins — and distilled the critical insights that defenders need to know to protect their organizations against the misuse of these binaries. 

Watch this CrowdCast to learn more about:

  • Major trends associated with LOLBin abuse
  • Real-world examples of Rundll32, wmic/WmiPrvSE, and Msiexec abuse taken from actual Falcon OverWatch observed intrusions
  • Tactical and practical threat hunting recommendations to help you uncover this activity in your environment

After watching the CrowdCast, you can find additional LOLBins featured in the new research paper 8 LOLBins Threat Hunters Should Know, which provides in-depth analysis and further insight into this adversarial tradecraft.

Featured Speakers

James Weekes

Sr. Threat Response Analyst, OverWatch Elite

James Weekes, a Senior Threat Response Analyst on Falcon OverWatch Elite, has over six years of cybersecurity experience. He is on a team of threat hunters who are dedicated to helping clients detect and disrupt advanced adversary activity to better defend their organizations. Prior to joining CrowdStrike, James has worked as a SOC Analyst, Incident Responder and Lead Threat Detection Engineer. Throughout his career he has delivered Host- and Network-based Threat Hunting spanning Defense and Aerospace, Critical National Infrastructure and Government.

Jessica Lee

Sr. Threat Response Analyst, OverWatch Elite

Jessica Lee, a Senior Threat Response Analyst on Falcon OverWatch Elite, has over eight years of cybersecurity experience. She is on a team of threat hunters who are dedicated to helping clients detect and disrupt sophisticated adversary activity to better defend their organizations. Prior to her current role with CrowdStrike, Jessica helped to build threat intelligence capabilities at two global organizations, one being an oil and gas supermajor and the other a global financial organization with a focus on investments and insurance. Additionally, Jessica holds the GCFA, GCIA, GCTI, and GSEC GIAC certifications.

Wietze Beukema

Sr. Threat Response Analyst, OverWatch Elite

Wietze Beukema is a Senior Threat Response Analyst on CrowdStrike’s Falcon OverWatch Elite team. In this role, he proactively hunts for advanced threats in the environments of large, multinational organizations. Next to being one of the maintainers of the community-driven LOLBAS Project, he has previously presented at industry-wide recognized conferences, including DEF CON, BSides London, EU MITRE ATT&CK Community and SANS DFIR Summit, on topics including adversary emulation, DLL Hijacking and Command-Line Obfuscation.

Tech Hub

  • OS icon
  • deployment icon
  • installation icon

For technical information on installation, policy configuration and more, please visit the CrowdStrike Tech Hub.

Visit Tech Hub