{
	"id": "f20dba98-2187-4bc7-916a-8d1fa941b75e",
	"created_at": "2026-04-06T00:22:06.862938Z",
	"updated_at": "2026-04-10T03:21:17.43625Z",
	"deleted_at": null,
	"sha1_hash": "3f9b9db088d1049ab8248c8ae702b76598be399d",
	"title": "Threat Hunting: From LOLBins to Your Crown Jewels",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 625833,
	"plain_text": "Threat Hunting: From LOLBins to Your Crown Jewels\r\nBy Niv Yona\r\nArchived: 2026-04-05 20:07:41 UTC\r\nContinuous, real-time threat hunting is one of the key capabilities that organizations need today. By sharing the strategies\r\nthat our Threat Hunting and Incident Response teams use, I hope to show you how you can implement threat hunting on\r\nyour network as an integral part of your security operations.\r\nWhat Does Threat Hunting Mean?\r\nThreat hunting involves a proactive search for adversarial activity on the network, as opposed to the more common reactive\r\napproach of simply responding to incidents that have already been detected. Threat actors are constantly evolving and\r\nadapting to bypass security solutions. \r\nAs a defender you need to learn how to identify not only single, static items or behaviors such as a malicious file hash or\r\ndomain, but also chains of behavior. In certain combinations, some chains of behaviors are either extremely rare or represent\r\nan advantage to an attacker. Your team must also know how to differentiate between the benign use and the abuse of these\r\nlegitimate tools for malicious activities.\r\nWhile automated solutions such as firewalls, antivirus (AV), and Endpoint Detection and Response (EDR) products can\r\ndetect many attacks, only a proactive approach by a threat hunter can uncover some techniques and behavioral patterns. For\r\ninstance, “living off the land binaries” (LOLBins) executions, which use legitimate tools for malicious purposes, might need\r\na human eye to get a verdict.\r\nThreat hunters continuously and proactively analyze different telemetry data, discovering new dimensions to each\r\ninvestigation to separate benign “noise” from actual attacks. Organizations can benefit from this kind of work by integrating\r\nnewly discovered techniques and patterns into their solutions to enhance their detection capabilities. 
\r\nThreat hunters analyze telemetry data and logs to:\r\nLook for malicious behavior, or Indicators of Behavior (IOBs) on endpoints and for process activities, connections\r\nand more.\r\nLeverage IOBs to identify unknown threats instead of relying on Indicators of Compromise (IOCs) from known\r\nthreats.\r\nTransform tactics, techniques, and procedures (TTPs) into tactical hunting queries to surface attacks at their earliest\r\nstages.\r\nHunting Methodology\r\nLet’s look at the methodology and some examples of what you can do:\r\nOrganize Your Knowledge\r\nThe first step is to gain access to information about TTPs and what is being used right now in the cybersecurity world. \r\nThere are many useful resources available that you can leverage for threat hunting: \r\nSecurity researchers on Twitter and LinkedIn, such as @CR_Nocturnus\r\nSecurity vendors’ blog posts, such as our Cybereason Blog, FireEye, Cisco Talos, SecureList, etc.\r\nThreat reports - look for threat intelligence reports that are relevant to your industry. Try to collaborate with other\r\ncybersecurity experts working in the same industry. Many are willing to combine efforts of defense against their\r\nindustry’s threat actors, a good example is this Reddit.\r\nMITRE ATT\u0026CK - a great resource to get ideas for hunting queries. Start with reading relevant techniques and hunt\r\nfor them in your network. \r\nSometimes these resources will be pretty straightforward and contain IOCs and Yara Rules, and sometimes they have a\r\ndeep-dive analysis that will allow you to create IOBs and hunting queries. Investing in developing your threat hunting\r\nmethodology will contribute to enriching your skills and knowledge down the line. \r\nHunting for LOLBins\r\nOnce you have a topic you want to dive into, start by deepening your knowledge on it. For this blog, we’ll focus on\r\nLOLBins, a topic that is easy to start with. LOLBins have been one of the hottest topics in the industry in the last few years. 
\r\nWhat are LOLBins?\r\nhttps://www.cybereason.com/blog/threat-hunting-from-lolbins-to-your-crown-jewels\r\nPage 1 of 6\n\nLOLBins means the abuse of legitimate and trusted binaries for malicious activities. In the past few years, we’ve seen more\r\nand more threat actors that are using LOLBins to evade detection. LOLBins can be used to perform various activities across\r\nalmost every MITRE ATT\u0026CK tactic.  \r\nActors can use LOLBins to download, execute and upload files, maintain persistence, bypass UAC, perform enumeration, lateral\r\nmovement, exfiltration, and so on. There are many resources like blog posts, tweets, and GitHub pages with extensive\r\ninformation about LOLBins, here are some examples:\r\nChaes Malware - campaign targeting customers of a larger e-commerce platform that abuses msiexec, wscript and\r\ninstallutil\r\nEgregor Ransomware - ransomware variant that has recently been identified in several sophisticated attacks on\r\norganizations worldwide. Egregor abuses rundll32 and bitsadmin\r\nAstaroth Malware - information stealer that was recognized in Europe and mainly affected Brazil, it abuses regsvr32,\r\nwmic and bitsadmin\r\nRamnit Trojan - sLoad and Ramnit pairing in sustained campaigns against the UK and Italy, it abuses bitsadmin,\r\ncertutil and wscript\r\nA great resource to follow is this GitHub page called the LOLBAS Project. On this GitHub page, there is a summary of\r\nwidely known trusted binaries that can be abused for malicious activities. \r\nEvery binary has information as to which types of actions can be abused and examples of how to do it. Those examples will\r\nhelp us to create hunting queries and look for anomalies in those processes. \r\nAs a threat hunter, I would like to focus on the trending binaries and see how they act in real life. Let’s look at BITSadmin\r\nas our example. We’ll start by looking online at what this tool is used for. 
By searching in Google, we can find in\r\nMicrosoft’s documentation that BITSAdmin is a command-line tool that you can use to create, download, or upload jobs and\r\nmonitor their progress. \r\nIn the next step, we’ll look at how attackers abuse this tool. By reading the BITSadmin page in the LOLBAS Project we will\r\nlearn that BITSadmin can be used to download files from external sources, execute files, as well as copy and add data to\r\nADS. By reading blog posts about this tool we can find executions of this tool from real attacks. We can learn about the used\r\ncommand line, process tree behavior, suspicious file events and base our hunting queries on those activities. \r\nWe will use some blog posts to see real-life examples of abuse of BITSadmin:\r\nIn the Egregor Ransomware attack, BITSadmin was used to download one of the payloads:\r\nAbuse of BITSadmin as seen in the Cybereason XDR Platform\r\nFrom this tweet we can learn about the way BITSadmin is used to copy and move files:\r\nFrom one of the Astaroth attacks, we can learn that BITSadmin was used to download multiple binary blobs from a\r\ncommand-and-control (C2) server: \r\nLooking at VirusTotal, sandbox reports will also help us understand related chains of executions. For example, we can\r\nsee in VirusTotal the usage of CMD, wscript.exe and BITSadmin when we look at the Astaroth sample:\r\nI also recommend that you test it yourself, and run the tool or malware that abused this tool in a safe environment and see\r\nhow it works.\r\nLeveraging only these few examples, we can learn what types of behavioral hunting queries we can build in our network.\r\nThe first thing I recommend is looking for executions of the tool in your network and excluding all legitimate executions.\r\nThere are many ways to exclude legitimate instances. 
\r\nLook for patterns - legitimate command lines, parent processes, machine name, username, etc. Try to be as specific as you\r\ncan, so you won’t miss a malicious instance. Explore the timeframe of the attack. Look for TTPs that occurred before and\r\nafter the specific time of the attack phase. Sometimes things can happen in parallel and won’t be part of the execution flow,\r\nso it’s worthwhile to expand your search to a wider timeframe. \r\nThis procedure will not always work. Sometimes there are too many different instances of execution and it will be too hard\r\nto exclude everything. In those cases, we will start to add filters and look for patterns. The most useful filters I use are the\r\ncommand line and process tree (parent or child). If we look at the examples above we can create hunting queries that can\r\neasily be created in the Cybereason investigation screen or on any other tool that logs process executions:\r\nAll BITSadmin processes with command line contains: (“/transfer” OR “http” OR “/download” OR “/addfile”)\r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-\r\nProcess\"elementDisplayName:@bitsadmin,commandLine:@%2Ftransfer%7Chttp%7C%2Fdownload%7Caddfile\"\u0026grouping=elementDisplayName\r\nAll BITSadmin processes with parent process name = Wscript\r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-Process\"elementDisplayName:@bitsadmin\"-\r\n\u003eparentProcess\"elementDisplayName:$wscript.exe\"\u0026grouping=elementDisplayName\r\nDeep-Dive Into Your Crown Jewels \r\nGoing back to our methodology, there are many other things you can do to hunt in your environment. FOCUS! Learn about\r\nyour network architecture and find your crown jewels. 
\r\nReview External/Outgoing Connections - MITRE: Exfiltration\r\nYou can do that by following logs from the Firewall, Deep Packet Inspection tools, Cybereason investigation screen, or any\r\nother network logs/tool. Look for anomalous connections; these might be connections outside of your internal network, odd\r\nDNS requests, uploads to cloud services, etc. \r\nSeveral examples of queries you can easily run in Cybereason:\r\nAll external connections from a machine (edit to your list of machines):\r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-\r\nConnection\"isExternalConnection:true,ownerMachine:@\u003cyour_machine\u003e\"\r\nAll outgoing connections from a machine (this can be a good query for environments that use a proxy):\r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-\r\nConnection\"ownerMachine:@\u003cyour_machine\u003e,direction:%3DOUTGOING%7COUTGOING_GUESSED\"\r\nFocus your efforts by looking for shell processes (cmd, PowerShell, and so on) that have external connections.\r\nAdversaries may abuse shells to execute commands, scripts, or binaries. You should review process activities that\r\nperform these connections. This query can be smoothly adapted to other processes that might be interesting to review.\r\nYou can also add additional filters, such as running from a temporary folder, or look for connections from processes\r\nthat are unsigned. \r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-\r\nConnection\"ownerMachine:@\u003cyour_machine\u003e,isExternalConnection:true\"-\u003eownerProcess\"productType:%3DSHELL\"\r\nPersistence Mechanism - MITRE: Persistence\r\nYou can do that by interactively running “Autoruns” from Sysinternals. That will show you all auto-start applications, as\r\nwell as a list of Registry and file system locations available for auto-start configuration, or by simply running hunting\r\nqueries using your EDR. 
\r\nLook for anomalous autoruns, such as autorun Registry keys, WMI entries, Scheduled tasks, Services, etc. Hunt for artifacts\r\nthat execute from temporary folders, have image files that are not signed, run LOLBins, etc. \r\nHere are some examples of queries you can run easily in Cybereason:\r\nAutorun registry keys with suspicious locations\r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-\r\nAutorun\"value:@%5CAppData%5CRoaming%5C%7Cprogramdata%7C%5Clocal%5Ctemp,elementDisplayName:@%5Ccurrentversion%5Crun%\r\nScheduled tasks with suspicious locations\r\n- Tip: Software updates are common in those suspicious locations. Note that in some APT attacks threat actors are\r\nusing known software scheduled tasks for persistence; in those cases you should review the binary metadata to see if\r\nit's the original signed one\r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-\r\nExecutableTaskAction\"executablePath:@temp%7Cappdata%7Croaming%7Cprogramdata\"\u0026sorting=malopAndSuspicions\u0026sortingDirection=-1\u0026groupin\r\nAutorun registry keys with LOLBins \r\nhttps://\u003ccustomer_name\u003e.cybereason.net/#/s/search?queryString=0\u003c-\r\nAutorun\"value:@wscript%7Cmshta%7Cpowershell%7Cregsvr32%7Cbitsadmin%7Ccertutil,elementDisplayName:@%5Ccurrentversion%5Crun%7CMe\r\nWrapping Up\r\nThreat hunting is a very broad and dynamic subject, and might be a bit intimidating to start with. The goal of this blog is to\r\nexpose you to this world and share some relatively simple hunting methods that you can try.\r\nThere are many other approaches to threat hunting, including searches for Indicators of Compromise (IOCs) or Indicators of\r\nBehavior (IOBs). 
While IOCs are static artifacts, such as file hashes, IP addresses, and domain names, IOBs are the set of\r\nbehaviors associated with an attack, independent of tools or artifacts. \r\nI hope that by reading this blog, you feel encouraged to start exploring this world. Start with easy steps like following\r\nsecurity researchers on Twitter or reading the Cybereason blog and move from there.\r\nHappy Hunting!\r\nAbout the Author\r\nNiv Yona\r\nNiv Yona, IR Practice Director, leads Cybereason's incident response practice in the EMEA region. Niv began his career a\r\ndecade ago in the Israeli Air Force as a team leader in the security operations center, where he specialized in incident\r\nresponse, forensics, and malware analysis. In former roles at Cybereason, he focused on threat research that directly\r\nenhances product detections and the Cybereason threat hunting playbook, as well as the development of new strategic\r\nservices and offerings.\r\nAll Posts by Niv Yona\r\nSource: https://www.cybereason.com/blog/threat-hunting-from-lolbins-to-your-crown-jewels",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-hunting-from-lolbins-to-your-crown-jewels"
	],
	"report_names": [
		"threat-hunting-from-lolbins-to-your-crown-jewels"
	],
	"threat_actors": [],
	"ts_created_at": 1775434926,
	"ts_updated_at": 1775791277,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3f9b9db088d1049ab8248c8ae702b76598be399d.pdf",
		"text": "https://archive.orkl.eu/3f9b9db088d1049ab8248c8ae702b76598be399d.txt",
		"img": "https://archive.orkl.eu/3f9b9db088d1049ab8248c8ae702b76598be399d.jpg"
	}
}