How to threat hunt Living Off The Land binaries

In this Help Net Security video, Lee Archinal, Senior Threat Hunter at Intel 471, walks through practical strategies for detecting malicious activity involving Living Off The Land binaries (LOLBins).

These are legitimate tools built into operating systems, such as PowerShell, that can be hijacked by attackers to evade detection. Archinal explains how to identify suspicious usage based on user roles, abnormal behavior, and log data, and dives into techniques such as encoded command detection, process injection, and time stomping.

He also highlights key resources like MITRE ATT&CK and Sysmon logs to help security teams build effective, data-driven threat hunting hypotheses.