Methods for Identifying Living-off-the-Land Attacks Using Sysmon Telemetry Analysis and Machine Learning Models

Abstract:

Modern advanced cyber attacks increasingly use native operating system tools to hide their presence and bypass security mechanisms. One popular technique is the abuse of living-off-the-land binaries (LOLBins), which makes classic signature-based detection difficult. This article presents a proprietary methodology for identifying LOLBin abuse in Windows environments, based on telemetry collected by Sysmon and machine learning models. The research was conducted in a controlled virtual machine environment, where attack scenarios were carried out using PowerShell commands and selected LOLBins, while a realistic user activity profile was generated in parallel. The recorded logs were processed, labeled, and subjected to feature extraction, and then used to train classification models such as Random Forest and XGBoost. The results indicate that incorporating the context of natural user behavior significantly reduces the number of false alarms and increases the effectiveness of detection for unknown attack variants. The article discusses the process of creating the test environment, the data processing procedure, the selection of input features, and the results of comparing different algorithms. The limitations of the presented solution and future research directions are also indicated, including the extension of scenarios to other system platforms and integration with SIEM tools.
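The pipeline step the abstract describes, turning Sysmon process-creation records into a feature vector with a user-behavior baseline, illustrated by an added example that is not the article's code: the LOLBin watch-list, the feature set, and the sample records are all constructed assumptions, and a tree model would consume the resulting dictionaries.

```python
import math
from collections import Counter

# Watch-list of frequently abused Windows binaries (assumption, not the study's list).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "powershell.exe", "bitsadmin.exe", "wmic.exe"}
SCRIPT_OR_OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                            "wscript.exe", "cscript.exe"}

def shannon_entropy(text):
    """Bits per character of the command line; encoded payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def build_baseline(benign_events):
    """Count (parent, child) pairs seen during normal user activity.
    This is the behavioural context that suppresses false alarms."""
    return Counter((basename(e["ParentImage"]), basename(e["Image"]))
                   for e in benign_events)

def extract_features(event, baseline):
    """Map one Sysmon Event ID 1 record to numeric features for a classifier."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    return {
        "is_lolbin": int(image in LOLBINS),
        "suspicious_parent": int(parent in SCRIPT_OR_OFFICE_PARENTS),
        "cmdline_len": len(cmd),
        "cmdline_entropy": round(shannon_entropy(cmd), 2),
        "pair_seen_in_baseline": int(baseline[(parent, image)] > 0),
    }

# Constructed sample records using Sysmon EID 1 field names (not real logs).
BENIGN = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
]
SUSPECT = {"Image": r"C:\Windows\System32\certutil.exe",
           "ParentImage": r"C:\Program Files\Microsoft Office\winword.exe",
           "CommandLine": "certutil.exe -decode blob.txt out.exe"}

def featurize(events, baseline):
    """Feature rows for a batch of events; labels would be attached separately."""
    return [extract_features(e, baseline) for e in events]
```

Note that the benign PowerShell launch is a LOLBin too; only the baseline feature separates it from the Word-spawned certutil record, which is the point the abstract makes about user-behavior context.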