LOTL Threat Detection Summary

Scan completed: 2026-02-22 06:45:00 • System: TEST-PC-01\Administrator

Total Findings

High Risk

Medium Risk

Low Risk

PowerShell Findings (2)

Category: PowerShell

Description: Scheduled task contains encoded PowerShell command (common LOTL technique).

Evidence:

Task: LOT-Squatch-Test-Task
Arguments: -EncodedCommand VwByAGkAdABlAC0ASABvAHMAdAAgACcAVABlAHMAdAAgAHQAYQBzAGsAIAByAHUAbgBuAGkAbgBnACcA

Remediation: Review scheduled task 'LOT-Squatch-Test-Task' for legitimacy. Remove if suspicious.

Detected: 06:44:32

Category: PowerShell

Description: Registry run key contains encoded PowerShell command.

Evidence:

Registry: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run\LOT-Squatch-Test
Value: powershell.exe -Command Write-Host 'Test registry entry'

Remediation: Review registry entry and remove if suspicious.

Detected: 06:44:35

Category: LOLBAS

Description: PowerShell history contains command matching known LOLBAS pattern.

Evidence:

Command: certutil -decode encoded.txt decoded.txt

Remediation: Review PowerShell history and investigate command context.

Detected: 06:44:38

Category: Process

Description: powershell.exe spawned by svchost.exe (unusual parent).

Evidence:

Process: powershell.exe (PID: 1234)
Parent: svchost.exe (PID: 567)

Remediation: Investigate process and parent relationship.

Detected: 06:44:41

General LOTL Remediation Steps:

Isolate affected systems from the network if high-risk findings are present.
Review findings carefully – some may be legitimate administrative activity.
Remove malicious artifacts – delete suspicious scheduled tasks, registry entries, WMI subscriptions.
Monitor for recurrence – implement continuous monitoring for similar patterns.
Consider implementing application whitelisting (AppLocker, Windows Defender Application Control) to prevent unauthorized script/executable execution.

Note: This tool provides detection only. Always validate findings before taking action.