APTs abuse built-in Windows binaries to avoid detection tools that rely on known-bad signatures. This reference covers every major LOLBin and LOLScript with which APT groups use it, how malicious usage differs from legitimate, and the SIEM detection query to write.