detecting-living-off-the-land-attacks

# Detecting Living Off the Land Attacks Monitor for suspicious use of legitimate Windows binaries (LOLBins) including certutil, mshta, rundll32, regsvr32, and others used in fileless and living-off-the-land attack techniques. ## When to Use - Building detection rules for SIEM or EDR platforms to catch LOLBin abuse in real time - Investigating alerts where legitimate system binaries appear in unexpected execution contexts - Threat hunting across endpoint telemetry for fileless attack indicators - Hardening application whitelisting policies (AppLocker, WDAC) to restrict dangerous LOLBin usage - Creating Sysmon configurations tuned to capture LOLBin-related process creation events - Responding to incidents where adversaries bypassed AV by using only built-in OS tools **Do not use** for blocking all LOLBin execution outright; these are legitimate system tools with valid administrative uses. Detection must focus on anomalous context (parent process, command-line arguments, network activity) rather than binary presence alone. ## Prerequisites - Sysmon v15+ installed on Windows endpoints with a tuned configuration (SwiftOnSecurity or Olaf Hartong baseline) - SIEM platform ingesting Sysmon Event IDs 1 (Process Create), 3 (Network Connection), 7 (Image Loaded), 11 (File Create) - Windows Event Log forwarding for Security Event IDs 4688 (Process Creation with command-line logging enabled) - LOLBAS project reference: https://lolbas-project.github.io/ - Python 3.8+ with `evtx`, `pa...