hunting-for-living-off-the-land-binaries

Featured

Proactively hunt for adversary abuse of legitimate system binaries (LOLBins) to execute malicious payloads while evading detection.

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 99/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
100
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Hunting for Living-off-the-Land Binaries (LOLBins) ## When to Use - When investigating fileless malware campaigns that bypass traditional AV - During proactive threat hunts targeting defense evasion techniques - When EDR alerts fire on legitimate binaries executing unusual child processes - After threat intelligence reports indicate LOLBin abuse in active campaigns - During red team/purple team exercises validating detection coverage for T1218 ## Prerequisites - Access to EDR telemetry (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne) - SIEM with process creation logs (Sysmon Event ID 1, Windows Security 4688) - Familiarity with LOLBAS Project (lolbas-project.github.io) reference list - PowerShell command-line logging enabled (Module Logging, Script Block Logging) - Network proxy or firewall logs for correlating outbound connections ## Workflow 1. **Define Hunt Hypothesis**: Formulate a hypothesis based on threat intel (e.g., "Adversaries are using certutil.exe to download second-stage payloads from external domains"). 2. **Identify Target LOLBins**: Select specific binaries from the LOLBAS Project database to hunt for, prioritizing those matching current threat landscape (certutil, mshta, rundll32, regsvr32, msiexec, wmic, cmstp, bitsadmin). 3. **Collect Process Telemetry**: Query EDR or SIEM for process creation events involving target LOLBins with unusual command-line arguments, parent processes, or execution contexts. 4. **Baseline Normal Behavior**: Est...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

hunting-for-lolbins-execution-in-endpoint-logs

Hunt for adversary abuse of Living Off the Land Binaries (LOLBins) by analyzing endpoint process creation logs for suspicious execution patterns of legitimate Windows system binaries used for malicious purposes.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-living-off-the-land-attacks

Detect abuse of legitimate Windows binaries (LOLBins) used for living off the land attacks. Monitors process creation, command-line arguments, and parent-child relationships to identify suspicious LOLBin execution patterns.

12,642 Updated today
mukul975
AI & Automation Featured

detecting-living-off-the-land-with-lolbas

Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32 via process telemetry, Sigma rules, and parent-child process analysis

12,642 Updated today
mukul975
AI & Automation Featured

detecting-fileless-malware-techniques

Detects and analyzes fileless malware that operates entirely in memory using PowerShell, WMI, .NET reflection, registry-resident payloads, and living-off-the-land binaries (LOLBins) without writing traditional executable files to disk. Activates for requests involving fileless threat detection, in-memory malware investigation, LOLBin abuse analysis, or WMI persistence examination.

12,642 Updated today
mukul975
DevOps & Infrastructure Featured

hunting-for-living-off-the-cloud-techniques

Hunt for adversary abuse of legitimate cloud services for C2, data staging, and exfiltration including abuse of Azure, AWS, GCP services, and SaaS platforms.

12,642 Updated today
mukul975