Is this compatible with my SIEM?

Yes, the skill includes Sigma rules which are a vendor-neutral format that can be translated into queries for Splunk, ELK, Microsoft Sentinel, and other major SIEM platforms.

What are Living Off the Land (LotL) attacks?

LotL attacks involve adversaries using legitimate, pre-installed system tools (LOLBins) to perform malicious actions, allowing them to blend in with normal administrative activity and bypass traditional antivirus.

What logs are required for this skill to work?

It primarily utilizes Sysmon Event IDs (1, 3, 7, 11) and Windows Security Event ID 4688 with command-line logging enabled.

Which binaries does this skill monitor?

It focuses on commonly abused Windows binaries including certutil.exe, mshta.exe, rundll32.exe, regsvr32.exe, bitsadmin.exe, and powershell.exe, among others.

Can I use this for real-time blocking?

While possible, it is recommended for detection and monitoring rather than outright blocking, as these tools have valid administrative uses. Detection focuses on anomalous command-line arguments and parent processes.

Living Off the Land (LOLBins) Detection

Name: Living Off the Land (LOLBins) Detection
Author: micsapp

bymicsapp

0•

セキュリティとテスト

Identifies and monitors the suspicious use of legitimate Windows system binaries used in fileless attacks and defense evasion.

This skill provides a comprehensive framework for detecting 'Living Off the Land' (LotL) techniques by monitoring anomalous behavior in trusted Windows binaries (LOLBins). It includes specialized Sysmon configurations, Sigma detection rules for SIEM integration, and Python-based log analysis scripts to correlate process creation, network activity, and parent-child relationships. By focusing on execution context rather than binary presence alone, it helps security teams identify sophisticated threats that bypass traditional antivirus by utilizing built-in OS tools like certutil, mshta, and regsvr32.

主な機能

01Python scripts for automated log analysis and pattern matching

02Context-aware analysis to minimize false positives in admin environments

03Sigma-compliant detection rules for cross-platform SIEM integration

040 GitHub stars

05MITRE ATT&CK mapping for detected techniques (e.g., T1218, T1105)

06Pre-configured Sysmon XML rules for LOLBin monitoring

ユースケース

01Developing real-time detection rules for SIEM or EDR platforms

02Hardening endpoint security policies by identifying dangerous binary usage

03Threat hunting for fileless attack indicators in endpoint telemetry

主な機能

01Python scripts for automated log analysis and pattern matching

02Context-aware analysis to minimize false positives in admin environments

03Sigma-compliant detection rules for cross-platform SIEM integration

040 GitHub stars

05MITRE ATT&CK mapping for detected techniques (e.g., T1218, T1105)

06Pre-configured Sysmon XML rules for LOLBin monitoring

ユースケース

01Developing real-time detection rules for SIEM or EDR platforms

02Hardening endpoint security policies by identifying dangerous binary usage

03Threat hunting for fileless attack indicators in endpoint telemetry