Detects LOLBin/LOLBAS abuse including certutil, regsvr32, mshta, rundll32 via Sysmon telemetry, Sigma rules, and parent-child process analysis for threat hunting.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Living Off the Land Binaries, Scripts and Libraries (LOLBAS) are legitimate system tools that attackers abuse to carry out malicious actions while evading detection. This skill covers detecting abuse of certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe, msbuild.exe and other LOLBins using process telemetry from Sysmon and Windows event logs, combined with Sigma rule-based detection.
Detects LOLBin abuse including certutil, regsvr32, mshta, rundll32 via Sysmon telemetry, Sigma rules, and parent-child analysis. For threat hunting, SOC incident response, and detection rule building.
Detects LOLBins/LOLBAS abuse (certutil, regsvr32, mshta, rundll32) via Sysmon process telemetry, Sigma rules, and parent-child analysis for threat hunting and SOC investigations.
Detects Living Off The Land Binaries (LOLBAS) abuse like certutil, wmic, mshta in Windows event logs and Sysmon via process creation event matching against LOLBAS database. For threat hunting and SIEM rules.