hunting-living-off-the-land-binaries

Installation
SKILL.md

Hunting Living Off The Land Binaries

Instructions

Detect LOLBAS abuse by analyzing Windows process creation events (Event ID 4688 / Sysmon 1) and matching command lines against known malicious patterns from the LOLBAS project.

import json
import requests

# Fetch LOLBAS database
resp = requests.get("https://lolbas-project.github.io/api/lolbas.json")
lolbas_db = resp.json()

# Extract binary names and suspicious commands
for entry in lolbas_db:
    print(entry["Name"], [cmd["Command"] for cmd in entry.get("Commands", [])])
Installs
3
GitHub Stars
24.7K
First Seen
Mar 17, 2026
hunting-living-off-the-land-binaries — mukul975/anthropic-cybersecurity-skills