Skill UI
LOLBAS, found 2 results
Detecting LOLBAS Abuse Via Process Telemetry
detecting-living-off-the-land-with-lolbas
mukul975/Anthropic-Cybersecurity-Skills
346
This skill provides a comprehensive framework for detecting Living Off the Land Binaries (LOLBAS) abuse, such as misuse of certutil, regsvr32, and mshta. It leverages process telemetry from Sysmon and Windows Event Logs, combined with advanced Sigma rule-based detection and parent-child process anomaly analysis. Ideal for SOC analysts and threat hunters investigating sophisticated adversaries aiming to evade traditional security controls.
LOLBAS Detection Rules
hunting-living-off-the-land-binaries
mukul975/Anthropic-Cybersecurity-Skills
103
Monitors Windows process creation events to flag Living Off The Land Binary abuse by matching Event ID 4688/Sysmon 1 logs against LOLBAS database entries, supporting threat hunting and SIEM rule creation for fileless attacks.