{"id":43902,"date":"2021-11-12T22:05:32","date_gmt":"2021-11-12T22:05:32","guid":{"rendered":"https:\/\/www.darkreading.com\/threat-intelligence\/open-source-project-aims-to-detect-living-off-the-land-attacks"},"modified":"2021-11-12T22:05:32","modified_gmt":"2021-11-12T22:05:32","slug":"open-source-project-aims-to-detect-living-off-the-land-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/open-source-project-aims-to-detect-living-off-the-land-attacks\/","title":{"rendered":"Open Source Project Aims to Detect Living-Off-the-Land Attacks"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/eu-images.contentstack.com\/v3\/assets\/blt66983808af36a8ef\/bltdb317dc2ce8a2b56\/60e39b1dc64a06233d2e08d1\/machinelearning-ra2_studio-AdobeStock_325347053.jpeg\" class=\"ff-og-image-inserted\"><\/div>\n<p>Attackers who use standard system commands during a compromise \u2014 a technique known as living off the land (LotL)&nbsp;\u2014 to avoid detection by defenders and endpoint security software may find their activities in the spotlight if a machine learning project open sourced by software firm Adobe this week bears fruit. <\/p>\n<p>The project, dubbed <a href=\"https:\/\/github.com\/adobe\/libLOL\" target=\"_blank\" rel=\"noopener\">LotL Classifier<\/a>, uses supervised learning and an open source dataset of real-world attacks to extract features of specific commands and then classifies each command based on features extracted using human analysis as a model. Those features are then used to determine whether the command is good or bad and to label the command with a set of tags that can be used for anomaly detection. 
<\/p>\n<p>Each feature by itself \u2014 such as accessing the \/etc\/shadow directory, where password hashes are typically stored, or access to Pastebin \u2014 may seem suspicious but usually is not malicious, says Andrei Cotaie, technical lead for security intelligence and engineering at Adobe.<\/p>\n<p>&#8220;On their own, most of the tags \u2014 or tag types \u2014 have a high FP [false positive] rate, but combining them and feeding this combination through the machine learning algorithm can generate a higher rate of accuracy in the classifier,&#8221; he says, adding that Adobe has benefited from the machine learning model. &#8220;The LotL Classifier is operational in our environment and based on our experience, by suppressing reoccurring alerts, the LotL Classifier generates a few alerts per day.&#8221;<\/p>\n<p>Living off the land has become a widely used attacker tactic when targeting enterprises. Malware attacks are <a href=\"https:\/\/www.darkreading.com\/application-security\/sophos-living-off-the-land-is-the-law-of-the-land\/a\/d-id\/747561\" target=\"_blank\" rel=\"noopener\">just as likely to begin with a PowerShell command or Windows Scripting Host command<\/a>&nbsp;\u2014 two common administrative tools that can escape notice \u2014 as with a more traditional malware executable. In 2019, CrowdStrike&#8217;s incident response group found that &#8220;malware-free&#8221; attacks, another name for LotL, surpassed malware-based incidents. 
By the summer of 2021, they accounted for more than two-thirds of investigated incidents.<\/p>\n<p>&#8220;Attackers are increasingly attempting to accomplish their objectives without writing malware to the endpoint, using legitimate credentials and built-in tools (living off the land) \u2014 which are deliberate efforts to evade detection by traditional antivirus products,&#8221; CrowdStrike stated in its &#8220;<a href=\"https:\/\/www.crowdstrike.com\/resources\/reports\/threat-hunting-report-2021\/\" target=\"_blank\" rel=\"noopener\">2021 Threat Hunting Report<\/a>.&#8221;<\/p>\n<p>The LotL Classifier uses a supervised machine learning approach to extract features from a dataset of command lines and then creates decision trees that match those features to the human-determined conclusions. The dataset combines &#8220;bad&#8221; samples from open source data, such as industry threat intel reports, with &#8220;good&#8221; samples from Hubble, an open source security compliance framework, as well as Adobe&#8217;s own endpoint detection and response tools. <\/p>\n<p>The feature extraction process generates tags focused on binaries, keywords, command patterns, directory paths, network information, and the similarity of the command to known patterns of attack. Examples of suspicious tags might include a system-command execution path, a Python command, or instructions that attempt to spawn a terminal shell. <\/p>\n<p>&#8220;The feature extraction process is inspired by human experts and analysts: When analyzing a command line, people\/humans rely on certain cues, such as what binaries are being used and what paths are accessed,&#8221; <a href=\"https:\/\/medium.com\/adobetech\/living-off-the-land-lotl-classifier-open-source-project-b167484c8187\" target=\"_blank\" rel=\"noopener\">Adobe stated in its blog post<\/a>. 
&#8220;Then they quickly browse through the parameters and, if present in the command, they look at domain names, IP addresses, and port numbers.&#8221;<\/p>\n<p>Using those tags, the LotL Classifier applies a random-forest tree model that combines several decision trees to determine whether the code is malicious or legitimate. <\/p>\n<p>&#8220;Interestingly, these stealthy moves are exactly why it&#8217;s often very difficult to determine which of these actions are a valid system administrator and which are an attacker,&#8221; the company stated in a blog post.&nbsp;<\/p>\n<p>The machine learning model can benefit companies in a variety of threat-analysis pipelines, says Adobe&#8217;s Cotaie. Threat hunters could use it as a local service or the model could process global security information and event management (SIEM) data to find anomalies by feeding another open source tool released by Adobe, <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/adobe-open-sources-tool-for-anomaly-research\" target=\"_blank\" rel=\"noopener\">the One-Stop Anomaly Shop (OSAS)<\/a>. The model has a component for Windows systems and a separate one for Linux, but it&#8217;s otherwise context independent. <\/p>\n<p>&#8220;The classifier is integrated into &#8230; One Stop Anomaly Shop (OSAS),&#8221; he says. 
&#8220;The parent project can model local or group system behavior using many context-dependent features and its anomaly detection features are complementary to the LotL classifier model.&#8221;<\/p>\n<p>Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/open-source-project-aims-to-detect-living-off-the-land-attacks\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The machine learning classifier from Adobe can determine whether system commands are malicious and classify them using a variety of tags useful for security analysts.Read More <a href=\"https:\/\/www.darkreading.com\/threat-intelligence\/open-source-project-aims-to-detect-living-off-the-land-attacks\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-43902","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=43902"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/43902\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=43902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=43902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=43902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}