detecting-living-off-the-land-attacks

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). Most URLs are legitimate documentation pages (lolbas-project.github.io and attack.mitre.org) and are low risk, but the presence of a direct, untrusted executable link (http://evil.example.com/payload.exe — a clear direct .exe download over HTTP) makes the overall set high-risk because it can be used to distribute malware.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs installing/updating Sysmon and creating AppLocker/WDAC policies (and running sysmon64.exe and privileged PowerShell commands) which modify system configuration and require elevated/admin privileges, so it pushes the agent to change the machine state.