hunting-for-living-off-the-land-binaries

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). These are high-risk: they point to direct-downloads of an executable (.exe) and a remote scriptlet (.sct) hosted on clearly malicious/suspicious domains (evil.com, malicious.com), matching known delivery techniques (direct EXE download and regsvr32/Squiblydoo) used to distribute malware.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and workflows (e.g., "Check LOLBAS Project", "Review threat intel feeds" and Step 5.1 "Check destination IPs against VirusTotal, AbuseIPDB") explicitly require ingesting public/untrusted third‑party sources (LOLBAS website, VirusTotal/AbuseIPDB, vendor threat feeds and domains observed in logs) and using those results to guide hunts, create IOCs, and update detections, so external content can materially influence decisions and next actions.