Living-off-the-land (LOTL) techniques pose a significant challenge to security operations, exploiting legitimate tools to execute malicious commands that evade traditional detection methods. To address this, we present a robust augmentation framework for cyber defense systems such as Security Information and Event Management (SIEM) solutions, enabling the detection of LOTL attacks such as reverse shells through machine learning. Leveraging real-world threat intelligence and adversarial training, our framework synthesizes diverse malicious datasets while preserving the variability of legitimate activity, ensuring high accuracy and low false-positive rates. We validate our approach through extensive experiments on enterprise-scale datasets, achieving a 90% improvement in detection rates over non-augmented baselines at an industry-grade False Positive Rate (FPR) of $10^{-5}$. We define black-box data-driven attacks that successfully evade unprotected models, and develop defenses to mitigate them, producing adversarially robust variants of ML models. Ethical considerations are central to this work; we discuss safeguards for synthetic data generation and the responsible release of pre-trained models across the four best-performing architectures, including both adversarially and regularly trained variants: https://huggingface.co/dtrizna/quasarnix. Furthermore, we provide a malicious LOTL dataset containing over 1 million augmented attack variants to enable reproducible research and community collaboration: https://huggingface.co/datasets/dtrizna/QuasarNix. This work offers a reproducible, scalable, and production-ready defense against evolving LOTL threats.