Logo Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00
Mgmt-Scripts Update scripts with new template. Fixed mgmt script for webportal. Adjustments to existing yml files 2018-09-26 11:41:58 +02:00
OSBinaries Changed all OSBinaries according to the new template 2018-09-24 21:59:43 +02:00
OSLibraries MD files generate from Script, and adjustments to readme 2018-09-14 15:48:52 +02:00
OSScripts MD files generate from Script, and adjustments to readme 2018-09-14 15:48:52 +02:00
OtherBinaries MD files generate from Script, and adjustments to readme 2018-09-14 15:48:52 +02:00
OtherMSBinaries MD files generate from Script, and adjustments to readme 2018-09-14 15:48:52 +02:00
OtherScripts MD files generate from Script, and adjustments to readme 2018-09-14 15:48:52 +02:00
yml Adding 'Execute' categories to existing 'AWL Bypass' binaries. 2018-10-05 15:06:01 -04:00
Backlog.txt Initial commit - LOLBAS V2.0 2018-06-09 00:15:06 +02:00
CONTRIBUTING.md First stab at CONTRIBUTING. Addresses #3. 2018-10-03 20:33:14 -06:00
LOLBins.md Adjustments 2018-09-14 15:54:20 +02:00
LOLLibs.md Adjustments 2018-09-14 15:54:20 +02:00
LOLScripts.md Adjustments 2018-09-14 15:54:20 +02:00
Projectnotes.md Added Projectnotes 2018-06-12 08:26:24 +02:00
README.md Update README.md 2018-10-04 21:09:26 +02:00
YML-Template.yml Update YML-Template.yml 2018-09-18 16:32:50 +02:00

Living Off The Land Binaries and Scripts (and now also Libraries)

There are currently three different lists:

  • LOLBins.md
  • LOLLibs.md
  • LOLScripts.md

The above files can be found behind a fancy frontend here: https://lolbas-project.github.io (thanks @ConsciousHacker for this bit of eyecandy and the team over at https://gtfobins.github.io/).

Goal

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

Criteria

A LOLBin/Lib/Script must:

  • Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
  • Have extra "unexpected" functionality. It is not interesting to document intended use cases.
    • Exceptions are application whitelisting bypasses
  • Have functionality that would be useful to an APT or red team

Interesting functionality can include:

  • Executing code
    • Arbitrary code execution
    • Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
  • Compiling code
  • File operations
    • Downloading
    • Uploading
    • Copy
  • Persistence
    • Pass-through persistence utilizing an existing LOLBin
    • Persistence (e.g. hide data in ADS, execute at logon)
  • UAC bypass
  • Credential theft
  • Dumping process memory
  • Surveillance (e.g. keylogger, network trace)
  • Log evasion/modification
  • DLL side-loading/hijacking without being relocated elsewhere in the filesystem.

The History of the LOLBin

The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at DerbyCon 3.

The term LOLBins came from a Twitter discussion on what to call binaries that can be used by an attacker to perform actions beyond their original purpose. Philip Goh (@MathCasualty) proposed LOLBins. A highly scientific internet poll ensued, and after a general consensus (69%) was reached, the name was made official. Jimmy (@bohops) followed up with LOLScripts. No poll was taken.

Common hashtags for these files are:

  • #LOLBin
  • #LOLBins
  • #LOLScript
  • #LOLScripts
  • #LOLLib
  • #LOLLibs

Thanks

As with many open-source projects, this one is the product of a community and we would like to thank ours:

  • The domain http://lolbins.com has been registered by an unknown individual and redirected to this project.
  • The domain http://lolbas-project.com has been registered by Jimmy (@bohops).
  • The logos for the project were created by Adam Nadrowski (@_sup_mane). We #@&!!@#! love them.