The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.
All the different files can be found behind a fancy frontend here: https://lolbas-project.github.io (thanks @ConsciousHacker for this bit of eyecandy and the team over at https://gtfobins.github.io/). This repo serves as the place where we maintain the YML files that are used by the fancy frontend.
A LOLBin/Lib/Script must:
- Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
- Have extra "unexpected" functionality. It is not interesting to document intended use cases.
  - Exceptions are application whitelisting bypasses
- Have functionality that would be useful to an APT or red team
Interesting functionality can include:
- Executing code
  - Arbitrary code execution
  - Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
- Compiling code
- File operations
- Pass-through persistence utilizing an existing LOLBin
- Persistence (e.g. hide data in ADS, execute at logon)
- UAC bypass
- Credential theft
- Dumping process memory
- Surveillance (e.g. keylogger, network trace)
- Log evasion/modification
- DLL side-loading/hijacking without being relocated elsewhere in the filesystem.
The History of the LOLBin
The phrase "Living off the land" was coined by Christopher Campbell (@obscuresec) & Matt Graeber (@mattifestation) at DerbyCon 3.
The term LOLBins came from a Twitter discussion on what to call binaries that can be used by an attacker to perform actions beyond their original purpose. Philip Goh (@MathCasualty) proposed LOLBins. A highly scientific internet poll ensued, and after a general consensus (69%) was reached, the name was made official. Jimmy (@bohops) followed up with LOLScripts. No poll was taken.
Common hashtags for these information are: