There are currently three different lists.
The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques.
Definition of LOLBAS candidates (Binaries,scripts and libraries):
- LOLBAS candidates must be present on the system by default or introduced by application/software “installation” from a “reputable” vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
- Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 – execute code from SCT online)
- executing code
- downloading/upload files
- bypass UAC
- compile code
- getting creds/dumping process
- surveillance (keylogger, network trace)
- evade logging/remove log entry
- side-loading/hijacking of DLL
- pass-through execution of other programs, script (via a LOLBin)
- pass-through persistence utilizing existing LOLBin
- persistence (Hide data in ADS, execute at logon etc)
Right now it is me that decides if the files are a valid contribution or not. I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything. Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.
Every binary, script and library has it’s own .md file in the subfolders. That way I should be easier to maintain and reuse. I have borrowed examples from the community (And a lot from Red Canary – Atomic Red Team – Thanks @subtee) Would really love if the community could contribute as much as possible. That would make it better for everyone. If you think it is hard to make a pull request using github, don’t hesitate to send me a tweet and I will add the contribution for you.
projects github repository