[addtool] LOLBAS #1195

piyush-security · 2023-05-13T07:32:06Z

[tags]
lol, scripts, scripts, red-team
[/tags]

[short_descr]
Living Off The Land Binaries, Scripts and Libraries
[/short_descr]

[long_descr]
The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

Criteria

A LOLBin/Lib/Script must:

Be a Microsoft-signed file, either native to the OS or downloaded from Microsoft.
Have extra "unexpected" functionality. It is not interesting to document intended use cases.
- Exceptions are application whitelisting bypasses
Have functionality that would be useful to an APT or red team

Interesting functionality can include:

Executing code
- Arbitrary code execution
- Pass-through execution of other programs (unsigned) or scripts (via a LOLBin)
Compiling code
File operations
- Downloading
- Upload
- Copy
Persistence
- Pass-through persistence utilizing existing LOLBin
- Persistence (e.g. hide data in ADS, execute at logon)
UAC bypass
Credential theft
Dumping process memory
Surveillance (e.g. keylogger, network trace)
Log evasion/modification
DLL side-loading/hijacking without being relocated elsewhere in the filesystem.

[/long_descr]

[image]

[/image]

gwen001 · 2023-05-13T09:47:06Z

Problem occured with the following fields:

Check the guidelines or use the template created for that purpose.

gwen001 · 2023-05-13T10:34:59Z

Issue correctly handled, tool is waiting for human validation.

gwen001 · 2023-06-07T08:14:55Z

Tool has been accepted by the team: https://offsec.tools/tool/lolbas

Thank you for your contribution!

gwen001 added question Further information is requested and removed question Further information is requested labels May 13, 2023

gwen001 added the enhancement New feature or request label May 13, 2023

gwen001 closed this as completed Jun 7, 2023

gwen001 added the accepted label Dec 7, 2023