LOLBAS/README.md

80 lines
3.5 KiB
Markdown
Raw Normal View History

2018-05-04 15:40:56 +00:00
# Living Off The Land Binaries and Scripts (and now also Libraries)
2018-04-18 10:05:49 +00:00
2018-05-09 21:11:32 +00:00
![Alt text](Logo/LOLBAS.png?raw=true "LOLBAS"
2018-05-07 22:27:43 +00:00
There are currently three different lists.
2018-04-18 10:05:49 +00:00
2018-04-18 16:33:16 +00:00
* [LOLBins](LOLBins.md)
2018-04-25 21:39:31 +00:00
* [LOLLibs](LOLLibs.md)
2018-04-18 16:33:16 +00:00
* [LOLScripts](LOLScripts.md)
2018-04-18 10:05:49 +00:00
2018-04-19 16:14:08 +00:00
2018-05-07 22:27:43 +00:00
The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques.
Definition of LOLBAS candidates (Binaries,scripts and libraries):
* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online)
* executing code
* downloading/upload files
* bypass UAC
* compile code
* getting creds/dumping process
* surveillance (keylogger, network trace)
* evade logging/remove log entry
* side-loading/hijacking of DLL
* pass-through execution of other programs, script (via a LOLBin)
* pass-through persistence utilizing existing LOLBin
* persistence (Hide data in ADS, execute at logon etc)
Right now it is me that decides if the files are a valid contribution or not.
I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything.
Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.
2018-05-04 15:40:56 +00:00
Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
2018-04-19 16:14:08 +00:00
I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee)
Would really love if the community could contribute as much as possible. That would make it better for everyone.
If you think it is hard to make a pull request using github, don't hasitate to send me a tweet and I will add the contribution for you.
2018-05-07 22:27:43 +00:00
## STORY
2018-05-09 08:08:46 +00:00
"Living off the land" was coined by Matt Graeber - @mattifestation <3
2018-05-09 08:08:08 +00:00
One of the first "Living Off The Land" talks (That I know of) is this one:
https://www.youtube.com/watch?v=j-r6UonEkUw
2018-05-04 15:40:56 +00:00
The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
https://twitter.com/MathCasualty/status/969174982579273728
2018-05-07 22:27:43 +00:00
The term LOLScripts came from Jimmy - @bohops:
https://twitter.com/bohops/status/984828803120881665
2018-05-04 15:40:56 +00:00
Common hashtags for these files are:
2018-05-07 22:27:43 +00:00
#LOLBin
#LOLBins
#LOLScript
#LOLScripts
#LOLLib
#LOLLibs
2018-05-04 15:40:56 +00:00
A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins.
https://twitter.com/Oddvarmoe/status/985432848961343488
2018-04-19 16:14:08 +00:00
2018-05-07 22:29:29 +00:00
The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
2018-05-07 22:27:43 +00:00
2018-05-09 21:11:32 +00:00
The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man!
Love this one:
![Alt text](Logo/LOL1.png?raw=true "Living Off The Land"
2018-05-07 22:27:43 +00:00
## Future work / Todo list
2018-05-07 22:29:29 +00:00
- [ ] Better classification system
- [ ] Load DLL
- [ ] Arbitrary unsigned code execution
- [ ] Launch other process
- [ ] Better contribution template
- [ ] Provide the project in DB format (sqlite)
- [ ] Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project)
- [ ] Map it to the Mitre Att&ck <3
- [ ] LOLGuiBins
2018-05-07 22:36:50 +00:00
- [ ] More list based on classifications
- [ ] LOLBAS lists for Linux? OSX?