diff --git a/Backlog.txt b/Backlog.txt index 605c424..26e2f84 100644 --- a/Backlog.txt +++ b/Backlog.txt @@ -5,7 +5,7 @@ Dbghost.exe Robocopy.exe Needs examples Bitsadmin.exe bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Execution/Bitsadmin.md $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1 Vssadmin.exe vssadmin.exe Delete Shadows /All /Quiet -notepad.exe Gui - Download files using Open (A lot of other programs as well) +notepad.exe Gui - Download files using Open (A lot of other programs as well) LOLGuiBins? wbadmin.exe wbadmin delete catalog -quiet psexec.exe Remote execution of code java.exe -agentpath: or -agentlib: @@ -14,5 +14,4 @@ odbcad32.exe GUI DLL Loading WseClientSvc.exe - https://blog.huntresslabs.com/abusing-trusted-applications-a719219220f dvdplay.exe http://www.hexacorn.com/blog/2018/03/15/beyond-good-ol-run-key-part-73/ http://www.hexacorn.com/blog/category/living-off-the-land/pass-thru-command-execution/ - - +https://twitter.com/Hexacorn/status/993498264497541120 diff --git a/README.md b/README.md index db0bb2c..d2edbc5 100644 --- a/README.md +++ b/README.md @@ -1,30 +1,69 @@ # Living Off The Land Binaries and Scripts (and now also Libraries) -There are three different lists. +There are currently three different lists. * [LOLBins](LOLBins.md) * [LOLLibs](LOLLibs.md) * [LOLScripts](LOLScripts.md) -The goal of these lists are to document every binary, script and library that can be used for other purposes than they are designed to. +The goal of these lists are to document every binary, script and library that can be used for Living Off The Land techniques. + +Definition of LOLBAS candidates (Binaries,scripts and libraries): +* LOLBAS candidates must be present on the system by default or introduced by application/software "installation" from a "reputable" vendor or open-source entity. Otherwise, LOLBAS determination is subject to scrutiny by the (security) community and agreed upon standards. +* Can be used as an attacker tool directly or can perform other actions than what it was intended to do (Ex: regsvr32 - execute code from SCT online) + * executing code + * downloading/upload files + * bypass UAC + * compile code + * getting creds/dumping process + * surveillance (keylogger, network trace) + * evade logging/remove log entry + * side-loading/hijacking of DLL + * pass-through execution of other programs, script (via a LOLBin) + * pass-through persistence utilizing existing LOLBin + * persistence (Hide data in ADS, execute at logon etc) + +Right now it is me that decides if the files are a valid contribution or not. +I try my best to conclude with help from others in the InfoSec community and I do not wish to exclude anything. +Also, please be patient if it takes some time for your contribution to be added to the list. I am just one guy. + Every binary, script and library has it's own .md file in the subfolders. That way I should be easier to maintain and reuse. I have borrowed examples from the community (And a lot from Red Canary - Atomic Red Team - Thanks @subtee) Would really love if the community could contribute as much as possible. That would make it better for everyone. If you think it is hard to make a pull request using github, don't hasitate to send me a tweet and I will add the contribution for you. + +## STORY The term LOLBins came from a twitter discussion on what to call these binaries. It was first proposed by Philip Goh - @MathCasualty here: https://twitter.com/MathCasualty/status/969174982579273728 +The term LOLScripts came from Jimmy - @bohops: +https://twitter.com/bohops/status/984828803120881665 + Common hashtags for these files are: -#LOLBin -#LOLBins -#LOLScript -#LOLScripts -#LOLLib -#LOLLibs +#LOLBin +#LOLBins +#LOLScript +#LOLScripts +#LOLLib +#LOLLibs A "highly scientific poll" was also conducted to agree (69% yes) on the name LOLBins. https://twitter.com/Oddvarmoe/status/985432848961343488 +The domain http;//lolbins.com has been registered by an unknown individual and redirected it to this project. (Thank you) + + +## Future work / Todo list +* Better classification system + * Load DLL + * Arbitrary unsigned code execution + * Launch other process +* Better contribution template +* Provide the project in DB format (sqlite) +* Re-factor project (version 2.0) and move it to a dedicated project site (https://github.com/LOLBAS-Project) +* Map it to the Mitre Att&ck <3 +* LOLGuiBins +* More list based on classifications \ No newline at end of file